🎣Phishing Notes

Phishing Email Analysis

What Is Phishing?

Phishing is an attack that aims to steal data from a user, generally by getting the user to click a link sent through email or to download a malicious file onto their computer.

In the cyber kill chain, a phishing attack happens in the delivery phase. This is the step in which the attacker transmits the harmful content to the victim's system or user.

Phase of Intrusion Kill Chain

In conclusion, phishing mostly aims to get the user to click the attacker's link so that the attacker gains initial access. In other words, phishing is an attack that exploits the human factor and human weakness.

Information Gathering

Spoofing

An attacker intends to trick the target into giving up personal information in order to initiate or gain access to something valuable or secret.

An attacker can send email on behalf of another person, since email itself does not require an authentication mechanism to identify the real sender. This technique is known as spoofing: the user or target believes that the incoming email comes from a legitimate, reliable person.

Protocol

Because spoofing is in use, several protocols have been created to counter it. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and DMARC are used to prevent email spoofing by checking whether the sender address is fake or real. However, these protocols are not mandatory, since in some cases they cause problems.

Analysis

  1. In manual analysis, the SMTP server of the email address needs to be studied first.

  2. The SPF, DKIM, DMARC and MX records of the domain can be looked up with third-party tools such as MxToolBox.

  3. This software shows whether the email comes from a legitimate source or not.

Besides that, since most companies have their own email server, the SMTP address can be examined to see whether it belongs to the company by looking at the WHOIS record of the SMTP IP address.

Even if the sender email is not spoofed, it can still be harmful if the legitimate user's account has been compromised and the attacker is using their email.

Email Analysis

Email Header

The header is the section of an email that contains information such as sender, recipient, and date. It also contains the Return-Path, Reply-To and Received fields. An example email header:

Example of header in .eml

Return-Path is a hidden email header that indicates where and how a bounced email will be processed. It is also referred to as the bounce address or reverse path.

Reply-To is the address to which the user's reply is sent. It is used when the reply address differs from the sender's. E.g. Sender: address@add.com, Reply-To: reply@add.com

Received is the important part. It forms a list of all the servers/computers through which the message travelled in order to reach the user.

The first Received header indicates the user's mail server, and the last Received header is where the mail came from.

A header has many Received lines. The first Received is the top one and the last Received is at the bottom.

The From field indicates the name and email address of the sender.

DomainKey and DKIM-Signature are email signatures that help email service providers identify and authenticate email, much like SPF.

MIME-Version indicates the internet standard used for encoding. MIME converts attachments into text so that they can be sent through SMTP.

How to Access the Email Header

  1. Open the suspected email.

Sample email

2. Find "Download message" / "Save as" (.eml) at the top right.

Step to download

3. Open the .eml file in any text editor application.

I use Notepad++.

For the Outlook email platform

Go to File > Info > Properties > Internet Header (for Outlook).

This shows the Internet Header.

Analysing the Email Header

In this case, I used a LetsDefend exercise to show how to analyse an email header.

Sample Header
  1. Cross-check the sender against the Received-from field.

  • From this information, we know that the sender is from letsdefend[.]io.

  • To conclude, the sender and the Received-from field must have the same address. To check this, we can use MxToolBox.

mxtoolbox for investigation

2. From our search, we know that letsdefend[.]io uses Google addresses as its email server. Going back to our finding in step 1, it shows a different IP address.

3. This email is being spoofed.

4. Next, we can also check the Return-Path/Reply-To against the From field.

Proof of spoofing

To conclude, this email is spoofed, and the attacker is trying to steal personal data from the user.
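As an added example (not part of the original notes), the cross-checks from the header section and the analysis steps above done programmatically: parse a constructed .eml with Python's standard email module, take the originating IP from the bottom-most Received header, compare the From domain against Return-Path and Reply-To, and check that IP against a constructed SPF record. The sender domain's real SPF record would be fetched over DNS and its include: term followed, which this offline check skips.

```python
import ipaddress
import re
from email import message_from_bytes

# Constructed sample .eml (not a real capture). The bottom-most Received header
# is where the mail entered the chain, so it carries the originating IP.
SAMPLE_EML = b"""Return-Path: <bounce@attacker-domain.test>
Received: from mail.example-mx.test (mail.example-mx.test [203.0.113.10])
    by mx.recipient.test with ESMTPS id abc123
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.example-mx.test with ESMTP id def456
From: "IT Support" <support@letsdefend.io>
Reply-To: helpdesk@attacker-domain.test
Subject: Password expiry notice

Please reset your password at the link below.
"""

# Constructed SPF record standing in for the sender domain's real TXT record;
# a live check would fetch it over DNS and also follow the include: term.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com ~all"

def domain_of(header_value):
    """Domain part of the first address in a header value ('' if none)."""
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""

def originating_ip(msg):
    """IPv4 address in the bottom-most Received header (the first hop)."""
    hops = msg.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
    return m.group(1) if m else None

def spf_allows(spf_record, ip):
    """Offline check of ip4:/ip6: terms only; include: needs DNS, so skipped."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(t[4:], strict=False)
               for t in spf_record.split() if t.startswith(("ip4:", "ip6:")))

def analyse(raw_eml, spf_record):
    """Cross-check From against Return-Path, Reply-To and the originating IP."""
    msg = message_from_bytes(raw_eml)
    from_dom, origin = domain_of(msg["From"]), originating_ip(msg)
    rp_bad = domain_of(msg["Return-Path"]) != from_dom
    rt_bad = bool(msg["Reply-To"]) and domain_of(msg["Reply-To"]) != from_dom
    spf_ok = origin is not None and spf_allows(spf_record, origin)
    return {"from_domain": from_dom, "origin_ip": origin,
            "return_path_mismatch": rp_bad, "reply_to_mismatch": rt_bad,
            "spf_pass": spf_ok, "likely_spoofed": rp_bad or not spf_ok}
```

Run `analyse(SAMPLE_EML, SAMPLE_SPF)` to see the sample flagged: the From domain is letsdefend.io, but Return-Path and Reply-To point elsewhere and the originating IP is not in the domain's published range.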

Dynamic Analysis

  • This step is used to manually identify whether a link URL or attachment is harmful to the user or legitimate. For this case, I use a sandbox environment, which is any.run.

anyrun dashboard

From the email, download the attachment file and add a new task. Drag the downloaded file into the task section. Run it as a public task (a public task and its results are visible to other users of the sandbox).

See malicious attachment in virtual environment

Open VirusTotal and search for the MD5 hash.

Result virustotal

Always look for the MD5 or SHA256 hash for reference.

From the research above, we know that the file attachment is infected with trojan malware.

The next step would be malware analysis. I don't cover it in this topic, since the topic is specifically about searching for and detecting phishing email.

Recommendations

  1. Don't click any suspicious link or URL, and don't download unknown file attachments.

  2. Do not reply to the email. Contact the sending institution or person directly to confirm it.

  3. Do not enter any personal information or sensitive data into an unknown URL you were given.

  4. Report suspicious email to the IT department.

  5. Delete the message.

  6. If you have already replied, opened the attachment or entered any sensitive information, let the IT department know about it. Change your password and credentials immediately.
