Phishing Analysis Fundamentals

Learn all the components that make up an email.

Introduction

Spam and Phishing are common social engineering attacks. In social engineering, phishing attack vectors can be a phone call, a text message, or an email.

Phishing is a serious attack vector that an analyst will have to defend against.

An organization can follow all the recommended guidelines when it comes to building a layered defense strategy. Still, all it takes is an inexperienced and unsuspecting user within your corporate environment to click on a link or download and run a malicious attachment which may provide an attacker a foothold into the network.

Many products help combat spam and phishing, but realistically these emails can still get through. When they do, a Security Analyst will need to know how to analyze these emails to determine if they're malicious or benign.

Furthermore, they will need to gather information about the email to update security products to prevent malicious emails from making their way back into a user's inbox.

The Email Address

What makes up an email address?

  1. User Mailbox (or Username)

  2. @

  3. Domain

To simplify, think about the street you live on.

  • You can think of your street as the domain.

  • The recipient's first/last name, along with the house number in this scenario, represents the user mailbox.

Email Delivery

Three protocols are involved in sending and receiving email messages:

  • SMTP (Simple Mail Transfer Protocol) - Utilized to handle the sending of emails

  • POP3 (Post Office Protocol) - Transfers email between a client and a mail server

  • IMAP (Internet Message Access Protocol) - Transfers email between a client and a mail server

POP3 and IMAP share the same one-line definition, but they differ in how they handle messages.

POP3

  • Emails are downloaded and stored on a single device.

  • Sent messages are stored on the single device from which the email was sent.

  • Emails can only be accessed from the single device the emails were downloaded to.

  • If you want to keep messages on the server, make sure the setting "Keep email on server" is enabled, or all messages are deleted from the server once downloaded to the single device's app or software.

IMAP

  • Emails are stored on the server and can be downloaded to multiple devices.

  • Sent messages are stored on the server.

  • Messages can be synced and accessed across multiple devices.

How email travels from the sender to the recipient:

  1. Alexa composes an email to Billy (billy@johndoe.com) in her favorite email client. After she's done, she hits the send button.

  2. The SMTP server needs to determine where to send Alexa's email. It queries DNS for information associated with johndoe.com.

  3. The DNS server obtains the information for johndoe.com and sends that information to the SMTP server.

  4. The SMTP server sends Alexa's email across the Internet to Billy's mailbox at johndoe.com.

  5. In this stage, Alexa's email passes through various SMTP servers and is finally relayed to the destination SMTP server.

  6. Alexa's email finally reaches the destination SMTP server.

  7. Alexa's email is forwarded and is now sitting in the local POP3/IMAP server waiting for Billy.

  8. Billy logs into his email client, which queries the local POP3/IMAP server for new emails in his mailbox.

  9. Alexa's email is copied (IMAP) or downloaded (POP3) to Billy's email client.

Each protocol has its associated default ports and recommended ports. For example, SMTP is port 25.

Read the following article to understand the difference between each here.

What port is classified as Secure Transport for SMTP?

465

What port is classified as Secure Transport for IMAP?

993

What port is classified as Secure Transport for POP3?

995

Email Headers

To manually analyze potentially malicious emails, it is important to understand the components of what makes up an email message when it arrives in an inbox.

There are two parts to an email:

  • the email header (information about the email, such as the email servers that relayed the email)

  • the email body (text and/or HTML formatted text)

The syntax for email messages is known as the Internet Message Format (IMF).

What to look for in email header fields when analyzing a potentially malicious email:

  1. From - the sender's email address

  2. Subject - the email's subject line

  3. Date - the date when the email was sent

  4. To - the recipient's email address

  5. X-Originating-IP - The IP address the email was sent from (this is known as an X-header)

  6. smtp.mailfrom/header.from - The domain the email was sent from (these values appear within the Authentication-Results header)

  7. Reply-To - This is the email address a reply email will be sent to instead of the From email address
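The fields listed above can be pulled straight out of a saved message source with Python's standard-library email parser. The following is an added example, not part of the room; the raw message it parses is constructed for illustration (documentation domains and a TEST-NET address), and the red-flag rules at the end are this example's own, not a standard from the page. It extracts From, Subject, Date, To, X-Originating-IP, Reply-To, Return-Path and the smtp.mailfrom/header.from values, then flags the mismatches an analyst looks for first: a Reply-To domain that differs from the From domain, an envelope sender that differs from the header From, a failed SPF check, and urgency keywords in the subject.

```python
"""Pull the header fields that matter in phishing triage out of a raw email
and flag the common mismatches.  Added example: the message below is
constructed for illustration and is not taken from any real mail."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real email); folded header lines are
# continued with a leading space, exactly as in real message source.
RAW_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none header.from=bank.example.com
X-Originating-IP: [203.0.113.45]
Date: Mon, 01 Jan 2024 09:15:00 +0000
From: "Example Bank Alerts" <alerts@bank.example.com>
Reply-To: support-desk@mailer.example.net
To: victim@example.org
Subject: Your account has been SUSPENDED - Invoice #4411 attached
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice immediately.
"""

# Keywords the page names as typical of phishing subject lines, plus a few more.
URGENCY_KEYWORDS = ("invoice", "suspended", "urgent", "verify", "password")


def _auth_field(auth_results: str, name: str) -> str:
    """Return the value of e.g. smtp.mailfrom=... inside Authentication-Results."""
    match = re.search(re.escape(name) + r"=([^\s;]+)", auth_results)
    return match.group(1).lower() if match else ""


def domain_of(address_header: str) -> str:
    """Split the address into mailbox @ domain and return the domain."""
    _, addr = parseaddr(address_header)
    return addr.rpartition("@")[2].lower()


def parse_headers(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    # Collapse the folded Authentication-Results header onto one line.
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    return {
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "to": str(msg.get("To", "")),
        "x_originating_ip": str(msg.get("X-Originating-IP", "")).strip("[] "),
        "reply_to": str(msg.get("Reply-To", "")),
        "return_path": str(msg.get("Return-Path", "")),
        "auth_results": auth,
        "smtp_mailfrom": _auth_field(auth, "smtp.mailfrom"),
        "header_from": _auth_field(auth, "header.from"),
    }


def find_red_flags(fields: dict) -> list:
    """Heuristic checks over the parsed fields; each hit is a short label."""
    flags = []
    from_domain = domain_of(fields["from"])
    if fields["reply_to"] and domain_of(fields["reply_to"]) != from_domain:
        flags.append("reply-to-domain-mismatch")
    if fields["smtp_mailfrom"] and fields["smtp_mailfrom"] != fields["header_from"]:
        flags.append("envelope-from-mismatch")
    if "spf=fail" in fields["auth_results"]:
        flags.append("spf-fail")
    if any(k in fields["subject"].lower() for k in URGENCY_KEYWORDS):
        flags.append("urgency-keyword")
    return flags


if __name__ == "__main__":
    parsed = parse_headers(RAW_EMAIL)
    for key, value in parsed.items():
        print(f"{key:>17}: {value}")
    print("red flags:", find_red_flags(parsed))
```

Replace RAW_EMAIL with the contents of a saved .eml file to run it against a real message. The X-Originating-IP value is what you would take to a WHOIS lookup such as ARIN; the flags are a starting point for triage, not a verdict.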

Additional resource from Media Temple on how to analyze email headers:

What email header is the same as "Reply-to"?

Return-Path

Once you find the email sender's IP address, where can you retrieve more information about the IP?

http://www.arin.net/

Email Body

The email body is the part of the email which contains the text (plain or HTML formatted) the sender wants you to view.

HTML is what makes it possible to add elements to an email such as images and embedded hyperlinks.

Emails may contain attachments. These can be viewed from an email's HTML format or by viewing the source code.

Warning: When interacting with attachments, proceed with caution and make sure you don't double-click an email's attachment by accident.

Note: Headers specific to 'content' can be found in various locations within an email message source code, and they're not only associated with attachments. For example, Content-Type can be text/html, and Content-Transfer-Encoding can have other values, such as 8bit.
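A safe way to work with attachments is to reconstruct them in memory from the message source rather than opening them in a mail client. The following is an added example, not part of the room or its virtual machine: the multipart message is constructed for illustration, and its "PDF" is only the bytes `%PDF-1.4 sample` encoded as base64. It lists the Content-Type, Content-Transfer-Encoding and Content-Disposition of every leaf part (showing that content headers occur on the body part too, with 8bit encoding), then decodes the base64 attachment, checks its magic bytes and hashes it.

```python
"""Walk the MIME parts of a raw email, list the Content-* headers of each
part, and reconstruct a base64-encoded attachment in memory without opening
it.  Added example: the message and its 'PDF' are constructed for
illustration (the attachment is just the bytes b"%PDF-1.4 sample")."""
import email
import hashlib
from email import policy

# Constructed sample: an HTML body plus a base64 attachment named invoice.pdf.
RAW_EMAIL = """\
From: "Accounts" <accounts@example.net>
To: victim@example.org
Subject: Invoice attached
Date: Mon, 01 Jan 2024 09:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ-constructed-boundary"

--XYZ-constructed-boundary
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit

<html><body><p>Please open the attached invoice.</p></body></html>

--XYZ-constructed-boundary
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQgc2FtcGxl

--XYZ-constructed-boundary--
"""


def list_content_headers(raw: str) -> list:
    """(Content-Type, Content-Transfer-Encoding, Content-Disposition) per leaf part."""
    msg = email.message_from_string(raw, policy=policy.default)
    rows = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container part; its children carry the content
        cte = part.get("Content-Transfer-Encoding")
        rows.append((part.get_content_type(),
                     str(cte).lower() if cte is not None else None,
                     part.get_content_disposition()))
    return rows


def extract_attachments(raw: str) -> list:
    """Decode every attachment part and describe it without writing it to disk."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        found.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # hash to look up, never run
            "magic": data[:4],  # b"%PDF" means the bytes really carry a PDF header
        })
    return found


def reconstruct_attachment(raw: str, filename: str) -> bytes:
    """Return the decoded bytes of the named attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_filename() == filename:
            return part.get_payload(decode=True)
    raise KeyError(filename)


if __name__ == "__main__":
    for row in list_content_headers(RAW_EMAIL):
        print("part:", row)
    for att in extract_attachments(RAW_EMAIL):
        print("attachment:", att)
    print(reconstruct_attachment(RAW_EMAIL, "invoice.pdf"))
```

The decoded bytes can be written to a file in an isolated analysis VM if a viewer is needed; comparing the magic bytes against the declared Content-Type catches attachments whose name and MIME type say "PDF" while the content is something else.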

In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?

Types of Phishing

Different types of malicious emails can be classified as one of the following:

  • Spam - unsolicited junk emails sent out in bulk to a large number of recipients. The more malicious variant of Spam is known as MalSpam.

  • Phishing - emails sent to a target(s) purporting to be from a trusted entity to lure individuals into providing sensitive information.

  • Spear phishing - takes phishing a step further by targeting a specific individual(s) or organization seeking sensitive information.

  • Whaling - is similar to spear phishing, but it's targeted specifically at C-level executives (CEO, CFO, etc.), and the objective is the same.

  • Smishing - takes phishing to mobile devices by targeting mobile users with specially crafted text messages.

  • Vishing - is similar to smishing, but instead of using text messages for the social engineering attack, the attacks are based on voice calls.

With phishing, the techniques are usually the same; the objective is typically either to harvest credentials or to gain access to the victim's computer.

Below are typical characteristics phishing emails have in common:

  • The sender email name/address will masquerade as a trusted entity (email spoofing)

  • The email subject line and/or body (text) is written with a sense of urgency or uses certain keywords such as Invoice, Suspended, etc.

  • The email body (HTML) is designed to match a trusting entity (such as Amazon)

  • The email body (HTML) is poorly formatted or written (contrary to the previous point)

  • The email body uses generic content, such as Dear Sir/Madam.

  • Hyperlinks (often using URL-shortening services to hide their true destination)

  • A malicious attachment posing as a legitimate document

Reminder: When dealing with hyperlinks and attachments, you need to be careful not to accidentally click on the hyperlink or the attachment.

Hyperlinks and IP addresses should be 'defanged'. You can read more about this technique here.
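Extracting the hyperlinks from an HTML body and defanging them is the usual first step before recording them in a report. The following is an added example, not part of the room: the HTML snippet is constructed for illustration (a documentation domain standing in for a URL shortener and a TEST-NET address), and the defanging convention used (`http` to `hxxp`, `.` to `[.]`, `@` to `[@]`) is one common style, not the only one. The example also goes slightly beyond the text by flagging links whose visible text names a different host than the real href, a frequent trick in the "trusted entity" lures described above.

```python
"""Pull hyperlinks out of an HTML email body, defang them for a report, and
flag links whose visible text names a different host than the real target.
Added example: the HTML snippet is constructed for illustration and the
domains/IPs in it are documentation addresses, not real indicators."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body (not a real phishing email).
HTML_BODY = """
<html><body>
<p>Your account has been suspended. To restore access,
<a href="http://short.example/abc">CLICK HERE</a> within 24 hours.</p>
<p>Or visit <a href="http://203.0.113.45/login">https://bank.example.com/secure</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def extract_links(html: str) -> list:
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def defang(indicator: str) -> str:
    """http -> hxxp, '.' -> '[.]', '@' -> '[@]': the string can no longer be clicked."""
    out = re.sub(r"^http(s?)://", r"hxxp\1://", indicator, flags=re.IGNORECASE)
    return out.replace(".", "[.]").replace("@", "[@]")


def refang(indicator: str) -> str:
    """Reverse of defang, for when the indicator has to be looked up again."""
    out = re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)
    return out.replace("[.]", ".").replace("[@]", "@")


def analyse_links(html: str) -> list:
    """One report row per link: visible text, defanged href, and a host-mismatch flag."""
    report = []
    for text, href in extract_links(html):
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([^/\s]+)", text, flags=re.IGNORECASE)
        shown_host = shown.group(1).lower() if shown else None
        report.append({
            "text": text,
            "href": defang(href),
            "text_host_mismatch": shown_host is not None and shown_host != real_host,
        })
    return report


if __name__ == "__main__":
    for row in analyse_links(HTML_BODY):
        print(row)
```

Feed the decoded text/html part of a message into analyse_links; the defanged href is what goes into the report, and refang is there for the moment the indicator has to be submitted to a reputation service.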

What trusted entity is this email masquerading as?

What is the sender's email?

What is the subject line?

What is the URL link for - CLICK HERE? (Enter the defanged URL)

Term to know:

BEC (Business Email Compromise) is when an adversary gains control of an internal employee's account and then uses the compromised email account to convince other internal employees to perform unauthorized or fraudulent actions.
