# Phishing Analysis Tools

### <mark style="color:red;">What Information Should We Collect?</mark>

Pertinent information an analyst is to collect from the email header:

* Sender email address
* Sender IP address
* Reverse lookup of the sender IP address
* Email subject line
* Recipient email address (this information might be in the CC/BCC field)
* Reply-to email address (if any)
* Date/time

Afterward, draw attention to the email body and attachment(s) (if any).

Artifacts an analyst needs to collect from the email body:

* Any URL links (if a URL shortener service was used, obtain the real URL link)
* The name of the attachment
* The hash value of the attachment (hash type MD5 or SHA256, preferably the latter)

Warning: Be careful not to click on any links or attachments in the email accidentally.

### <mark style="color:red;">Email Header Analysis</mark>

Some of this information can be read directly in an email or web client, while other information can only be obtained from the email header.

[**Messageheader**](https://toolbox.googleapps.com/apps/messageheader/analyzeheader) from the Google Admin Toolbox can assist with analyzing email headers: copy and paste the entire email header and run the analysis tool.

Similar tools include [Message Header Analyzer](https://mha.azurewebsites.net/) and [Mail Header](https://mailheader.org/).

A **Message Transfer Agent** ([MTA](https://csrc.nist.gov/glossary/term/mail_transfer_agent)) is software that transfers emails between sender and recipient. Read about Mail User Agents (MUAs) [here](https://csrc.nist.gov/glossary/term/mail_user_agent).

Keep several resources at hand, since each tool might reveal information that another does not.

Below are tools that can help analyze information about the sender's IP address:

* IPinfo.io: <https://ipinfo.io/>
* URLScan.io: <https://urlscan.io/>
* Talos Reputation Center: <https://talosintelligence.com/reputation>

Other tools that provide the same functionality and more: [URL2PNG](https://www.url2png.com/) and [Wannabrowser](https://www.wannabrowser.net/).

### <mark style="color:red;">Email Body Analysis</mark>

A malicious payload may be delivered to the recipient as a link or attachment in the email body. Links can be extracted manually from an HTML-formatted email or by sifting through the raw email (headers and body). Online tools that can aid with this task are [URL Extractor](https://www.convertcsv.com/url-extractor.htm) and [CyberChef](https://gchq.github.io/CyberChef/).

**Tip**: Note the root domain of each extracted URL so that the root domain can be analyzed as well.

After extracting the URLs, check the reputation of the URLs and root domain using any of the tools mentioned. If the email has an attachment, obtain the attachment safely.

After obtaining the attachment, compute its hash and check the file's reputation by hash to see whether it is a known malicious document. Helpful tools are [Talos File Reputation](https://talosintelligence.com/talos_file_reputation) and [VirusTotal](https://www.virustotal.com/gui/). Another tool/company worth mentioning is [Reversing Labs](https://www.reversinglabs.com/), which also has a [file reputation service](https://register.reversinglabs.com/file_reputation).
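As an added example (not the page's own code), this Python script walks the MIME parts of a constructed sample message, extracts the URLs with their root domains and a shortener flag, hashes the attachment with MD5 and SHA256, and defangs the URLs in the hxxp/[.] style used in the cases below; the shortener list and the two-label root-domain heuristic are assumptions.

```python
"""Body artifacts from a raw message: URLs, root domains, attachment hashes, defanged values."""
import hashlib
import re
from email import message_from_bytes
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
SHORTENERS = {"t.co", "bit.ly", "tinyurl.com"}   # constructed, deliberately short list

# Constructed multipart sample (not a real email): visible link text differs from the href.
SAMPLE_EMAIL = b"""\
From: "Billing" <billing@example-support.test>
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Review your invoice at <a href="https://t.co/abc123">https://portal.example-support.test/login</a>
or <a href="http://login.example-support.test/verify?id=42">here</a>.</p>
--XYZ
Content-Type: application/pdf; name="Invoice-2023.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJeLjz9MK
--XYZ--
"""

def defang(value: str) -> str:
    """hxxp / [://] / [.] form, the convention used in the case answers below."""
    return re.sub(r"^http", "hxxp", value, flags=re.I).replace("://", "[://]").replace(".", "[.]")

def describe_url(url: str) -> dict:
    host = urlsplit(url).hostname or ""
    return {"url": url, "defanged": defang(url), "shortened": host in SHORTENERS,
            # root domain approximated as the last two labels (assumption: no public-suffix list offline)
            "root_domain": ".".join(host.split(".")[-2:])}

def extract_body_artifacts(raw: bytes) -> dict:
    msg = message_from_bytes(raw)
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        data = part.get_payload(decode=True) or b""
        if part.get_filename():                      # attachment: record its name and both hashes
            attachments.append({"name": part.get_filename(), "md5": hashlib.md5(data).hexdigest(),
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_maintype() == "text":  # links from plain-text and HTML bodies
            urls.extend(URL_RE.findall(data.decode(part.get_content_charset() or "utf-8", "replace")))
    return {"urls": [describe_url(u) for u in dict.fromkeys(urls)], "attachments": attachments}  # dedupe, keep order
```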

***How can you manually get the location of a hyperlink?***

Copy link location

### <mark style="color:red;">Malware Sandbox</mark>

Defenders do not need malware analysis skills to dissect and reverse engineer malicious attachments: online tools and services (**malware sandboxes**) accept uploads of malicious files and provide an analysis that helps to understand the malware.

Some online malware sandboxes:

* [Any.Run](https://app.any.run/)
* [Hybrid Analysis](https://www.hybrid-analysis.com/)
* [JoeSecurity](https://www.joesecurity.org/)

### <mark style="color:red;">PhishTool</mark>

A tool that will help with automated phishing analysis is [PhishTool](https://www.phishtool.com/). PhishTool combines threat intelligence, OSINT, email metadata and battle-tested auto-analysis pathways into one phishing response platform. A free community edition is available for download.

### <mark style="color:red;">Phishing Case 1</mark>

**Scenario**: As a Level 1 SOC Analyst, you have received several suspicious emails forwarded by coworkers. Obtain details from each email to implement the appropriate rules to prevent colleagues from receiving additional spam/phishing emails.

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FtKAWRibiLrNcwTjDGGvx%2Fimage.png?alt=media&#x26;token=1a35c9d4-1c91-4781-83d1-f9b746c336f6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2F4g6i36u0222Kds0f82r6%2Fimage.png?alt=media&#x26;token=747084a4-6c2d-459a-b41e-17eb57b7238c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2Fwok3f2R0KyriSErfDjbo%2Fimage.png?alt=media&#x26;token=012a9c31-db8b-4e56-b59d-62e57b43091f" alt=""><figcaption></figcaption></figure>

***What brand was this email tailored to impersonate?***

Netflix

***What is the From email address?***

<JGQ47wazXe1xYVBrkeDg-JOg7ODDQwWdR@JOg7ODDQwWdR-yVkCaBkTNp.gogolecloud.com>

***What is the originating IP? Defang the IP address.***

209\[.]85\[.]167\[.]226

***From what you can gather, what do you think will be a domain of interest? Defang the domain.***

etekno\[.]xyz

***What is the shortened URL? Defang the URL.***

hxxps\[://]t\[.]co/yuxfZm8KPg?amp=1

### <mark style="color:red;">Phishing Case 2</mark>

**Scenario**: As a Level 1 SOC Analyst, you have received several suspicious emails forwarded by coworkers. Obtain details from each email to implement the appropriate rules to prevent colleagues from receiving additional spam/phishing emails.

Link: <https://app.any.run/tasks/8bfd4c58-ec0d-4371-bfeb-52a334b69f59>

***What does AnyRun classify this email as?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FLvErGlusUlJgDFFHyxo2%2Fimage.png?alt=media&#x26;token=a343b6f1-732f-4ebf-875a-389818e3401d" alt=""><figcaption><p>suspicious activity</p></figcaption></figure>

***What is the name of the PDF file?***

Payment-updateid.pdf

***What is the SHA 256 hash for the PDF file?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FdQP3jrmFB7QGXFCaTE1D%2Fimage.png?alt=media&#x26;token=70a9534b-970e-4358-8253-0c5300d333e5" alt=""><figcaption><p>cc6f1a04b10bcb168aeec8d870b97bd7c20fc161e8310b5bce1af8ed420e2c24</p></figcaption></figure>

***What two IP addresses are classified as malicious? Defang the IP addresses. (answer: IP\_ADDR,IP\_ADDR)***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FQ6I29TAGmMIDEaR51TUI%2Fimage.png?alt=media&#x26;token=8fcdd656-3e2c-4f9d-8a93-60da34a3d5d4" alt=""><figcaption><p>2[.]16[.]107[.]24</p></figcaption></figure>

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FrJ9vSK46z9o9AjS6RHxk%2Fimage.png?alt=media&#x26;token=6e2fe68f-c528-4d33-8526-8f5674eef3fc" alt=""><figcaption><p>2[.]16[.]107[.]83</p></figcaption></figure>

***What Windows process was flagged as Potentially Bad Traffic?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2F7UERmVDs0ESJzPIM1UDG%2Fimage.png?alt=media&#x26;token=d1d97e38-9572-45f4-b35b-a8f8074e2d9f" alt=""><figcaption><p>svchost.exe</p></figcaption></figure>

### <mark style="color:red;">Phishing Case 3</mark>

**Scenario**: As a Level 1 SOC Analyst, you have received several suspicious emails forwarded by coworkers. Obtain details from each email to implement the appropriate rules to prevent colleagues from receiving additional spam/phishing emails.

Link: <https://app.any.run/tasks/82d8adc9-38a0-4f0e-a160-48a5e09a6e83>

***What is this analysis classified as?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FlpqQOsk44wpGnaeelANl%2Fimage.png?alt=media&#x26;token=1485cf54-f8f1-4c2f-97bb-be29fa7fbe7a" alt=""><figcaption><p>malicious activity</p></figcaption></figure>

***What is the name of the Excel file?***

CBJ200620039539.xlsx

***What is the SHA 256 hash for the file?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FWhWyPT26qEOmjKmwypza%2Fimage.png?alt=media&#x26;token=b7889784-fa57-43d1-b610-8113d4c9455c" alt=""><figcaption><p>5f94a66e0ce78d17afc2dd27fc17b44b3ffc13ac5f42d3ad6a5dcfb36715f3eb</p></figcaption></figure>

***What domains are listed as malicious? Defang the URLs & submit answers in alphabetical order. (answer: URL1,URL2,URL3)***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FvVRMCk0RlOME8VjnPlrT%2Fimage.png?alt=media&#x26;token=c3b93051-3aa5-4ba7-9096-05367fbfd25e" alt=""><figcaption><p>biz9holdings[.]com,findresults[.]site,ww38[.]findresults[.]site</p></figcaption></figure>

***What IP addresses are listed as malicious? Defang the IP addresses & submit answers from lowest to highest. (answer: IP1,IP2,IP3)***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2F2BIHXESVuLTiRPj2lV3t%2Fimage.png?alt=media&#x26;token=01eb01f8-1e00-4fe5-9f52-c8f7a859b797" alt=""><figcaption><p>103[.]224[.]182[.]251,75[.]2[.]11[.]242,204[.]11[.]56[.]48</p></figcaption></figure>

***What vulnerability does this malicious attachment attempt to exploit?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FIXDp6TettjDLtGw9lvAM%2Fimage.png?alt=media&#x26;token=a98fb02d-2b08-4dca-bf30-86c4f908778b" alt=""><figcaption></figcaption></figure>

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FgcBT31gEUnOF0vCznnkw%2Fimage.png?alt=media&#x26;token=3f5738e6-4b6c-468a-b5ed-d3142d6de17b" alt=""><figcaption><p>cve-2017-11882</p></figcaption></figure>

### <mark style="color:red;">Conclusion</mark>

Other tools not covered:

* <https://mxtoolbox.com/>
* <https://phishtank.com/?>
* <https://www.spamhaus.org/>
