
Phishing Analysis Tools

Learn the tools used to aid an analyst to investigate suspicious emails.

What Information Should We Collect?

Pertinent information an analyst is to collect from the email header:

  • Sender email address

  • Sender IP address

  • Reverse lookup of the sender IP address

  • Email subject line

  • Recipient email address (this information might be in the CC/BCC field)

  • Reply-to email address (if any)

  • Date/time

Afterward, draw attention to the email body and attachment(s) (if any).

Artifacts an analyst needs to collect from the email body:

  • Any URL links (if a URL shortener service was used, obtain the real URL link)

  • The name of the attachment

  • The hash value of the attachment (hash type MD5 or SHA256, preferably the latter)

Warning: Be careful not to click on any links or attachments in the email accidentally.

Email Header Analysis

Some information to collect can be obtained visually from an email or web client, while other information can only be obtained via the email header.

Messageheader from the Google Admin Toolbox can assist with analyzing email headers: copy and paste the entire email header into it and run the analysis tool. Similar tools include Message Header Analyzer and Mail Header.

It is good to have multiple resources to refer to, as each tool might reveal information that another tool may not.

Message Transfer Agent (MTA) is software that transfers emails between sender and recipient. Read about Mail User Agents (MUAs) here.

Below are tools that can help analyze information about the sender's IP address:

  • IPinfo.io: https://ipinfo.io/

  • URLScan.io: https://urlscan.io/

Other tools that provide the same functionality and more: URL2PNG and Wannabrowser.

Talos Reputation Center: https://talosintelligence.com/reputation

Email Body Analysis

A malicious payload may be delivered to the recipient as a link or attachment in the email body. Links can be extracted manually from an HTML formatted email or by sifting through the raw email header. Online tools that can aid with this task are URL Extractor and CyberChef.

Tip: Note the root domain for the extracted URLs to perform an analysis on the root domain as well.

After extracting the URLs, next check the reputation of the URLs and root domain using any of the tools mentioned. If the email has an attachment, obtain the attachment safely.

After obtaining the attachment, get its hash and check the file's reputation with the hash to see if it's a known malicious document. Helpful tools would be Talos File Reputation or VirusTotal. Another tool/company worth mentioning is Reversing Labs, which also has a file reputation service.

How can you manually get the location of a hyperlink?

Copy link location
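Much of the collection described in the sections above (the header fields, the originating IP from the Received chain, URLs and their root domains from the body, the attachment name and hash, and defanging for the report) can be done with the Python standard library. The block below is an added example written for this page; it is not code from the room or from any of the tools it mentions. The raw message it parses is constructed, the shortener host list is a small assumed set, and the root-domain helper keeps only the last two labels of the host (a simplification that ignores multi-part public suffixes such as co.uk).

```python
import hashlib
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (assumption: not a real email). MTAs prepend
# Received headers, so the topmost one is the newest hop and the bottom one
# is the hop closest to the sender.
RAW_EMAIL = b"""Received: from mx.example-corp.test ([192.0.2.10])
\tby inbox.example-corp.test with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
Received: from relay.sender.test ([198.51.100.25])
\tby mx.example-corp.test with ESMTP; Mon, 01 Jan 2024 09:59:58 +0000
From: "Billing" <billing@sender.test>
Reply-To: collect@reply.test
To: alice@example-corp.test
Cc: bob@example-corp.test
Subject: Invoice overdue
Date: Mon, 01 Jan 2024 09:59:50 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Pay now <a href="https://t.co/abc123">here</a> or at the
<a href="http://pay.example.test/login?id=7">portal</a>.</p></body></html>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# Assumed list of shortener hosts. Resolving the real target needs network
# access (a sandbox or redirect checker), so here we only flag them.
SHORTENER_HOSTS = {"t.co", "bit.ly", "tinyurl.com"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def defang(value: str) -> str:
    """Render an IP, domain or URL unclickable: http -> hxxp, :// -> [://], . -> [.]"""
    return value.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")


def root_domain(url: str) -> str:
    """Last two labels of the URL host (simplification: ignores suffixes like co.uk)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def header_artifacts(msg) -> dict:
    received = msg.get_all("Received") or []
    first_hop = received[-1] if received else ""  # bottom-most Received = first hop
    match = IP_RE.search(str(first_hop))
    return {
        "sender_address": parseaddr(str(msg.get("From", "")))[1],
        "sender_ip": match.group(1) if match else None,
        "subject": str(msg.get("Subject", "")),
        "recipients": [parseaddr(str(msg[h]))[1] for h in ("To", "Cc", "Bcc") if msg[h]],
        "reply_to": parseaddr(str(msg.get("Reply-To", "")))[1] or None,
        "date": str(msg.get("Date", "")),
    }


def body_artifacts(msg) -> dict:
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""  # decoded, never executed
            attachments.append({
                "name": part.get_filename(),
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": sha256_hex(data),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return {"urls": urls, "attachments": attachments}


def triage(raw: bytes) -> dict:
    """Collect the header and body artifacts listed on this page, plus defanged copies."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = header_artifacts(msg)
    report.update(body_artifacts(msg))
    report["sender_ip_defanged"] = defang(report["sender_ip"]) if report["sender_ip"] else None
    report["urls_defanged"] = [defang(u) for u in report["urls"]]
    report["root_domains"] = sorted({root_domain(u) for u in report["urls"]})
    report["shortened_urls"] = [u for u in report["urls"]
                                if (urlparse(u).hostname or "") in SHORTENER_HOSTS]
    return report


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

The attachment is only decoded in memory to hash it; the hash is what gets submitted to the reputation services above, so the file itself never needs to be opened. The shortened-URL flag only tells the analyst which links still need their real destination resolved.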

Malware Sandbox

Defenders do not need malware analysis skills to dissect and reverse engineer malicious attachments, because online tools and services (malware sandboxes) accept uploads of malicious files and provide an analysis that helps understand the malware.

Some online malware sandboxes:

  • Any.Run

  • Hybrid Analysis

  • JoeSecurity

PhishTool

A tool that will help with automated phishing analysis is PhishTool. PhishTool combines threat intelligence, OSINT, email metadata and battle-tested auto-analysis pathways into one powerful phishing response platform. There is a free community edition available for download.

Phishing Case 1

Scenario: As a Level 1 SOC Analyst, several suspicious emails have been forwarded from other coworkers. Obtain details from each email to implement the appropriate rules to prevent colleagues from receiving additional spam/phishing emails.

What brand was this email tailored to impersonate?

Netflix

What is the From email address?

JGQ47wazXe1xYVBrkeDg-JOg7ODDQwWdR@JOg7ODDQwWdR-yVkCaBkTNp.gogolecloud.com

What is the originating IP? Defang the IP address.

209[.]85[.]167[.]226

From what you can gather, what do you think will be a domain of interest? Defang the domain.

etekno[.]xyz

What is the shortened URL? Defang the URL.

hxxps[://]t[.]co/yuxfZm8KPg?amp=1

Phishing Case 2

Scenario: As a Level 1 SOC Analyst, several suspicious emails have been forwarded from other coworkers. Obtain details from each email to implement the appropriate rules to prevent colleagues from receiving additional spam/phishing emails.

Link: https://app.any.run/tasks/8bfd4c58-ec0d-4371-bfeb-52a334b69f59

What does AnyRun classify this email as?

suspicious activity

What is the name of the PDF file?

Payment-updateid.pdf

What is the SHA 256 hash for the PDF file?

cc6f1a04b10bcb168aeec8d870b97bd7c20fc161e8310b5bce1af8ed420e2c24

What two IP addresses are classified as malicious? Defang the IP addresses. (answer: IP_ADDR,IP_ADDR)

2[.]16[.]107[.]24,2[.]16[.]107[.]83

What Windows process was flagged as Potentially Bad Traffic?

svchost.exe

Phishing Case 3

Scenario: As a Level 1 SOC Analyst, several suspicious emails have been forwarded from other coworkers. Obtain details from each email to implement the appropriate rules to prevent colleagues from receiving additional spam/phishing emails.

Link: https://app.any.run/tasks/82d8adc9-38a0-4f0e-a160-48a5e09a6e83

What is this analysis classified as?

malicious activity

What is the name of the Excel file?

CBJ200620039539.xlsx

What is the SHA 256 hash for the file?

5f94a66e0ce78d17afc2dd27fc17b44b3ffc13ac5f42d3ad6a5dcfb36715f3eb

What domains are listed as malicious? Defang the URLs & submit answers in alphabetical order. (answer: URL1,URL2,URL3)

biz9holdings[.]com,findresults[.]site,ww38[.]findresults[.]site

What IP addresses are listed as malicious? Defang the IP addresses & submit answers from lowest to highest. (answer: IP1,IP2,IP3)

103[.]224[.]182[.]251,75[.]2[.]11[.]242,204[.]11[.]56[.]48

What vulnerability does this malicious attachment attempt to exploit?

cve-2017-11882

Conclusion

Other tools not covered:

  • https://mxtoolbox.com/

  • https://phishtank.com/?

  • https://www.spamhaus.org/