# Introduction to Phishing
Phishing attacks aim to steal users' personal information by tricking them into clicking on links or running malicious files.
Phishing falls into the Delivery phase of the [[The Cyber Kill Chain]] model.
The human factor is the weakest link in the chain.
# Information Gathering
## Spoofing
Email has no built-in sender authentication, so attackers can send mail in the name of someone else via spoofing.
SPF, DKIM, and DMARC protocols can be used to prevent email spoofing.
- Sender Policy Framework
- DomainKeys Identified Mail
- Domain-based Message Authentication, Reporting and Conformance
To verify, identify the SMTP server address of the mail; the sending domain's SPF, DKIM, and DMARC records can then be obtained via a tool like MXToolbox.
Just because an email is not spoofed doesn't mean the email is safe.
## Email Traffic Analysis
Many parameters are needed to analyze a phishing attack:
- Sender Address
- SMTP IP Address
- Domain Base
- Subject
theHarvester on Kali Linux can be used to scrape email addresses. Personal emails posted on websites provide a potential attack vector for attackers.
# What is an Email Header, and How Do We Read Them?
## What is an Email Header
Contains information like sender, recipient, and date, as well as fields like Return-Path, Reply-To, and Received.
## What does the Email Header Do
- Lets you know who is sending the email and who is receiving it
- Helps detect spam emails via header analysis
- Tracks an email's route through the services that handle it
## Important Fields
**From**
The 'From' field in an Internet header shows the name and email address of the sender.
**To**
This field in the mail header contains the details of the recipient of the email, including their name and email address. CC (carbon copy) and BCC (blind carbon copy) also fall under this category, as they all contain details of your recipients.
**Date**
This is the timestamp showing when the email was sent.
In Gmail, it usually follows the format weekday, dd Mon yyyy hh:mm:ss.
So if an email was sent on 16 November 2021 at 4:57:23 pm, it would show up as Wed, 16 Nov 2021 16:57:23.
**Subject**
The subject is the topic of the email. It summarizes the content of the entire message body.
**Return-Path**
This email header field is also known as Reply-To. When you reply to an email, the reply is sent to the address specified in the Return-Path field.
**DomainKeys and DKIM Signatures**
DomainKeys and DomainKeys Identified Mail (DKIM) are email signatures that help email service providers identify and authenticate your emails, similar to SPF records.
**Message-ID**
The Message-ID header is a unique combination of letters and numbers that identifies each email. No two emails will have the same Message ID.
**MIME-Version**
Multipurpose Internet Mail Extensions (MIME) is an Internet encoding standard. It converts non-text content, such as images, videos, and other attachments, into text so that non-text content can be attached to an email and sent via SMTP (Simple Mail Transfer Protocol).
**Received**
The Received section lists each mail server that an email has passed through before arriving in the recipient's inbox. It's listed in reverse chronological order - the mail server at the top is the last server the email message passed through, and the mail server at the bottom is where the email originated.
**X-Spam-Status**
The X-Spam-Status header shows you the spam score of an email message.
First, it'll highlight if a message is classified as spam.
It then shows the spam score of the email and the spam threshold for the email.
An email can either meet or exceed an inbox's spam threshold. If it's too spammy and exceeds the threshold, it's automatically classified as spam and sent to the Spam folder.
## How to Access the Email Header
**Gmail**
1- Open the email in question
2- Click on the 3 dots at the top right "..."
3- Click on the "Download message" button.
4- Open the downloaded file with the extension ".eml" in any text editor (e.g. Notepad)
**Outlook**
1- Open the email in question
2- File -> Info -> Properties -> Internet headers
# Email Header Analysis
- Was the email sent by the correct SMTP server?
- Are the From and Return-Path/Reply-To addresses the same?
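The checklist above, plus the Return-Path, Received, Message-ID and X-Spam-Status fields described earlier, applied to a raw .eml in code. This is an added example, not part of the original notes; the message is constructed and its hosts and IPs use reserved documentation values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; hosts/IPs are reserved documentation values, not real infrastructure.
SAMPLE_EML = """\
Return-Path: <bounce@mail-example.invalid>
Received: from relay.mail-example.invalid ([198.51.100.7])
 by mx.recipient.example; Wed, 16 Nov 2021 16:57:24 +0000
Received: from unknown ([192.0.2.55])
 by relay.mail-example.invalid; Wed, 16 Nov 2021 16:57:23 +0000
From: "IT Support" <support@bank-example.invalid>
Reply-To: attacker-inbox@mail-example.invalid
Subject: Password expires today
Message-ID: <20211116165723.ABC123@relay.mail-example.invalid>
X-Spam-Status: No, score=4.2 required=5.0

Please reset your password.
"""

def domain_of(header_value):
    """Lowercase domain of an address header ('' if the header is absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def origin_ip(msg):
    """Received headers are newest-first, so the last one is the origin hop."""
    hops = msg.get_all("Received") or []
    found = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
    return found.group(1) if found else None

def spam_score(msg):
    """Parse 'score=' and 'required=' out of X-Spam-Status."""
    value = msg.get("X-Spam-Status", "")
    nums = {k: float(v) for k, v in re.findall(r"(score|required)=(-?[\d.]+)", value)}
    return nums.get("score"), nums.get("required")

def triage(raw):
    """Apply the checklist: sender alignment, origin hop, spam score."""
    msg = message_from_string(raw)
    sender = domain_of(msg.get("From"))
    findings = []
    for name in ("Return-Path", "Reply-To"):  # should match From for legitimate mail
        other = domain_of(msg.get(name))
        if other and other != sender:
            findings.append(f"{name} domain {other} != From domain {sender}")
    score, required = spam_score(msg)
    if score is not None and required is not None and score >= required:
        findings.append("spam score meets threshold")
    return {"from_domain": sender, "origin_ip": origin_ip(msg),
            "message_id": msg.get("Message-ID"), "findings": findings}
```

The origin IP returned here is the one to look up on VirusTotal or AbuseIPDB, and the mismatched Return-Path/Reply-To domains are the first sign the reply would not reach the displayed sender.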
# Static Analysis
HTML emails can hide a malicious URL behind a button or text that seems harmless.
If the domain name in the email is newly registered, it is likely a phishing attack.
Query VirusTotal for web addresses
- be wary of cached results
Cisco Talos Intelligence has sections for checking the reputation of IP addresses
- if blacklisted, the address is likely compromised
The SMTP address can be searched on VirusTotal and AbuseIPDB to find out if the IP address has been involved in malicious activity in the past.
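A static check for the first point in this section, the link whose visible text says one thing while its href points somewhere else. Added example, not from the original notes; the HTML body is constructed with reserved documentation hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname of a URL, or of a bare hostname shown as link text ('' if none)."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()

def suspicious_links(html):
    """Flag anchors whose displayed host differs from the href host,
    and hrefs whose host is a bare IP address."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        try:
            ipaddress.ip_address(href_host)
            findings.append((href, "link target is a bare IP address"))
        except ValueError:
            pass  # not an IP literal, which is the normal case
        # Only treat the anchor text as a URL/hostname if it looks like one.
        text_host = host_of(text) if ("." in text and " " not in text) else ""
        if text_host and text_host != href_host:
            findings.append((href, f"displayed {text_host}, points to {href_host}"))
    return findings

# Constructed HTML body; hosts are reserved documentation values.
SAMPLE_HTML = """<p>Your account will be locked.
<a href="http://198.51.100.7/login">https://bank-example.invalid/login</a></p>
<p>Need help? <a href="https://bank-example.invalid/help">Contact support</a></p>"""
```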
# Dynamic Analysis
Run websites and files in sandbox environments to see if their interactions are harmful or not.
Browserling can quickly check web addresses but cannot download files, which may interrupt the analysis.
Commonly used sandboxes:
- VMRay
- Cuckoo Sandbox
- JoeSandbox
- AnyRun
- Hybrid Analysis (Falcon Sandbox)
Also, the fact that there are no URLs or files in the email does not mean that it is not malicious. The attacker may also send the malware as an image to avoid detection by the analysis tools.
# Additional Techniques
- **Using services that offer cloud storage, such as Google and Microsoft**
	- Attackers trick users into clicking on Google / Microsoft Drive links that appear harmless in order to get the user to download malicious files.
- **Using services that allow the creation of free subdomains, such as Microsoft, WordPress, Blogspot, Wix**
	- Attackers try to deceive security products and analysts by creating a free subdomain on these services. Since WHOIS information cannot be looked up for a subdomain, analysts can be tricked into believing that these addresses were registered long ago and belong to institutions such as Microsoft, WordPress, and others.
- **Form applications**
	- Various services allow free form creation, and attackers benefit from this rather than creating a phishing site themselves. As the domain is usually harmless, the link can be forwarded to the user without triggering anti-virus software. Google Forms is an example of such a service. As the WHOIS information shows that the domain belongs to Google, the attacker can mislead analysts.