infosecwriteups.com 162.159.152.4 Public Scan

Submitted URL: https://infosecwriteups.com/email-analysis-avoid-phishing-attacks-360a81e1ebf8
Effective URL: https://infosecwriteups.com/email-analysis-avoid-phishing-attacks-360a81e1ebf8?gi=48c738d3d59f
Submission: On December 14 via manual from US — Scanned from US


Published in InfoSec Write-ups

Fallen sky

Dec 8 · 4 min read
EMAIL ANALYSIS : AVOID PHISHING ATTACKS


THM ADVENT OF CYBER - DAY 6 WRAPPED 👽

In this article, we'll see how to analyze emails and look at the various parts an
email consists of.

Email analysis is the process of extracting email header information to expose
the details of an email file. The email header is the protagonist here: it
provides enough information to decide whether to filter, quarantine or deliver
a particular email message.

There are two main concepts in email analysis:

 1. Security issues: suspicious, abnormal or malicious patterns in emails.
 2. Performance issues: delivery and delay issues.

We'll be focusing on security issues in this article.

Phishing and social engineering help malicious users inject malicious code onto
the victim's machine or extract personal information and credentials from the
victim.

Despite the variety of tools and technologies available, most companies prefer
manual analysis when there is no budget for automated solutions; an in-depth
analysis of emails also requires an isolated environment.

Let's understand the structure of an email header:

 1.  From: sender's address
 2.  To: receiver's address (including CC and BCC)
 3.  Date: timestamp of when the email was sent
 4.  Subject
 5.  Return-Path: reply-to address
 6.  DomainKeys and DKIM signatures
 7.  SPF: the server that was used to send the email; compare it with the
     domain's actual servers.
 8.  Message-ID: unique ID of the email
 9.  MIME-Version: "non-text" contents and attachments
 10. X-Headers
 11. X-Received: mail servers that the mail went through
 12. X-Spam-Status: spam score of the email
 13. X-Mailer: email client name

A simple analysis must answer the following questions:

 1. Do the "From", "To" and "CC" fields contain valid addresses? Invalid
    addresses are a red flag.
 2. Are the "From" and "To" fields the same? A red flag if they are.
 3. Are the "From" and "Return-Path" fields the same? Different values are a
    red flag.
 4. Was the email sent from the correct (official) server?
 5. Does the "Message-ID" field exist, and is it valid? Empty and malformed
    values are red flags.
 6. Do the hyperlinks redirect to suspicious or abnormal sites? Suspicious links
    and redirections are red flags.
 7. Do the attachments consist of or contain malware? Use sandboxes.
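The checklist above turned into a script. This is an added example, not code from the original post or from the TryHackMe room: it parses a saved .eml file with Python's standard `email` library, runs the address, Return-Path and Message-ID checks, pulls hyperlinks out of the body, and reports the SHA-256 of each attachment so the hash can be looked up in a sandbox or reputation service instead of the file being opened. The message it runs on is constructed for the example, and the address and Message-ID patterns are loose heuristics of my own, not RFC 5322 validators.

```python
"""Triage a saved .eml file against the article's checklist (added example,
not the original post's code). Uses only the Python standard library."""
import email
import hashlib
import re
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed sample message: Return-Path differs from From, the Cc field
# holds an invalid address, and there is no Message-ID at all.
SAMPLE_EML = b"""\
From: "IT Support" <helpdesk@example.com>
To: alice@example.com
Cc: not-an-address
Return-Path: <bounce@mail.example.net>
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://login.example.net/reset">reset your password</a>.</p>
--XYZ
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ--
"""

# Loose heuristics (assumptions of this example), not full RFC 5322 validators.
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MSGID_RE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _addresses(msg, field):
    """Bare addresses from every instance of a header ("Name <a@b>" -> "a@b")."""
    values = [str(v) for v in msg.get_all(field, [])]
    return [addr for _, addr in getaddresses(values)]


def analyze(raw):
    """Return a dict of findings for one raw RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    senders = _addresses(msg, "From")
    to = _addresses(msg, "To")
    cc = _addresses(msg, "Cc")

    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    message_id = str(msg.get("Message-ID", "")).strip()

    # Hyperlinks come from the preferred body part (HTML first, then text).
    body = msg.get_body(preferencelist=("html", "plain"))
    urls = URL_RE.findall(body.get_content()) if body is not None else []

    # Attachments are hashed, never opened: the hash is what goes to
    # VirusTotal or a sandbox for the reputation check.
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))

    return {
        "invalid_addresses": [a for a in senders + to + cc if not ADDR_RE.match(a)],
        "from_equals_to": bool(set(senders) & set(to)),
        "return_path_mismatch": bool(return_path) and return_path not in senders,
        "message_id_ok": bool(MSGID_RE.match(message_id)),
        "urls": urls,
        "attachments": attachments,
    }


def red_flags(findings):
    """Map the findings onto the article's red-flag questions."""
    flags = []
    if findings["invalid_addresses"]:
        flags.append("invalid address in From/To/CC")
    if findings["from_equals_to"]:
        flags.append("From and To are the same")
    if findings["return_path_mismatch"]:
        flags.append("Return-Path differs from From")
    if not findings["message_id_ok"]:
        flags.append("Message-ID missing or malformed")
    return flags


if __name__ == "__main__":
    result = analyze(SAMPLE_EML)
    for flag in red_flags(result):
        print("RED FLAG:", flag)
    for url in result["urls"]:
        print("URL to check:", url)
    for name, digest in result["attachments"]:
        print(f"attachment {name}: sha256 {digest}")
```

To use it on a real message, read the downloaded .eml file as bytes and pass it to `analyze()` in place of `SAMPLE_EML`. The "was it sent from the correct server" question is left to the analyst: answering it needs the Received chain and the sending domain's SPF record, which this offline example does not fetch.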

Now, what is a sandbox? A sandbox is an isolated testing environment that lets
users run programs or open files without affecting the application, system or
platform on which they run. Software developers use sandboxes to test new
program code.

Cool. Next we'll need an email header parser tool, or a text editor configured
to highlight the email header's details so they are easy to spot.

You can also do this in Gmail. Just open the email you want to analyze and then
click on "Show original":


Download it as an .eml file and open it in a text editor.

Let's do this in VS Code. Get the extension from the link below:


SMTP Headers - Visual Studio Marketplace
Extension for Visual Studio Code - highlighting for SMTP headers.
marketplace.visualstudio.com



Then open the .eml file in VS Code. You can then see all possible fields in
the header section of the email.

Now let's take a look at some tools that give a clearer view of what's happening
here.

emlAnalyzer is one such tool: it is designed to parse email headers for a better
view and analysis process.

You can get it from here: https://github.com/wahlflo/eml_analyzer.



Apart from this, one can use OSINT tools to check an email's reputation.

Visit https://emailrep.io/ for that.

Email analyst toolbox:

 1. VirusTotal: cloud-based sandbox environment
 2. InQuest: network and file analysis
 3. IPinfo.io
 4. Talos Reputation
 5. Urlscan.io
 6. Browserling: browser sandbox
 7. Wannabrowser: browser sandbox

For a file-based reputation check, compute the file's hash value with the
sha256sum tool.



> Hash-based file reputation analysis: go to
> https://www.virustotal.com/gui/home/upload

Click on the search icon, paste the hash value and then analyze the details.

After that, continue the reputation checks on InQuest.

> https://labs.inquest.net/

Now visit the tool's website and use the INDICATOR LOOKUP option to conduct
hash-based analysis.


(Image source: https://tryhackme.com/room/adventofcyber4)

This completes the basic email analysis procedure. All you have to do now is
create a report of your findings and inform your manager about what's wrong.



