
Phishing Email Investigation

Systematic analysis of suspicious emails to identify phishing campaigns, extract indicators of compromise (IoCs), and classify threats.

Email Header Analysis

Understanding email headers is crucial for tracing the origin and authenticity of a message.


Identify the Originating IP

X-Originating-IP, X-Sender-IP, or the earliest Received: header (the last one listed, since each relay prepends its own) reveals the true source of the email, which may differ from the claimed sender.


Trace Email Path

Received: headers show the email's journey through mail servers and help identify relay points and potential spoofing. Each one records:

  • Mail server hostnames

  • IP addresses of relay servers

  • Timestamps of each hop

grep -i "^Received:" email.eml

Analyze Sender Information

  • From address: Who the email claims to be from

  • Reply-To address: Where responses will actually go (often different in phishing)

  • Return-Path: Bounce address for undeliverable emails

Email Authentication Analysis

SPF (Sender Policy Framework)

  • Verifies the sending server is authorized for the domain.

grep -i "received-spf\|spf=" email.eml

DKIM (DomainKeys Identified Mail)

A cryptographic signature verifying that the signed headers and body haven't been tampered with in transit.

grep -i "dkim" email.eml

DMARC (Domain-based Message Authentication)

  • Combines SPF and DKIM with policy enforcement.

grep -i "dmarc" email.eml

The Authentication-Results: header usually contains all three in one place, making it the easiest to check:

grep -A 5 -i "Authentication-Results:" email.eml | grep -oP "(spf|dkim|dmarc)=\w+"
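As an added example (not part of the original page), the header and authentication checks above implemented with Python's standard email library on a constructed sample .eml: it walks the Received: chain oldest-first to find the originating relay, pulls the spf/dkim/dmarc verdicts from Authentication-Results:, and compares the From, Reply-To and Return-Path domains. All hostnames, addresses and verdicts in the sample are constructed.

```python
import re
from email import policy
from email.parser import BytesParser
# Constructed sample headers: From, Reply-To and the first relay all disagree.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx.corp.example (mx.corp.example [198.51.100.7])
\tby inbound.corp.example with ESMTPS; Tue, 4 Jun 2024 09:12:03 +0000
Received: from smtp.mailer.example.net (smtp.mailer.example.net [203.0.113.25])
\tby mx.corp.example with ESMTP; Tue, 4 Jun 2024 09:12:01 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby smtp.mailer.example.net with ESMTPA; Tue, 4 Jun 2024 09:11:58 +0000
Authentication-Results: mx.corp.example;
\tspf=fail smtp.mailfrom=mailer.example.net; dkim=none;
\tdmarc=fail header.from=bank.example.com
From: "Bank Support" <support@bank.example.com>
Reply-To: support@bank-example-secure.example.org
Subject: URGENT: account suspended
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)  # unfolds headers

def trace_path(raw):
    # Each hop prepends its own Received: header, so the last one is the first hop.
    hops = [IP_RE.search(h) for h in parse(raw).get_all("Received", [])]
    return [m.group(1) for m in reversed(hops) if m]  # oldest-first relay IPs

def auth_results(raw):
    # spf/dkim/dmarc verdicts from the Authentication-Results: header(s).
    found = {}
    for h in parse(raw).get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", h, re.I):
            found[mech.lower()] = verdict.lower()
    return found

def sender_domains(raw):
    # Domain of From, Reply-To and Return-Path (None when the header is absent).
    msg = parse(raw)
    hits = {n: re.search(r"@([\w.-]+)", str(msg.get(n, ""))) for n in ("From", "Reply-To", "Return-Path")}
    return {n: m.group(1).lower() if m else None for n, m in hits.items()}

def analyze(raw):
    # Combine the checks into the flags an analyst would record.
    hops, auth, doms = trace_path(raw), auth_results(raw), sender_domains(raw)
    flags = [f"{k}={v}" for k, v in auth.items() if v != "pass"]
    if doms["From"] and doms["Reply-To"] and doms["From"] != doms["Reply-To"]:
        flags.append("reply-to-mismatch")  # replies leave the claimed domain
    return {"origin_ip": hops[0] if hops else None, "hops": hops, "auth": auth, "domains": doms, "flags": flags}
```

Run `analyze(open("email.eml", "rb").read())` on a real saved message; the regexes only cover bracketed IPv4 literals, so IPv6 relays need an extra pattern.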
Email Content Analysis

Subject Line & Body Analysis

  • Red flags:

    • Urgent language ("URGENT", "IMMEDIATE ACTION REQUIRED")

    • Threats (account suspension, legal action)

    • Time pressure ("within 24 hours")

    • Generic greetings ("Dear Customer" vs. your actual name)

    • Poor grammar/spelling


URL Analysis

  • Extract all URLs from the email body

  • Check for:

    • Domain inconsistencies (claimed company vs. actual domain)

    • URL shorteners (bit.ly, tinyurl)

    • Typosquatting

    • Suspicious paths with random characters

    • HTTPS vs HTTP

grep -oP 'https?://[^\s<>"]+|mailto:[^\s<>"]+' email.eml

Brand Impersonation Detection

  • Identify company/organization being impersonated

  • Compare against legitimate communications

  • Check for logo inconsistencies or missing branding

Attachment Analysis

Identify Attachments

  • Location in .eml files: Look for Content-Type: application/* sections

  • Encoding: Usually base64 encoded

  • Extract: Decode the base64 body to recover the actual file


File Metadata Analysis

  • Filename: Check for suspicious extensions or double extensions

    • .pdf.exe, .doc.bat, .invoice.js

  • MIME type: Verify matches the extension

  • File size: Unusually small/large for claimed type


Generate File Hashes

# Decode the extracted base64 attachment body, then hash the resulting file
base64 -d attachment.b64 > file.zip
md5sum file.zip
sha1sum file.zip
sha256sum file.zip

Inspect Archive Contents

  • Executable extensions: .exe, .bat, .cmd, .ps1, .vbs, .js

  • Hidden file extensions

  • Macros in documents: .docm, .xlsm, .pptm

Threat Classification & Intelligence

MITRE ATT&CK Mapping

Common Phishing Techniques:
T1566.001 - Phishing: Spearphishing Attachment
T1566.002 - Phishing: Spearphishing Link
T1204.001 - User Execution: Malicious Link
T1204.002 - User Execution: Malicious File
T1036 - Masquerading (file/extension spoofing)
T1027 - Obfuscated Files or Information
T1598 - Phishing for Information

Indicators of Compromise (IOCs)

  • IP addresses

  • Email addresses

  • Domains

  • File hashes

  • File names

  • URLs

  • Subject lines / patterns


Threat Actor Attribution

  • Search IOCs in threat intelligence platforms

  • Look for known campaigns

  • Check for TTPs matching known groups

Tools & Resources

Email Analysis Tools

MXToolbox Header Analyzer:
https://mxtoolbox.com/EmailHeaders.aspx
Google Admin Toolbox Messageheader:
https://toolbox.googleapps.com/apps/messageheader/
Email Header Analyzer:
https://mha.azurewebsites.net/

URL/Domain Analysis

https://www.virustotal.com
https://urlscan.io
https://talosintelligence.com/

File Analysis

https://www.hybrid-analysis.com/
https://www.joesandbox.com/
https://bazaar.abuse.ch/

Threat Intelligence

https://attack.mitre.org/
https://otx.alienvault.com/
https://threatfox.abuse.ch/
