Email analysis: avoid phishing attacks

THM Advent of Cyber, day 6 wrapped 👽

Fallen sky
InfoSec Write-ups


In this article, we’ll see how to analyze emails and look at the various parts an email consists of.

Email analysis is the process of extracting email header information to expose the details of the email file. The email header is the main source of evidence here and provides enough information to decide whether to filter, quarantine or deliver the particular message.

There are two main concepts in email analysis:

  1. Security issues: suspicious/abnormal/malicious patterns in emails.
  2. Performance issues: delivery and delay issues.

We’ll be focusing on security issues in this article.

Phishing and social engineering help malicious users run harmful code on the victim’s machine or extract personal information/credentials from the victim.

Despite the many tools and technologies available, most companies rely on manual analysis when there is no budget for automated solutions; an in-depth analysis of emails also requires an isolated environment.

Let’s understand the structure of an email header:

  1. From: sender’s address
  2. To: receiver’s address (including CC and BCC)
  3. Date: timestamp of when the email was sent
  4. Subject
  5. Return-Path: the reply-to address
  6. DomainKey and DKIM signatures
  7. SPF: the server that was used to send the email; compare it with the sender’s actual domain
  8. Message-ID: unique ID of the email
  9. MIME-Version: indicates that the message carries “non-text” content and attachments
  10. X-Headers
  11. X-Received: mail servers that the mail went through
  12. X-Spam-Status: spam score of the email
  13. X-Mailer: email client name

A simple analysis must answer the following questions:

  1. Do the “From”, “To”, and “CC” fields contain valid addresses? Invalid addresses are a red flag.
  2. Are the “From” and “To” fields the same? It is a red flag if they are.
  3. Are the “From” and “Return-Path” fields the same? Different values are a red flag.
  4. Was the email sent from the correct (official) server?
  5. Does the “Message-ID” field exist, and is it valid? Empty and malformed values are red flags.
  6. Do the hyperlinks redirect to suspicious/abnormal sites? Suspicious links and redirections are red flags.
  7. Do the attachments consist of or contain malware? Use sandboxes.
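As an added example (not part of the original write-up), the following Python script applies the header questions above to a raw .eml message using only the standard library. The sample message, its addresses, hostnames and IP are constructed placeholders from reserved example ranges; the `unexpected_origin_server` check is a simple heuristic that compares the hostname in the earliest Received header with the From domain, and the link check flags bare-IP links and links to domains other than the sender’s.

```python
import re
from email import message_from_bytes
from email.utils import getaddresses, parseaddr
from urllib.parse import urlsplit

# Constructed sample message (not a real email). Addresses, hostnames and the
# IP are placeholders from reserved example ranges.
SAMPLE_EML = b"""\
Return-Path: <bounce@example-mailer.test>
Received: from mx.victim.test (localhost [127.0.0.1])
\tby mx.victim.test with ESMTP id 2; Tue, 06 Dec 2022 09:00:02 +0000
Received: from mail.example-mailer.test (mail.example-mailer.test [203.0.113.10])
\tby mx.victim.test with ESMTP id 1; Tue, 06 Dec 2022 09:00:01 +0000
From: "IT Support" <it-support@victim.test>
To: it-support@victim.test
Subject: Password expiry notice
Date: Tue, 06 Dec 2022 09:00:00 +0000
Message-ID: <not-a-valid-id>
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Your password expires today.
<a href="http://203.0.113.10/reset">Reset it here</a></p>
"""

ADDRESS_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")
MESSAGE_ID_RE = re.compile(r"^<[^@\s<>]+@[^@\s<>]+>$")
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def same_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def originating_host(msg) -> str:
    """Host named in the earliest Received header. Each relay prepends its own
    Received line, so the earliest hop is the last header in file order."""
    received = msg.get_all("Received") or []
    match = re.search(r"from\s+(\S+)", received[-1]) if received else None
    return match.group(1).lower() if match else ""


def body_text(msg) -> str:
    """Concatenate the decoded text/plain and text/html parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_headers(raw: bytes) -> dict:
    """Apply the red-flag checks to a raw RFC 5322 message and return the parsed
    sender, recipients and a list of finding tags (empty list = nothing flagged)."""
    msg = message_from_bytes(raw)
    findings = []

    sender = parseaddr(msg.get("From", ""))[1]
    recipients = [addr for _, addr in getaddresses(
        (msg.get_all("To") or []) + (msg.get_all("Cc") or []))]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    sender_domain = domain_of(sender)

    # 1. From/To/CC must all be well-formed addresses.
    for addr in [sender] + recipients:
        if not ADDRESS_RE.match(addr):
            findings.append(f"invalid_address:{addr or '<empty>'}")

    # 2. Sender identical to a recipient is typical of spoofed mail.
    if sender and sender.lower() in [r.lower() for r in recipients]:
        findings.append("from_equals_to")

    # 3. From and Return-Path should normally agree.
    if return_path and return_path.lower() != sender.lower():
        findings.append("return_path_mismatch")

    # 4. Did the sender domain's own server hand the mail in? (heuristic)
    host = originating_host(msg)
    if host and not same_domain(host, sender_domain):
        findings.append(f"unexpected_origin_server:{host}")

    # 5. Message-ID must exist and look like <something@domain>.
    if not MESSAGE_ID_RE.match(msg.get("Message-ID", "").strip()):
        findings.append("message_id_missing_or_malformed")

    # 6. Links to bare IP addresses or to domains other than the sender's.
    for url in HREF_RE.findall(body_text(msg)):
        link_host = (urlsplit(url).hostname or "").lower()
        if IPV4_RE.match(link_host) or not same_domain(link_host, sender_domain):
            findings.append(f"suspicious_link:{url}")

    return {"from": sender, "to": recipients, "findings": findings}


if __name__ == "__main__":
    for tag in analyze_headers(SAMPLE_EML)["findings"]:
        print("RED FLAG:", tag)
```

Run it against a real .eml by reading the file in binary mode and passing the bytes to `analyze_headers`; every question from the list maps to one tag in `findings`, and a legitimate internal message should come back with an empty list. The Return-Path and origin-server checks are heuristics: mailing lists and third-party senders legitimately trip them, so treat each tag as a reason to look closer rather than a verdict.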

Now, what is a sandbox? A sandbox is an isolated testing environment that lets users run programs or open files without affecting the application, system or platform they run on. Software developers use sandboxes to test new code.

Cool. Next, we’ll need an email header parser tool, or a text editor configured to highlight and spot the header’s details.

You can also do this in Gmail. Just open the email you want to analyze and then click on “Show original”:

Download it as an .eml file and then open it in a text editor.

Let’s do this in VS Code. Get the extension from the link below:

Then open the .eml file in VS Code. You can now see all the fields in the header section of the email.

Now let’s take a look at some tools that give a clearer view of what’s happening here.

emlAnalyzer is one such tool: it parses email headers into a more readable form for analysis.

You can get it here: https://github.com/wahlflo/eml_analyzer.

Apart from this, one can use OSINT tools to check email reputation.

Visit https://emailrep.io/ for this.

Email analyst toolbox:

  1. VirusTotal: cloud-based sandbox environment
  2. InQuest: network and file analysis
  3. IPinfo.io
  4. Talos Reputation
  5. Urlscan.io
  6. Browserling: browser sandbox
  7. Wannabrowser: browser sandbox

For a file-based reputation check, first compute the file’s hash value with the sha256sum tool.

Hash-based file reputation analysis: go to https://www.virustotal.com/gui/home/upload,

click on the search icon, paste the hash value and then analyze the details.

After that, continue the reputation checks on InQuest:

https://labs.inquest.net/

Now visit the tool’s website and use the Indicator Lookup option to conduct the hash-based analysis.
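Added example, not part of the original write-up: the hash you submit to VirusTotal or InQuest must be the hash of the decoded attachment, not of the base64 text sitting in the .eml. This Python script pulls every attachment out of a raw message with the standard library, decodes it and computes its SHA-256 without opening or executing the file, which is the value `sha256sum` would print for the saved attachment. The message and the attachment bytes are constructed placeholders.

```python
import base64
import hashlib
from email import message_from_bytes

# Constructed sample: a two-part message with one base64-encoded attachment.
# The attachment content is just a placeholder string, not a real file.
ATTACHMENT_BYTES = b"not really an invoice, just sample bytes"
SAMPLE_EML = (
    b"From: billing@example-mailer.test\r\n"
    b"To: finance@victim.test\r\n"
    b"Subject: Invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please see the attached invoice.\r\n"
    b"--XYZ\r\n"
    b"Content-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="invoice.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(ATTACHMENT_BYTES)
    + b"\r\n--XYZ--\r\n"
)


def sha256_hex(data: bytes) -> str:
    """Same value `sha256sum` prints for a file holding exactly these bytes."""
    return hashlib.sha256(data).hexdigest()


def attachment_hashes(raw: bytes) -> list:
    """Decode every attachment in a raw .eml and return name, type, size and
    SHA-256 for each, without ever opening or executing the file."""
    msg = message_from_bytes(raw)
    results = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not content
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue  # inline body text, skip
        # decode=True undoes base64/quoted-printable; hashing the encoded text
        # instead of the decoded bytes would give a hash nobody else has seen.
        data = part.get_payload(decode=True) or b""
        results.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": sha256_hex(data),
        })
    return results


if __name__ == "__main__":
    for item in attachment_hashes(SAMPLE_EML):
        print(f"{item['sha256']}  {item['filename']} "
              f"({item['content_type']}, {item['size']} bytes)")
```

For a downloaded message, read the .eml in binary mode and pass the bytes to `attachment_hashes`; each returned `sha256` can be pasted straight into the VirusTotal search box or the InQuest Indicator Lookup. Keep the analysis on the hash wherever possible: looking a hash up leaks nothing about your environment, whereas uploading the file itself publishes it.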

Image source: https://tryhackme.com/room/adventofcyber4

This completes the basic email analysis procedure. All you have to do now is write a report of your findings and inform your manager about what’s wrong.
