Task 11, Day 06, Email Analysis It’s beginning to look a lot like phishing
Two main concerns in email analysis:
Security issues - Identifying suspicious/abnormal/malicious patterns in emails
Performance issues - Identifying delivery and delay issues
Basic Header Structure
From - Sender address
To - Receiver address (includes CC/BCC)
Date - Sent timestamp
Subject - Subject line
Return path - Reply-to address
Domain Key and DKIM Signatures - Email sigs provided by email services to identify and authenticate emails
SPF - Shows server that sent the email
Message-ID - Unique ID of email
MIME-Version - Used MIME version. Helps in understanding “non-text” contents and attachments
X-Headers - receiver mail providers add to field. Usually experimental
X-Received - Mail servers email passed through
X-Spam Status - Spam score of email
X-Mailer - Email client name
Basic Process
From, To, CC fields have valid addresses? - If no, red flag
From and To fields same? - Same sender and recipient = red flag
From and Return-Path same? - Different values are red flag
Email sent from correct server? - should come from official servers of sender
Message-ID field exist and valid? - Empty/malformed = red flag
Hyperlinks redirect to suspicious/abnormal sites? - Suspicous links and redirects are a paddling
Attachments consist or contain malware - you better believe that’s a paddling. Look for file hashes marked as suspicios/malicious by sandboxes
Also need email header parser tool, can use Sublime Text with some config. Sublime allows viewinf email files without opening or executing any linked attachments/commands. Automatically recognizes .eml and .msg files. If .txt file, can change “plain text” at bottom right to “email header”.
Can also use emlAnalyzer to view body and analyse attachments. Can show headers, body, embedded URLs, plaintext and html data, and atytachments. Syntax: emlAnalyzer -i /path-to-file/filename --header [show header] -u [show URLs] --text [show cleartext data] --extract-all [extract all attachments]
Path can be full or relative.
Can use OSINT sources for reputation check on sender and reply-to addresses (i.e. https://emailrep.io)
Can check out suspicious URLs and attachments at sites like:
VirusTotal - cloud-based detection toolset and sandbox environment
InQuest - network and file analysis through threat analytics
IPinfo.io - detailed IP address info focusing on geolocation and ISP
Talos Reputation - Cisco Talos IP reputation check service
Urlscan.io - analyzes websites by simulating regular user behavior
Browserling - browser sandbox for testing suspicious/malicious links
Wannabrowser - browser sandbox for testing suspicious/malicious links
Body/attachment analysis - can use sha256sum tool/utility to calculate a file’s hash, then check on VirusTotal and InQuest. On VirusTotal check the Behavior tab. On InQuest check Indicator Lookup.