Email analysis checklists
I divided this analysis into four pieces to help us better understand the investigation flow.
Email address
Before investigating, always break the email address down into three parts for detailed analysis:
Complete email address
- To be checked for past data breaches.
- To be checked if it is linked with social media.
Username
- A simple Google dork on the username can sometimes give a good lead on the target's social media presence, if any.
Domain of email address:
- Check whether it is a parked domain (typo-squatting domain name) or not, and collect domain owner details such as the date and time of registration, contact details of the owner, etc.
- Domain name dork for more leads.
- Sub-domain enumeration can be performed.
Header Analysis
Below is a checklist of the pertinent information an analyst should collect from the email header:
- Sender email address
- Sender IP address
- Reverse lookup of the sender IP address
- Email subject line
- Recipient email address (this information might be in the CC/BCC field)
- Reply-to email address (if any)
- Date/time
Analysis Tools
Headers
- Relay information → tells us the path the email took from the sender until it reached the recipient's mailbox. Any IPs or domains identified this way can be checked using tools such as AbuseIPDB, Talos Intelligence and others.
- Received-SPF (an authentication system that lets a domain specify which mail servers may send mail on its behalf) → If this parameter shows SoftFail or Fail, it may signify a spoofed or suspicious email. However, it can produce false positives, since some firms fail to keep their SPF records up to date.
- DKIM → Each email is signed with a private key when it is sent and then validated by the receiving mail server using a public key published in DNS. This step validates the integrity of the email in transit.
- Return-Path → Mail servers use it to determine where to return the email if it bounces or is rejected.
- Reply-To → This field should normally be the same as the From address. If it isn't, the attacker has probably changed the field in an attempt to make the email appear more authentic.
- X-Distribution → If this header shows Bulk, the email is most probably either spam or malicious.
- X-Spam →
  - X-Spam-Flag: YES: indicates that the message is considered to be spam.
  - X-Spam-Flag: NO: indicates that the message is not considered to be spam.
  - X-Spam-Score: [numeric value]: the spam score assigned to the message by the spam filter.
  - X-Spam-Status: [string value]: the status of the message, such as "pass" or "fail".
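The header checklist and the header red flags above can be collected with a short script. The following is an added example, not code from the original page: it parses a constructed sample message (documentation addresses and IPs only), collects the checklist fields, reconstructs the relay path from the Received headers, and flags SPF/DKIM results, a Reply-To that differs from From, the Bulk marker and the X-Spam headers. It also applies the typo-squatting point from the email-address section by comparing the sender domain against trusted domains; the list `["paypal.example"]` and the edit-distance threshold of 2 are assumptions, not values from the page.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (headers only, documentation addresses and IPs; not a real message).
SAMPLE_RAW = """\
Received: from mail.relay.example (mail.relay.example [192.0.2.10])
\tby mx.corp.example (Postfix) with ESMTPS id ABC123
\tfor <alice@corp.example>; Mon, 03 Jun 2024 09:15:02 +0000
Received: from [198.51.100.25] (unknown [198.51.100.25])
\tby mail.relay.example (Postfix) with ESMTP id DEF456;
\tMon, 03 Jun 2024 09:14:58 +0000
Authentication-Results: mx.corp.example; spf=softfail smtp.mailfrom=paypa1.example;
\tdkim=none
Return-Path: <billing@paypa1.example>
From: "PayPal Billing" <billing@paypa1.example>
Reply-To: collect@free-mail.example
To: alice@corp.example
Cc: bob@corp.example
Subject: Urgent: verify your account
Date: Mon, 03 Jun 2024 09:14:50 +0000
X-Distribution: Bulk
X-Spam-Flag: YES
X-Spam-Score: 7.3
X-Spam-Status: fail

Body omitted.
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance, used to spot lookalike (typo-squatted) sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_fields(raw):
    """Collect the header checklist items: sender, IPs, relay path, recipients, ..."""
    msg = message_from_string(raw)
    # Each hop prepends its own Received header, so the last one is the earliest hop;
    # reversing gives the path from the sender towards the recipient's mailbox.
    relay_path = []
    for hop in reversed(msg.get_all("Received", [])):
        match = IPV4_RE.search(hop)
        if match:
            relay_path.append(match.group(1))
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    recipient_headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {
        "from": parseaddr(msg.get("From", ""))[1],
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "recipients": [addr for _, addr in getaddresses(recipient_headers)],
        "subject": msg.get("Subject", ""),
        "date": msg.get("Date", ""),
        "sender_ip": relay_path[0] if relay_path else None,  # earliest hop seen
        "relay_path": relay_path,
        "auth": auth,
        "x_distribution": msg.get("X-Distribution", ""),
        "x_spam_flag": msg.get("X-Spam-Flag", ""),
        "x_spam_score": msg.get("X-Spam-Score", ""),
    }


def triage(raw, trusted_domains=()):
    """Return (fields, flags); flags are the header red flags from the checklist."""
    fields = extract_fields(raw)
    flags = []
    spf = fields["auth"].get("spf")
    if spf in ("softfail", "fail"):
        flags.append(f"SPF {spf}")
    dkim = fields["auth"].get("dkim")
    if dkim and dkim != "pass":
        flags.append(f"DKIM {dkim}")
    if fields["reply_to"] and fields["reply_to"] != fields["from"]:
        flags.append("Reply-To differs from From")
    if fields["x_distribution"].lower() == "bulk":
        flags.append("X-Distribution: Bulk")
    if fields["x_spam_flag"].upper() == "YES":
        flags.append(f"X-Spam-Flag YES (score {fields['x_spam_score']})")
    # Lookalike check: trusted_domains is an assumed, organisation-specific list.
    sender_domain = fields["from"].rsplit("@", 1)[-1].lower()
    for trusted in trusted_domains:
        if sender_domain != trusted and levenshtein(sender_domain, trusted) <= 2:
            flags.append(f"sender domain {sender_domain} resembles {trusted}")
    return fields, flags


if __name__ == "__main__":
    fields, flags = triage(SAMPLE_RAW, trusted_domains=["paypal.example"])
    print(fields)
    print("flags:", flags)
```

Reputation lookups on the relay IPs (AbuseIPDB, Talos Intelligence) are deliberately left out so the script runs offline; feed `relay_path` into those tools separately. Note that a fully spoofed chain can include forged Received headers, so the earliest hop is only trustworthy from the first server you control backwards.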
Email body
Below is a checklist of the artifacts an analyst needs to collect from the email body:
- Any URL links (if a URL-shortening service was used, we will need to obtain the real URL)
- The name of the attachment
- The hash value of the attachment (hash type MD5 or SHA256, preferably the latter)
- Extract URLs
- URL analysis with Burp Suite to check the web response code. This also helps find drive-by downloads of malicious files or packages (if any), on which further basic or advanced malware analysis can be performed.
- URL redirections can be analyzed.
- Email content (if it is a mass campaign): general Google search, Wayback Machine and cached-site checks.
- Images / HTML iframes in the email body to be analyzed via the view-source option for further leads.
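As an added example of the body checklist (not the page's own code), the script below builds a constructed multipart message with a text part, an HTML part and an attachment, then walks every MIME part to extract URLs (including iframe and image sources from the HTML), flags links that point at URL-shortening hosts, and records each attachment's name, size, MD5 and SHA256. The shortener host list is a partial, assumed list, and all addresses and hosts are constructed; resolving the real target behind a shortened link needs a network request and is left to the analyst's tooling.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Partial, assumed list of URL-shortening hosts; extend it for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed attachment bytes; not a real executable.
ATTACHMENT_BYTES = b"MZ\x90\x00constructed-sample-not-a-real-executable"


def build_sample():
    """Constructed phishing-style message: text, HTML alternative and an attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@paypa1.example"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review http://bit.ly/constructed-short and the attached invoice.")
    msg.add_alternative(
        '<html><body><a href="https://login.paypa1.example/verify">Verify now</a>'
        '<iframe src="https://cdn.unknown-host.example/drop.html" width="0" height="0"></iframe>'
        '<img src="https://tracker.example/pixel.gif"></body></html>',
        subtype="html",
    )
    msg.add_attachment(ATTACHMENT_BYTES, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


class LinkCollector(HTMLParser):
    """Collects href/src/action targets and remembers which tag carried them."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append((tag, value))


def extract_artifacts(raw):
    """Walk every MIME part and collect URLs, iframe sources and attachment hashes."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, iframes, attachments = [], [], []
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True)
            attachments.append({
                "name": part.get_filename(),
                "size": len(data),
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))
        elif part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for tag, url in collector.links:
                urls.append(url)
                if tag == "iframe":
                    iframes.append(url)
    unique_urls = list(dict.fromkeys(urls))  # dedupe while keeping order
    shortened = [u for u in unique_urls if (urlparse(u).hostname or "") in SHORTENER_HOSTS]
    return {"urls": unique_urls, "iframes": iframes,
            "shortened": shortened, "attachments": attachments}


if __name__ == "__main__":
    for key, value in extract_artifacts(build_sample()).items():
        print(key, value)
```

To run it against a real sample, replace `build_sample()` with the bytes of a saved `.eml` file. Parsing the HTML rather than regexing it is what surfaces the zero-size iframe and tracking pixel, which a text-only URL regex would miss.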
Artifacts Reputation Tools
- PhishTank
- IPinfo.io
- URLScan.io
Attachment analysis (Basic malware analysis)
- VirusTotal
- Talos File Reputation
- String analysis of obfuscated code.
- Unpack the malicious code for dynamic analysis, depending on the packer used.
- Offline / online sandbox result check:
  - Browserling
  - VMRay
  - Cuckoo Sandbox
  - AnyRun
  - Hybrid Analysis
  - Joe Sandbox
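The string-analysis and unpacking items above can be supported by a quick static triage before a file goes to a sandbox. The following added example (not the page's own code) extracts printable strings from an attachment, greps them against a hypothetical keyword list, and computes the byte entropy: values close to 8.0 bits per byte usually indicate compressed, encrypted or packed content, which is the hint that a sample needs unpacking before dynamic analysis. Both input blobs are constructed, not real malware, and the 7.0 threshold and keyword list are assumptions.

```python
import math
import re
from collections import Counter

# Hypothetical keyword list: indicators an analyst might grep for in strings output.
SUSPICIOUS_KEYWORDS = ("powershell", "cmd.exe", "http://", "https://", "wscript",
                       "frombase64string", "createremotethread", "virtualalloc")
PACKED_ENTROPY_THRESHOLD = 7.0  # assumption; compressed/encrypted data sits near 8.0

# Constructed samples, not real malware: a "plain" blob with readable strings, and a
# uniform blob (every byte value equally often) standing in for a packed payload.
PLAIN_SAMPLE = (b"constructed sample\x00\x01\x02powershell.exe -EncodedCommand QUJD\x00"
                b"https://cdn.unknown-host.example/stage2\x00\xff")
PACKED_SAMPLE = bytes(range(256)) * 16


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage_blob(data):
    """Static triage summary: strings, keyword hits and a packed/encrypted heuristic."""
    strings = extract_strings(data)
    hits = [s for s in strings if any(k in s.lower() for k in SUSPICIOUS_KEYWORDS)]
    entropy = shannon_entropy(data)
    return {
        "entropy": round(entropy, 2),
        "likely_packed": entropy >= PACKED_ENTROPY_THRESHOLD,
        "string_count": len(strings),
        "strings": strings,
        "suspicious": hits,
    }


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage_blob(blob))
```

A high-entropy result with few readable strings is the usual signature of a packed or encrypted file; the next step is to identify the packer and unpack, or to rely on the sandbox to let the sample unpack itself. Low entropy with suspicious strings means the file can be read directly and its indicators (URLs, hosts) fed into the reputation tools listed above.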
Additional Resources:
https://www.knowbe4.com/phishing
https://www.itgovernance.co.uk/blog/5-ways-to-detect-a-phishing-email
https://cheapsslsecurity.com/blog/10-phishing-email-examples-you-need-to-see/
https://phishingquiz.withgoogle.com/