Email analysis checklists

I divided this analysis into four pieces to help us better understand the investigation flow.

Email address

Before investigating, always break the email address down into three parts for detailed analysis:

Complete email address

Username

  • A simple Google dork on the username can sometimes give a good lead on the target's social media presence, if any.

Domain of email address:

  • Check whether it is a parked domain (typosquatting domain name) or not, and collect domain owner details such as the date and time of registration, contact details of the owner, etc.
  • Domain name dork for more leads.
  • Sub-domain enumeration can be performed.

Header Analysis

Below is a checklist of the pertinent information an analyst is to collect from the email header:

  1. Sender email address
  2. Sender IP address
  3. Reverse lookup of the sender IP address
  4. Email subject line
  5. Recipient email address (this information might be in the CC/BCC field)
  6. Reply-to email address (if any)
  7. Date/time

Analysis Tools

Headers

  • Relay Information → tells us the path the email took from the sender until it reached the recipient's mailbox. Any IPs or domains detected here may be checked using tools such as AbuseIPDB, Talos Intelligence and others.
  • Received-SPF (an authentication system that allows domains to specify which mail servers can send mail on their behalf). If this parameter shows SoftFail or Fail, it might signify a spoofed or suspicious email. However, it can produce false positives, since some firms do not keep their SPF records up to date.

  • DKIM: when each email is sent, it is signed using a private key and subsequently validated on the receiving mail server using a public key published in DNS. This step validates the integrity of the email in transit.

  • Return-Path: mail servers use it to determine where to send an email if it bounces or is rejected.

  • Reply-To: this field should always be the same as the From address. If it isn't, the attacker has probably altered the field to make the email appear more authentic.

  • X-Distribution: if this field shows Bulk, it is most probable that the email is either spam or malicious.

  • X-Spam
    • X-Spam-Flag: YES: indicates that the message is considered to be spam.
    • X-Spam-Flag: NO: indicates that the message is not considered to be spam.
    • X-Spam-Score: [numeric value]: indicates the spam score assigned to the message by the spam filter.
    • X-Spam-Status: [string value]: indicates the status of the message, such as “pass” or “fail.”

Email body

Below is a checklist of the artifacts an analyst needs to collect from the email body:

  1. Any URL links (if a URL shortening service was used, then we'll need to obtain the real URL link)
  2. The name of the attachment
  3. The hash value of the attachment (hash type MD5 or SHA256, preferably the latter)

  • Extract URLs.
  • URL analysis can be done using Burp Suite to check the web response code. This will also help us find drive-by downloads of malicious files / packages (if any), on which further basic or advanced malware analysis can be performed.
  • URL redirections can be analyzed.
  • Content of the email (if it is a mass campaign): general search on Google, Wayback Machine, cached-site check.
  • Images / HTML iframes in the email body are to be analyzed via the view-source option for further leads.
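
The header and body checklists above, worked through as an added Python example (not code from the original post): it parses a constructed sample message with the standard library, pulls out the checklist artifacts (sender, Reply-To, relay IPs from Received lines, the SPF/DKIM verdicts from Authentication-Results, URLs, attachment names and SHA-256 hashes) and flags the header red flags the checklist describes. The message, its .test domains and all header values are constructed for illustration.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
# Constructed sample message (not a real email); every domain is in the reserved .test TLD.
RAW = b"""Received: from relay.example.test (relay.example.test [203.0.113.5])
\tby mx.victim.test with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.victim.test; spf=fail smtp.mailfrom=example.test; dkim=none
Return-Path: <bounce@relay.example.test>
From: "IT Support" <it-support@example.test>
Reply-To: someone-else@mailbox.test
X-Distribution: Bulk
X-Spam-Flag: YES
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset here: http://short.example.test/r/xyz or https://example.test/login
--b1
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPs in Received: lines

def analyze(raw: bytes) -> dict:  # collect the header and body checklist artifacts
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    # SPF/DKIM verdicts as recorded by the receiving server, e.g. {"spf": "fail", "dkim": "none"}
    auth = dict(re.findall(r"(spf|dkim)=(\w+)", msg.get("Authentication-Results", "").lower()))
    checks = [  # (condition, finding) pairs drawn from the header checklist
        (reply_to and reply_to != sender, "Reply-To differs from From"),
        (auth.get("spf") in ("fail", "softfail"), f"SPF {auth.get('spf')}"),
        (msg.get("X-Distribution", "").lower() == "bulk", "X-Distribution: Bulk"),
        (msg.get("X-Spam-Flag", "").upper() == "YES", "X-Spam-Flag: YES"),
    ]
    urls, attachments = [], []
    for part in msg.walk():  # body checklist: URLs, attachment names and SHA-256 hashes
        if part.get_content_disposition() == "attachment":
            attachments.append((part.get_filename(), hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()))
        elif part.get_content_type() == "text/plain":
            urls += URL_RE.findall(part.get_content())
    return {"sender": sender, "reply_to": reply_to, "auth": auth, "urls": urls,
            "relay_ips": IP_RE.findall(" ".join(msg.get_all("Received", []))),
            "attachments": attachments, "findings": [f for cond, f in checks if cond]}
```

The relay IPs, URLs and attachment hashes in the returned dict are the values to submit to the reputation tools listed below.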

Artifact Reputation Tools

  • PhishTank
  • IPinfo.io
  • URLScan.io

Attachment analysis (Basic malware analysis)

Further analysis

Additional Resources:

https://www.knowbe4.com/phishing

https://www.itgovernance.co.uk/blog/5-ways-to-detect-a-phishing-email

https://cheapsslsecurity.com/blog/10-phishing-email-examples-you-need-to-see/

https://phishingquiz.withgoogle.com/

This post is licensed under CC BY 4.0 by the author.