
Phishing Analysis

Wednesday, August 7, 2024 8:43 PM

There are three specific protocols involved in sending and receiving email messages; they are briefly listed below, together with the port each uses for secure transport.
• SMTP (Simple Mail Transfer Protocol) - Handles the sending of emails. Secure transport port: 465.
• POP3 (Post Office Protocol) - Is responsible for transferring email between a client and a mail server. Secure transport port: 995.
• IMAP (Internet Message Access Protocol) - Is responsible for transferring email between a client and a mail server. Secure transport port: 993.
You should have noticed that POP3 and IMAP have the same definition, but there are differences between the two.

POP3
• Emails are downloaded and stored on a single device.
• Sent messages are stored on the single device from which the email was sent.
• Emails can only be accessed from the single device the emails were downloaded to.
• If you want to keep messages on the server, make sure the setting "Keep email on server" is enabled, or all
messages are deleted from the server once downloaded to the single device's app or software.
IMAP
• Emails are stored on the server and can be downloaded to multiple devices.
• Sent messages are stored on the server.
• Messages can be synced and accessed across multiple devices.
Now let's talk about how email travels from the sender to the recipient.
To best illustrate this, see the oversimplified image below:

SOC LvL.1 Page 1


Below is an explanation of each numbered point from the above diagram:
1. Alexa composes an email to Billy ([email protected]) in her favorite email client. After she's done, she hits the
send button.
2. The SMTP server needs to determine where to send Alexa's email. It queries DNS for information associated with
johndoe.com.
3. The DNS server looks up the information for johndoe.com and returns it to the SMTP server.
4. The SMTP server sends Alexa's email across the Internet to Billy's mailbox at johndoe.com.
5. In this stage, Alexa's email passes through various SMTP servers and is finally relayed to the destination SMTP
server.
6. Alexa's email finally reaches the destination SMTP server.
7. Alexa's email is forwarded and is now sitting in the local POP3/IMAP server waiting for Billy.
8. Billy logs into his email client, which queries the local POP3/IMAP server for new emails in his mailbox.
9. Alexa's email is copied (IMAP) or downloaded (POP3) to Billy's email client.
Lastly, each protocol has an associated default port and a recommended secure port. For example, SMTP's default port is 25.

What port is classified as Secure Transport for SMTP? ---- 465

What port is classified as Secure Transport for IMAP? ---- 993
What port is classified as Secure Transport for POP3? ---- 995

How to analyze an email header


CAUTION:
It is important to know that when reading an email header every line can be forged, so only the Received: lines that are
created by your service or computer should be completely trusted.
From
• This displays who the message is from, however, this can be easily forged and can be the least reliable.
Subject
• This is what the sender placed as a topic of the email content.
Date
• This shows the date and time the email message was composed.
To
• This shows to whom the message was addressed, but may not contain the recipient's address.
Return-Path
• The email address for return mail. This is the same as "Reply-To:".
Envelope-To
• This header shows that this email was delivered to the mailbox of a subscriber whose email address is
[email protected].
Delivery Date
• This shows the date and time at which the email was received by your (mt) service or email client.
Received
• The Received lines are the most important part of the email header and are usually the most reliable. They form a list of all
the servers/computers through which the message traveled in order to reach you.
The Received lines are best read from bottom to top. That is, the first "Received:" line (at the top) was added by your own
system or mail server, and the last "Received:" line (at the bottom) is where the mail originated. Each mail system has its
own style of "Received:" line, but a "Received:" line typically identifies the machine that received the mail and the
machine from which the mail was received.
DKIM-Signature & DomainKey-Signature
• These are related to DomainKeys, which are currently not supported by (mt) Media Temple services. You can learn
more about these by visiting: http://en.wikipedia.org/wiki/DomainKeys.
Message-ID
• A unique string assigned by the mail system when the message is first created. These can easily be forged.
MIME-Version
• Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of email. Please see
http://en.wikipedia.org/wiki/MIME for more details.
Content-Type
• Generally, this will tell you the format of the message, such as html or plaintext.
X-Spam-Status
• Displays a spam score created by your service or mail client.
X-Spam-Level
• Displays a spam score usually created by your service or mail client.
Message Body
• This is the actual content of the email itself, written by the sender.

Phishing Analysis Methodology:

a. Initial triage
b. Header and sender examination
c. Content examination
d. Web and URL examination
e. Attachment examination
f. Contextual examination (current incidents)
g. Defense measures
h. Documentation and reporting

Finding the Original Sender


The easiest way to find the original sender is to look for the X-Originating-IP header. This header is important
since it tells you the IP address of the computer that sent the email. If you cannot find the X-Originating-IP header,
then you will have to sift through the Received headers to find the sender's IP address. In the example above, the
originating IP address is 10.140.188.3.
Once the email sender's IP address is found, you can search for it at http://www.arin.net/. You should now be given
results letting you know to which ISP (Internet Service Provider) or web host the IP address belongs. Now, if you are
tracking a spam email, you can send a complaint to the owner of the originating IP address. Be sure to include all the
headers of the email when filing a complaint.

Different types of malicious emails can be classified as one of the following:


• Spam - unsolicited junk emails sent out in bulk to a large number of recipients. The more malicious variant of
Spam is known as MalSpam.
• Phishing - emails sent to a target(s) purporting to be from a trusted entity to lure individuals into providing
sensitive information.
• Spear phishing - takes phishing a step further by targeting a specific individual(s) or organization seeking sensitive
information.
• Whaling - is similar to spear phishing, but it's targeted specifically to C-Level high-position individuals (CEO, CFO,
etc.), and the objective is the same.
• Smishing - takes phishing to mobile devices by targeting mobile users with specially crafted text messages.
• Vishing - is similar to smishing, but instead of using text messages for the social engineering attack, the attacks are
based on voice calls.

Characteristics phishing emails have in common:


• The sender email name/address masquerades as a trusted entity (email spoofing)
• The email subject line and/or body (text) is written with a sense of urgency or uses certain keywords such as
Invoice, Suspended, etc.
• The email body (HTML) is designed to match a trusted entity (such as Amazon)
• The email body (HTML) is poorly formatted or written (the opposite of the previous point)
• The email body uses generic content, such as Dear Sir/Madam.
• Hyperlinks (often using URL shortening services to hide their true destination)
• A malicious attachment posing as a legitimate document

Reminder: When dealing with hyperlinks and attachments, you need to be careful not to accidentally click on the
hyperlink or open the attachment.
Hyperlinks and IP addresses should be 'defanged'. Defanging is a way of making a URL/domain, IP address or email address
unclickable to avoid accidental clicks, which may result in a serious security breach. It replaces special characters, like
"@" in an email address or "." in a URL, with different characters. For example, a highly suspicious domain,
http://www.suspiciousdomain.com, will be changed to hxxp[://]www[.]suspiciousdomain[.]com before forwarding it to
the SOC team for detection.



What BEC (Business Email Compromise) means:
A BEC is when an adversary gains control of an internal employee's account and then uses the compromised email
account to convince other internal employees to perform unauthorized or fraudulent actions.

TOOLS:

Checklist of the pertinent information an analyst (you) is to collect from the email header:
• Sender email address
• Sender IP address
• Reverse lookup of the sender IP address
• Email subject line
• Recipient email address (this information might be in the CC/BCC field)
• Reply-To email address (if any)
• Date/time
• Email body and attachment(s)
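Added example (not from the original notes): a small Python script that applies the header steps above to a constructed message. It reads the Received lines bottom to top, takes the originating IP from X-Originating-IP (falling back to the oldest Received hop), picks the first Internet-routable hop as the address to look up at ARIN, and fills in the checklist. Every host, address and IP in SAMPLE_EML is invented, and the "non-routable" check is a simplified RFC 1918 plus loopback list rather than a full registry lookup.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message: three Received hops, an X-Originating-IP header, a
# look-alike From address and a Reply-To on a different domain. All values invented.
SAMPLE_EML = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.10])
\tby mail.example-corp.test with ESMTPS id abc123; Wed, 7 Aug 2024 20:43:00 +0000
Received: from relay.badhost.test (relay.badhost.test [198.51.100.77])
\tby mx.example-corp.test with ESMTP; Wed, 7 Aug 2024 20:42:58 +0000
Received: from [10.140.188.3] (unknown [10.140.188.3])
\tby relay.badhost.test with SMTP; Wed, 7 Aug 2024 20:42:55 +0000
X-Originating-IP: [10.140.188.3]
From: "Amazon Billing" <billing@amaz0n-support.test>
Reply-To: refunds@totally-unrelated.test
Return-Path: <bounce@amaz0n-support.test>
To: billy@example-corp.test
Subject: URGENT: Your invoice is suspended
Date: Wed, 7 Aug 2024 20:42:50 +0000
Message-ID: <abc123@amaz0n-support.test>

Dear Sir/Madam, please log in at http://amaz0n-support.test/login to restore access.
"""

IPV4_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")

# Simplified "not reachable from the Internet" list (assumption: RFC 1918 + loopback).
# ipaddress.is_private would also flag the documentation ranges used in the sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def received_chain(msg):
    """Received headers oldest-first, i.e. read from the bottom of the header block up."""
    return [str(h) for h in reversed(msg.get_all("Received", []))]

def ips_in(text):
    """Every IPv4 literal in a header value, in order of appearance."""
    return IPV4_RE.findall(text)

def is_routable(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)

def originating_ip(msg):
    """X-Originating-IP if present, otherwise the first IP in the oldest Received line."""
    xoip = msg.get("X-Originating-IP")
    if xoip and ips_in(str(xoip)):
        return ips_in(str(xoip))[0]
    for line in received_chain(msg):
        found = ips_in(line)
        if found:
            return found[0]
    return None

def first_routable_ip(chain):
    """Oldest hop that is reachable on the Internet: the address to look up in ARIN/whois."""
    for line in chain:
        for ip in ips_in(line):
            if is_routable(ip):
                return ip
    return None

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def triage(raw):
    """Collect the header checklist from a raw RFC 5322 message."""
    msg = parse(raw)
    chain = received_chain(msg)
    sender_name, sender_addr = parseaddr(str(msg.get("From", "")))
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    return {
        "sender_name": sender_name,
        "sender_address": sender_addr,
        "return_path": parseaddr(str(msg.get("Return-Path", "")))[1],
        "reply_to": reply_to,
        "recipient": parseaddr(str(msg.get("To", "")))[1],
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "sender_ip": originating_ip(msg),
        "lookup_ip": first_routable_ip(chain),
        "hops": len(chain),
        # A Reply-To on a different domain than the sender is a common phishing tell.
        "reply_to_mismatch": bool(reply_to) and domain_of(reply_to) != domain_of(sender_addr),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key:>18}: {value}")
```

Run it against a saved .eml by replacing SAMPLE_EML with the file contents; the "lookup_ip" is the value to search at ARIN, since the private 10.x originating address cannot be attributed to an ISP.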

Email header analysis

• Messageheader: https://toolbox.googleapps.com/apps/messageheader/analyzeheader
• Message Header Analyzer: https://mha.azurewebsites.net/
• mailheader.org
• URLScan.io: https://urlscan.io/

Email Body Analysis

• URL Extractor: https://www.convertcsv.com/url-extractor.htm

Malware Sandbox:

• Hybrid Analysis
• VirusTotal
• Any.run
• Joe Security: https://www.joesecurity.org/

PhishTool

• https://mxtoolbox.com/
• https://phishtank.com/
• https://www.spamhaus.org/



Phishing Prevention:
There are various actions a defender can take to help protect users from falling victim to a malicious email.
Some examples of these actions are listed below:
• Email Security (SPF, DKIM, DMARC)
• Spam Filters (flag or block incoming emails based on reputation)
• Email Labels (alert users that an incoming email is from an outside source)
• Email Address/Domain/URL Blocking (based on reputation or an explicit denylist)
• Attachment Blocking (based on the extension of the attachment)
• Attachment Sandboxing (detonating email attachments in a sandbox environment to detect malicious activity)
• Security Awareness Training (internal phishing campaigns)
Per the MITRE ATT&CK Framework, Phishing for Information is described as an attempt to trick targets into divulging
information, and it contains three sub-techniques.
Visit the above link and look at the Mitigation section under Software Configuration.

SPF (Sender Policy Framework)


"Sender Policy Framework (SPF) is used to authenticate the sender of an email. With an SPF record in place, Internet
Service Providers can verify that a mail server is authorized to send email for a specific domain. An SPF record is a DNS
TXT record containing a list of the IP addresses that are allowed to send email on behalf of your domain."

What does a basic SPF record look like?

v=spf1 ip4:127.0.0.1 include:_spf.google.com -all

An explanation for the above record:


• v=spf1 -> This is the start of the SPF record
• ip4:127.0.0.1 -> This specifies which IP address (an IPv4 address here, not IPv6) can send mail
• include:_spf.google.com -> This specifies which other domain's SPF record also authorizes senders
• -all -> mail from any sender not authorized above fails SPF and will be rejected
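Added example (not from the original notes): a minimal SPF evaluator in Python that walks a record like the one above, term by term, and reports pass/fail/softfail/neutral for a given sending IP. DNS is replaced by a constructed dictionary so it runs offline; the entry for example.test is the page's sample record, while the contents shown for _spf.google.com are invented and are not Google's real record. Only the ip4, ip6, include and all mechanisms are modelled (a, mx, ptr and exists need live DNS). A deliberately weak "+all" record is included beside it to show why the qualifier on "all" matters.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: these are NOT real records,
# except that example.test mirrors the sample record explained above).
FAKE_TXT = {
    "example.test": "v=spf1 ip4:127.0.0.1 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    # Weak record: "+all" means every host on the Internet passes SPF for this domain.
    "weak.test": "v=spf1 +all",
}

# Qualifier prefixes and the SPF result produced when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 limits DNS-querying terms to 10 per evaluation

def check_spf(domain, ip, txt=FAKE_TXT, depth=0):
    """Evaluate the SPF record of `domain` for sending address `ip`.

    Returns (result, explanation). Mechanisms are tried left to right; the first
    one that matches decides the result, exactly as a receiving MTA would do it.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror", "include chain too deep"
    record = txt.get(domain.lower())
    if record is None:
        return "none", f"no SPF record for {domain}"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror", f"{domain}: record does not start with v=spf1"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == network.version and addr in network
        elif name == "include":
            # include matches only when the included domain's record yields "pass"
            matched = check_spf(arg, ip, txt, depth + 1)[0] == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, ptr, exists and modifiers are not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier], f"{domain}: matched {qualifier}{term}"
    return "neutral", f"{domain}: no mechanism matched"

if __name__ == "__main__":
    for sender in ("127.0.0.1", "203.0.113.5", "198.51.100.9", "2001:db8::1"):
        print(sender, check_spf("example.test", sender))
    print("weak.test from anywhere:", check_spf("weak.test", "198.51.100.9"))
```

The same sender that fails against example.test (because of "-all") passes against weak.test, which is why a record ending in "+all" offers no protection at all and "~all" only a soft one.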

Let's look at Twitter's SPF record using dmarcian's SPF Surveyor tool.

DKIM (DomainKeys Identified Mail)


"DKIM stands for DomainKeys Identified Mail and is used for the authentication of an email that’s being sent. Like SPF,
DKIM is an open standard for email authentication that is used for DMARC alignment. A DKIM record exists in the DNS,
but it is a bit more complicated than SPF. DKIM’s advantage is that it can survive forwarding, which makes it superior to
SPF and a foundation for securing your email."

What is DKIM? DomainKeys Identified Mail



DMARC (Domain-Based Message Authentication, Reporting, and Conformance)

"DMARC, (Domain-based Message Authentication Reporting, & Conformance) an open source standard, uses a concept
called alignment to tie the result of two other open source standards, SPF (a published list of servers that are authorized
to send email on behalf of a domain) and DKIM (a tamper-evident domain seal associated with a piece of email), to the
content of an email. If not already deployed, putting a DMARC record into place for your domain will give you feedback
that will allow you to troubleshoot your SPF and DKIM configurations if needed."
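Added example (not from the original notes or from dmarcian): Python code that applies the "alignment" idea from the quote above. Given the From-header domain the user sees, the domain SPF was checked against (the Return-Path / MAIL FROM domain) and the d= domain of a verified DKIM signature, it decides whether either result aligns under the record's aspf/adkim tags and what disposition the p= policy gives. The record is constructed, and the organizational-domain rule is a simplification (last two labels; real DMARC uses the Public Suffix List). The pct and sp tags are ignored.

```python
# Constructed DMARC record for the example domain (standard tag names; the rua
# address is invented).
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.test"

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Simplification: organizational domain = last two labels. Real DMARC consults the
    Public Suffix List, so e.g. example.co.uk needs a smarter rule than this."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r', the default): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Tie SPF and DKIM results to the visible From domain, as DMARC does.

    from_domain: domain of the RFC 5322 From header (what the user sees)
    spf_domain:  domain SPF was evaluated against (MAIL FROM / Return-Path)
    dkim_domain: d= tag of the DKIM-Signature that verified, or None
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    spf_ok = spf_result == "pass" and bool(spf_domain) and \
        aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and \
        aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        # pct and sp (subdomain policy) are ignored for brevity
        "disposition": "none" if passed else tags.get("p", "none"),
    }

if __name__ == "__main__":
    cases = {
        "sent by own mail server": ("example.test", "pass", "mail.example.test", "pass", "example.test"),
        "forwarded (SPF breaks)":  ("example.test", "fail", "mail.example.test", "pass", "example.test"),
        "spoofed From, own SPF":   ("example.test", "pass", "attacker.test", "none", None),
    }
    for label, args in cases.items():
        print(f"{label:>24}: {evaluate_dmarc(SAMPLE_RECORD, *args)}")
```

The second case is the "DKIM survives forwarding" point from the DKIM quote: SPF fails because the forwarder's IP is not authorized, but the DKIM signature still verifies and aligns. The third case shows why SPF alone is not enough: the attacker's own domain passes SPF, yet it does not align with the From domain the user sees, so DMARC fails and p=reject applies.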

Let's use the Domain Health Checker from dmarcian.com and check the DMARC status of microsoft.com.

And the results are...


S/MIME (Secure/Multipurpose Internet Mail Extensions)


"S/MIME (Secure/Multipurpose internet Mail Extensions) is a widely accepted protocol for sending digitally signed and
encrypted messages."

The two main ingredients of S/MIME are:


1. Digital Signatures
2. Encryption



MITRE ATT&CK:
• Technique T1071 > Sub-technique 003: https://attack.mitre.org/techniques/T1071/003/
Per MITRE, "Adversaries may communicate using application layer protocols associated with electronic mail delivery to
avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the
results of those commands, will be embedded within the protocol traffic between the client and server."
Several notable groups, such as APT28, APT32 and Turla, to name a few, have used this technique.
Recommended mitigation (per MITRE):
"Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary
malware can be used to mitigate activity at the network level."
Detection opportunity (per MITRE):
"Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards
regarding syntax, structure, or any other variable adversaries could leverage to conceal data."

Phishing IR Playbook:
• https://github.com/counteractive/incident-response-plan-template/blob/master/playbooks/playbook-phishing.md

Email URL analysis:

• Search the email source for keywords: "http", "<a>" tag
• Go to CyberChef: use the "Extract URLs" operation
• Defang the URLs
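Added example (not from the original notes, CyberChef or the Email IOC Extractor project): Python that performs the URL-analysis steps above and the defanging described in the hyperlink section on a constructed message. It walks the MIME parts, takes href targets from "<a>" tags in the HTML part (the link text can say anything), regex-extracts "http" URLs and email addresses from both parts, and then defangs them in the hxxp[://]www[.]example[.]com style used in these notes. All addresses, hosts and links in SAMPLE_EML are invented; a refang helper is included for pasting an indicator back into a scanner.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample: multipart/alternative with a shortened link in the text part and
# two <a> tags in the HTML part. Every host, address and link here is invented.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@example-corp.test>
To: billy@example-corp.test
Subject: Invoice suspended
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is suspended. Review it at https://bit.ly/3xyzABC or write to billing@amaz0n-support.test.

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Review your invoice
<a href="http://amaz0n-support.test/login?user=billy">here</a> or
<a href="https://bit.ly/3xyzABC">here</a>.</p></body></html>
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags; the displayed text may say something else."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value.strip())

def extract_iocs(raw):
    """Return (urls, email_addresses) found in the text/plain and text/html parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    urls, addresses = set(), set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        text = part.get_content()
        if ctype == "text/html":
            parser = LinkExtractor()
            parser.feed(text)
            urls.update(parser.links)
        urls.update(u.rstrip(".,;:)") for u in URL_RE.findall(text))
        addresses.update(a.rstrip(".") for a in EMAIL_RE.findall(text))
    return sorted(urls), sorted(addresses)

def defang(indicator):
    """hxxp[://]www[.]example[.]com style: unclickable in tickets, chat and reports."""
    out = re.sub(r"^http(s?)://", r"hxxp\1[://]", indicator, flags=re.IGNORECASE)
    return out.replace(".", "[.]").replace("@", "[@]")

def refang(indicator):
    """Inverse of defang, for submitting an indicator to a scanner such as urlscan.io."""
    out = indicator.replace("[.]", ".").replace("[@]", "@").replace("[://]", "://")
    return re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)

def defanged_report(raw):
    """Everything an analyst would paste into the ticket, already defanged."""
    urls, addresses = extract_iocs(raw)
    return {"urls": [defang(u) for u in urls], "emails": [defang(a) for a in addresses]}

if __name__ == "__main__":
    for kind, items in defanged_report(SAMPLE_EML).items():
        for item in items:
            print(f"{kind}: {item}")
```

Note that the HTML part yields the real target "amaz0n-support.test" even though the visible link text is just "here", which is exactly why the href, not the displayed text, is what gets extracted and checked.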

TOOLS:
- Email IOC Extractor (GitHub)

python3 eioc.py <eml file path>

PhishTank: a database of reported phishing URLs

URL2PNG: lets us view a screenshot of a URL without clicking on it

Urlscan.io

VirusTotal

URLVoid: website reputation

Wannabrowser: send GET/POST requests and see the response header info

URLhaus (urlhaus.abuse.ch)

Google Transparency Report (Safe Browsing search)

PhishTool

Joe Sandbox

Hybrid Analysis

References:
https://gchq.github.io/CyberChef/
https://github.com/MalwareCube/Email-IOC-Extractor
https://phishtank.org/
https://www.url2png.com/
https://urlscan.io/
https://www.virustotal.com/gui/home/upload
https://www.urlvoid.com/
https://www.wannabrowser.net/
https://unshorten.it/
https://urlhaus.abuse.ch/
https://transparencyreport.google.com/safe-browsing/search
https://www.joesandbox.com/

Email Attachment Analysis:

python3 emldump.py <file>

python3 emldump.py <file> -s <stream id> -d > <output filename>

Cisco Talos
VirusTotal

Dynamic Attachment Analysis (what to observe in the sandbox):

- Process activity
- Network connections
- File activity



Free online platforms:
- Hybrid Analysis
- Joe Sandbox Basic
- Any.run

Static MalDoc analysis:

oledump.py (or oletools on Linux)

OLE (Object Linking and Embedding)

oledump.py <file>
oledump.py <file> -s <stream no.>
oledump.py <file> -s <stream no.> -S
oledump.py <file> -s <stream no.> --vbadecompresscorrupt

Static PDF analysis:

Check the hash on VirusTotal

pdf-parser.py <pdf>
pdfid.py <file>

pdf-parser.py <pdf> --object 8 --filter --raw --dump <malfilename>
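Added example (not from the original notes and not Didier Stevens' pdfid.py or pdf-parser.py): a Python script that does the static PDF triage above in the pdfid style. It counts the structural and risk keywords in the raw bytes without parsing the PDF, flags the ones that mark an automatic trigger (/OpenAction, /AA, /JS, /JavaScript, /Launch, ...), and then reports which object numbers contain them, i.e. the value to pass to "pdf-parser.py --object" in the next step. SAMPLE_PDF is a constructed minimal file whose catalog /OpenAction points at a /JavaScript action holding a placeholder string; it is not a real malicious sample.

```python
import re

# Constructed minimal PDF (assumption: not a real sample). The catalog's /OpenAction
# points at object 4, a /JavaScript action with a placeholder script string.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /JavaScript /JS (placeholder-script) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Keyword sets in the pdfid style: file structure first, then names that deserve a look.
STRUCTURE_KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref"]
RISK_KEYWORDS = [b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript", b"/AA", b"/OpenAction",
                 b"/AcroForm", b"/JBIG2Decode", b"/RichMedia", b"/Launch", b"/EmbeddedFile", b"/XFA"]
# Names that make something run or open without the reader doing anything.
TRIGGERS = {b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch", b"/RichMedia", b"/XFA"}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

def _pattern(keyword):
    # Whole-token match: /Page must not also count /Pages, and obj must not count endobj.
    if keyword.startswith(b"/"):
        return re.compile(re.escape(keyword) + rb"(?![A-Za-z0-9])")
    return re.compile(rb"\b" + re.escape(keyword) + rb"\b")

def count_keywords(data):
    """pdfid-style keyword counts over the raw bytes; no PDF parsing involved."""
    return {kw.decode(): len(_pattern(kw).findall(data))
            for kw in STRUCTURE_KEYWORDS + RISK_KEYWORDS}

def objects_containing(data, keyword):
    """Object numbers whose body contains keyword: what to give pdf-parser.py --object."""
    pat = _pattern(keyword)
    return [int(m.group(1)) for m in OBJ_RE.finditer(data) if pat.search(m.group(3))]

def pdf_triage(data):
    """Summarise the trigger keywords present and the objects to dump for a closer look."""
    counts = count_keywords(data)
    hits = sorted(k.decode() for k in TRIGGERS if counts[k.decode()] > 0)
    objects = sorted({n for k in hits for n in objects_containing(data, k.encode())})
    return {"suspicious": bool(hits), "triggers": hits, "objects_to_dump": objects}

if __name__ == "__main__":
    for keyword, n in count_keywords(SAMPLE_PDF).items():
        if n:
            print(f"{keyword:>14} {n}")
    print(pdf_triage(SAMPLE_PDF))
```

For a file on disk, read it with open(path, "rb").read() and pass the bytes in; a /JavaScript or /OpenAction count above zero is the cue to dump the listed objects with pdf-parser.py as in the command above.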

Automated email analysis:

PhishTool

Reactive Phishing Defense:

1. Containment:
- Determine scope
- Quarantine
- Block sender artifacts (Exchange server)
▪ Microsoft Exchange Online
▪ AWS WorkMail
- Block web artifacts (EDRs)
- Block file artifacts

2. Eradication:
a. Remove malicious emails
i. Content search and eDiscovery
ii. Get-MessageTrackingLog -Sender "sendermail" -MessageSubject "Hello"
iii. Remove malicious files
iv. Abuse form submissions [email protected]
v. Credential changes
vi. Reimaging
3. Recovery:
a. Restore systems

4. Communication :
a. Notify affected users
b. Update stakeholders

5. User Education :
a. End User training

Proactive Phishing Defense :

1. Email Filtering :
a. Email security services like
b. Marking external emails

2. URL scanning and Blocking :


a. Real-time URL inspection
b. Block recently registered domains

3. Attachment Filtering :
a. File extension blocks
b. Attachment Sandboxing

4. Email Authentication Methods :


a. SPF
b. DKIM
c. DMARC

5. User Training:
a. Security awareness training
b. Phishing simulation exercises
c. Reporting function in mail services
