Session_Task-11
Phishing Email Analysis and
Incident Report
VENKATASAI PITHANI
BATCH NO: CF-08
Table of Content
1 Introduction
2 Steps Involved in phishing Email Analysis
3 Email Analysis
3.1 cisco-email-appliance.log
3.2 google-workspace.log
4 Incident Report for both log files
4.1 Cisco log file
4.2 Google log files
5 Conclusion
6 References
7 Screenshots
1. Introduction
Phishing email analysis involves examining suspicious emails to identify
potential phishing attempts, understand their characteristics, and develop
strategies to prevent them from compromising individuals or organizations.
This report provides an in-depth analysis of a phishing email, including header
analysis, content examination, and an incident response report for confirmed
phishing cases.
2. Steps Involved in Phishing Email Analysis
1. Collect the Suspicious Email
o Obtain the raw email, including headers and body content.
o Preserve the email for forensic analysis.
2. Analyze Email Headers
o Extract sender details, IP address, and mail servers.
o Verify SPF, DKIM, and DMARC authentication results.
o Identify anomalies such as spoofed domains or mismatched sender information.
3. Inspect Email Content
o Check for urgency, grammatical errors, and inconsistencies.
o Identify suspicious links and attachments.
o Look for social engineering tactics used to manipulate the recipient.
4. Validate URLs and Attachments
o Hover over links to check destination URLs without clicking.
o Use threat intelligence tools to analyze links and attachments.
o Scan attachments in a sandbox environment for potential malware.
5. Check Indicators of Compromise (IoCs)
o Cross-check domains, IP addresses, and hashes with cybersecurity threat databases.
o Look for previous records of malicious activity.
6. Assess Impact and Severity
o Determine the potential consequences of interacting with the phishing email.
o Evaluate the risk to individual users and organizational infrastructure.
7. Report and Mitigate the Threat
o Document findings and share with relevant security teams.
o Block malicious senders, URLs, and attachments.
o Educate users on identifying and reporting phishing attempts.
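Steps 2 and 3 above (header checks, then content checks) as a small triage script. This is an added example, not part of the original report or of either log file; the message it triages is constructed to mirror the report's findings, and the domain attacker-infra.example and the scoring threshold of three indicators are assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

URGENCY = ("immediately", "urgent", "within 24 hours", "suspended")
RISKY_EXT = (".zip", ".exe", ".js", ".iso", ".html", ".scr")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def parse_auth_results(value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    hits = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", (value or "").lower()))
    return {m: hits.get(m, "none") for m in ("spf", "dkim", "dmarc")}

def triage(msg):
    """Header checks, then content checks. Returns (verdict, list of indicators)."""
    indicators = []
    auth = parse_auth_results(msg.get("Authentication-Results"))
    for method in ("spf", "dmarc"):
        if auth[method] == "fail":
            indicators.append(f"{method.upper()} fail")
    # Envelope sender (Return-Path) vs. visible From: a mismatch is a spoofing anomaly.
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    ret_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if ret_dom and ret_dom != from_dom:
        indicators.append(f"Return-Path domain {ret_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if any(w in text.lower() for w in URGENCY):
        indicators.append("urgency language")
    for url in URL_RE.findall(text):
        indicators.append(f"URL {url}")  # checked against threat intel, never clicked
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            indicators.append(f"risky attachment {name}")
    verdict = "phishing" if len(indicators) >= 3 else "suspicious" if indicators else "clean"
    return verdict, indicators

def sample_message():
    """Constructed message mirroring the report's findings; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "IT Support <it-support@example.com>"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Urgent Update Required"
    msg["Return-Path"] = "<bounce@attacker-infra.example>"  # assumed attacker domain
    msg["Authentication-Results"] = ("mx.example.com; spf=fail smtp.mailfrom=attacker-infra.example;"
                                     " dkim=pass header.d=attacker-infra.example; dmarc=fail header.from=example.com")
    msg.set_content("Please update your account information immediately.\nhttp://malicious-url.com/login\n")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    return msg
```

Calling triage(sample_message()) returns the verdict "phishing" with the SPF/DMARC failures, the Return-Path mismatch, the urgency wording, the URL and the zip attachment listed as indicators.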
3.1 Email Analysis (Cisco-email-appliance)
Phishing Email Analysis
1. Email Header Analysis
• Sender: [email protected]
• Recipient: [email protected]
• Message ID: <[email protected]>
• Subject: "Urgent Update Required"
• SPF: Fail
• DKIM: Pass
• DMARC: Fail
Findings:
• The SPF failure suggests the sender's domain was not authorized to send emails from that IP.
• The DKIM pass indicates that the email signature was verified, but this alone does not confirm legitimacy.
• The DMARC failure indicates that the email does not align with the domain's authentication policy, reinforcing suspicion.
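The findings above (and the matching findings in section 3.2) hinge on DMARC alignment: a DKIM signature can verify perfectly yet be signed by a domain that has nothing to do with the From: domain. This added example, not taken from the report, evaluates the DMARC result from the SPF and DKIM outcomes the way RFC 7489 describes; the organizational-domain helper is simplified to the last two labels (real validators use the Public Suffix List), and attacker-infra.example is an assumed attacker domain.

```python
def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption: no Public Suffix List)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed alignment needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(from_domain, spf, dkim, policy="reject", adkim="r", aspf="r"):
    """spf is (spf result, smtp.mailfrom domain); dkim is (dkim result, header.d domain),
    i.e. the values an Authentication-Results header carries. Returns (result, disposition, reasons)."""
    reasons = []
    spf_res, spf_dom = spf
    dkim_res, dkim_dom = dkim
    spf_ok = spf_res == "pass" and aligned(spf_dom, from_domain, aspf)
    dkim_ok = dkim_res == "pass" and aligned(dkim_dom, from_domain, adkim)
    if spf_res != "pass":
        reasons.append(f"spf={spf_res} for {spf_dom or '<none>'}")
    elif not spf_ok:
        reasons.append(f"spf passed but {spf_dom} is not aligned with {from_domain}")
    if dkim_res != "pass":
        reasons.append(f"dkim={dkim_res}")
    elif not dkim_ok:
        reasons.append(f"dkim passed but d={dkim_dom} is not aligned with {from_domain}")
    # DMARC passes if at least one aligned mechanism passes; otherwise the policy applies.
    if spf_ok or dkim_ok:
        return "pass", "none", reasons
    return "fail", policy, reasons

# Constructed values mirroring the report's header results (not taken from the logs).
REPORT_CASE = dict(from_domain="example.com",
                   spf=("fail", "attacker-infra.example"),
                   dkim=("pass", "attacker-infra.example"))
```

For REPORT_CASE the result is "fail" with the reason that the DKIM signature, although valid, is signed by a domain not aligned with example.com; a forwarded legitimate message (SPF fail, DKIM pass with d=mail.example.com) still passes under relaxed alignment.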
2. Content Examination
• Body: "Please update your account information immediately."
• Attachment: invoice.zip (Potential malware/phishing payload)
• URL: http://malicious-url.com (Likely a credential-harvesting site)
Findings:
• The message uses urgency to manipulate the recipient.
• The attachment (invoice.zip) could contain malware such as a trojan or ransomware.
• The included URL suggests a possible phishing site designed to steal credentials.
3. Action Taken
• Email was quarantined due to phishing indicators.
3.2 Email Analysis (Google-workspace.log)
1. Email Metadata
• Sender: [email protected]
• Recipient: [email protected]
• Subject: "Urgent Update Required"
• Message ID: <[email protected]>
Authentication Checks
• SPF: Fail
• DKIM: Pass
• DMARC: Fail
Findings
• The SPF failure indicates that the sender's IP address was not authorized to send emails on behalf of example.com.
• The DKIM pass means the email was not altered in transit, but it does not confirm the sender's legitimacy.
• The DMARC failure shows that the email did not align with the domain's authentication policy, indicating a spoofing attempt.
2. Content Analysis
Email Body
• Message: "Please update your account information immediately."
• Tone: Urgent, social engineering tactic to create panic.
• Red Flags: No personalization, vague instructions.
Attachments & URLs
• Attachment: invoice.zip (Potential malware/phishing payload)
• Malicious URL: http://malicious-url.com (Likely a phishing site)
Findings
• The email urges immediate action, which is a common phishing tactic.
• The attachment could be malware (e.g., ransomware, trojan).
• The URL might be a credential-harvesting site.
4.1 Incident Report for Cisco-email-appliance
• Incident ID: IR-2024-07-19-001
• Date & Time: 2024-07-19 10:30:08 UTC
• Affected User(s): [email protected]
• Threat Type: Phishing Attempt
• Source: [email protected]
a. Indicators of Compromise (IoCs):
• Malicious URL: http://malicious-url.com
• Suspicious Attachment: invoice.zip
• Failed SPF & DMARC authentication
b. Risk Assessment:
• Potential Impact: Credential theft, malware infection
• Likelihood: High
c. Mitigation & Response Actions:
• Block Sender: [email protected] on email gateway.
• Blacklist URL: http://malicious-url.com on network security devices.
• Analyze Attachment: invoice.zip in a sandbox environment.
• User Awareness: Notify [email protected] and educate on phishing awareness.
• Monitor for Compromise: Check for any unauthorized access attempts.
• Report Incident: Share details with security teams and authorities if necessary.
4.2 Incident Report for Google Log file
• Incident ID: IR-2024-07-19-002
• Date & Time: 2024-07-19 10:25:13 UTC
• Affected User(s): [email protected]
• Threat Type: Phishing Attempt
• Source: [email protected]
a. Indicators of Compromise (IoCs)
• Malicious URL: http://malicious-url.com
• Suspicious Attachment: invoice.zip
• Failed SPF & DMARC authentication
b. Risk Assessment
• Potential Impact: Credential theft, malware infection
• Likelihood: High
c. Mitigation & Response Actions
1. Block Sender: [email protected] on email gateway.
2. Blacklist URL: http://malicious-url.com on web filtering systems.
3. Analyze Attachment: invoice.zip in a sandbox environment.
4. User Awareness: Notify [email protected] and provide phishing awareness training.
5. Monitor for Compromise: Check system logs for unauthorized access attempts.
6. Report Incident: Escalate to security teams and relevant authorities.
5. Conclusion
This analysis confirms that the email was a phishing attempt designed to
deceive the recipient into revealing sensitive information or installing
malware. By analyzing email headers, content, and attachments,
organizations can proactively detect and mitigate phishing threats.
Screenshots: