TryHackMe: [Day 19] Blue Teaming Something Phishy Is Going On

Mac Leo
Apr 27, 2022

1. Who was the email sent to? (Answer is the email address)

ANS: elfmcphearson@tbfc.com

EXPLANATION:

2. Phishing emails use similar domains of their targets to increase the likelihood the recipient will be tricked into interacting with the email. Who does it say the email was from? (Answer is the email address)

ANS: customerservice@t8fc.info

EXPLANATION:

3. Sometimes phishing emails have a different reply-to email address. If this email was replied to, what email address will receive the email response?

ANS: fisher@tempmailz.grinch

EXPLANATION:

4. Less sophisticated phishing emails will have typos. What is the misspelled word?

ANS: stright

EXPLANATION:

5. The email contains a link that will redirect the recipient to a fraudulent website in an effort to collect credentials. What is the link to the credential harvesting website?

ANS: https://89xgwsnmo5.grinch/out/fishing/

EXPLANATION:

Step 1: Click the orange button in the email

Step 2: We can see that the link opens in the browser

6. View the email source code. There is an unusual email header. What is the header and its value?

ANS: X-GrinchPhish: >;^)

EXPLANATION:

Step 1: Click on More -> View Source

Step 2: Search for an unusual header (e.g. X-GrinchPhish: >;^))

7. You received other reports of phishing attempts from other colleagues. Some of the other emails contained attachments. Open attachment.txt. What is the name of the attachment?

ANS: password-reset-instructions.pdf

EXPLANATION:

Step 1: Go to the Email Artifacts folder -> Click on attachment.txt

Step 2: Search for Content-Type to find the answer

8. What is the flag in the PDF file?

ANS: THM{A0C_Thr33_Ph1sh1ng_An4lys!s}

EXPLANATION:

Step 1: Open attachment-base64-only.txt

Step 2: Open CyberChef -> Drag in attachment-base64-only.txt as the input

Step 3: Drag the From Base64 operation into the Recipe box and bake it

Step 4: Save the file as test.pdf and open the file to find the flag
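The checks from questions 2, 3, 6, 7 and 8 can also be scripted. The following is an added example, not part of the original walkthrough: it builds a constructed stand-in message from the addresses and header quoted in the answers above (the PDF bytes are a placeholder, and `build_sample` and `triage` are hypothetical names), then flags the Reply-To mismatch, the lookalike sender domain and the X- headers, and decodes the base64 attachment to check its magic bytes and hash without opening it.

```python
import email
import hashlib
from difflib import SequenceMatcher
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

def build_sample() -> bytes:
    """Constructed stand-in for the room's email; the PDF bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "customerservice@t8fc.info"
    m["To"] = "elfmcphearson@tbfc.com"
    m["Reply-To"] = "fisher@tempmailz.grinch"
    m["Subject"] = "Account notice (constructed)"
    m["X-GrinchPhish"] = ">;^)"
    m.set_content("Constructed body text.")
    m.add_attachment(b"%PDF-1.4\n% constructed placeholder\n", maintype="application",
                     subtype="pdf", filename="password-reset-instructions.pdf")
    return m.as_bytes()

def _domain(header_value) -> str:
    # Address domain of a header value; empty string when the header is absent.
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    frm, to, reply = (_domain(msg[h]) for h in ("From", "To", "Reply-To"))
    # Lookalike check (a simplification): compare the first domain label only.
    ratio = SequenceMatcher(None, frm.split(".")[0], to.split(".")[0]).ratio()
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # undoes the base64 transfer encoding
        attachments.append({
            "name": part.get_filename(),
            "type": part.get_content_type(),
            "is_pdf": data.startswith(b"%PDF-"),  # magic bytes, not the extension
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return {
        "reply_to_mismatch": bool(reply) and reply != frm,
        "lookalike_sender": frm != to and ratio >= 0.7,
        "x_headers": {k: str(v) for k, v in msg.items() if k.lower().startswith("x-")},
        "attachments": attachments,
    }

if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, "=", value)
```

To run it against a saved message instead of the constructed one, pass the raw bytes of the .eml file to `triage`.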
