Email Forensics; 2. Headers and Body

Peter Matkovski
7 min read, Oct 8, 2019


This series of articles explains the basic evaluation of email; headers, body, and various types of attachments.

Parts of this Email Forensics series:

  1. The Gathering
  2. Headers and Body (you are here)
  3. Attachments (TBD)

This second part of the Email Forensics series is dedicated to identifying spoofing attempts in the email headers and to extracting useful information from the body of the email.

The scope is limited to email received from external sources that is not dropped by the mail servers, meaning the emails do not hard-fail any security check en route to the target recipient.

The Headers

Email headers contain information about the path that the email traversed (green in the screenshot) and the envelope information (blue). While discrepancies in the traversed path and the ‘Return-Path’ are penalised by dropping the email, the envelope headers, especially the ‘From’ header, may contain misleading content.

The ‘Return-Path’ field is verified by the Sender Policy Framework (SPF), and the usual mail server setup requires the ‘Return-Path’ and ‘From’ email addresses to be aligned. The highlighted part represents the display name of the email sender and is, by design, not verified.

Spoofing Sender Name — primitive but reliable

The display name of the email sender offers the simplest spoofing opportunity, as it is visible to the recipient and its content is not verified. The victim might notice a discrepancy between the sender name and the address, but the email will not be marked as suspicious or moved to spam on that basis.

We can verify the sending server by comparing the IP address from the last external ‘Received:’ header against the SPF record published in the domain’s DNS:

> dig +noall +answer hraoui[.]com txt
hraoui.com. 14400 IN TXT "v=spf1 ip4:104[.]193[.]142[.]151 ...

The email was sent from an authorized server. We can surmise that the server, or just the email account, was compromised for this purpose.

Spoofing the Sender Email — goes to spam

The email address of a sender is written into two different header entries: a ‘Return-Path’ header and a ‘From’ header. The ‘From’ value is displayed to the user, while the ‘Return-Path’ is handed to the server as an envelope attribute.

The sample below shows an email which passed the SPF test despite clearly having a spoofed ‘From’ field. The reason is that SPF is verified against the ‘Return-Path’ field.

[Screenshot] SPF passed because Return-Path matches the sender’s domain

SPF fails when the ‘Return-Path’ field is spoofed as well:

[Screenshot] SPF failed because Return-Path was spoofed as well

Spoofing a domain without an MX entry; see the previous part for details of this case.

[Screenshot] Domain blockchain[.]org has no MX entry; SPF result is ‘none’ for the spoofed domain without an MX entry

All the spoofing attempts above were moved to the spam folder by the email server.

The result of the verification is available in the ‘Authentication-Results’ header. If the entry is missing or authentication fails, it shouldn’t directly be considered evidence of spoofing. A significant number of legitimate senders do not have SPF and DKIM configured properly, and a DKIM signature might fail when an SMTP server is used as a legitimate relay.
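To make the header checks above concrete, here is an added Python example (not code from the article) that parses a constructed .eml: it compares the Return-Path domain with the From domain, looks for an address or domain smuggled into the unverified display name, pulls the connecting IP from the topmost Received header, reads the spf/dkim/dmarc verdicts from Authentication-Results, and checks that IP against an SPF TXT record obtained separately (for instance with the dig query shown earlier). All addresses, hosts and IPs in it are constructed, and only literal ip4:/ip6: mechanisms of the SPF record are evaluated.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not one of the article's cases).  The display name
# claims a bank, the From address is a free-mail account and the Return-Path
# points to a third, bulk-mailer domain; the Authentication-Results line is
# likewise made up to match that situation.
SAMPLE_EML = """\
Return-Path: <bounce@example-bulk.test>
Received: from mail.example-bulk.test (mail.example-bulk.test [203.0.113.10])
    by mx.victim.test with ESMTPS id CONSTRUCTED-QUEUE-ID
    for <alice@victim.test>; Tue, 8 Oct 2019 10:00:00 +0000
Authentication-Results: mx.victim.test;
    spf=pass smtp.mailfrom=example-bulk.test;
    dkim=none;
    dmarc=fail header.from=freemail.test
From: "Example Bank Support" <support.examplebank@freemail.test>
To: alice@victim.test
Subject: Your account has been locked
Content-Type: text/plain; charset=us-ascii

Please follow the link to resolve the issue.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# heuristic: an e-mail address or bare domain hiding inside a display name
NAME_DOMAIN = re.compile(r"(?:[\w.+-]+@)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def addr_domain(header_value):
    """Domain of the first address in a From/Return-Path value, lower-cased."""
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def display_name_spoof(from_value):
    """True when the unverified display name carries an address or domain that
    differs from the real From domain, e.g. "ceo@bank.test" <x@freemail.test>."""
    name, addr = parseaddr(str(from_value))
    real_domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return any(m.group(1).lower() != real_domain for m in NAME_DOMAIN.finditer(name))


def parse_auth_results(value):
    """method=result pairs (spf/dkim/dmarc) from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(value))}


def ip_authorised_by_spf(ip, spf_txt):
    """Check a connecting IP against the ip4:/ip6: terms of an SPF TXT record
    fetched separately (e.g. with dig).  include:, a: and mx: terms need DNS
    lookups and are deliberately not resolved here."""
    addr = ipaddress.ip_address(ip)
    for term in spf_txt.split():
        term = term.lstrip("+")
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if addr.version == net.version and addr in net:
                return True
    return False


def analyse_headers(raw):
    """Alignment, display-name and authentication findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_value = msg.get("From", "")
    received = [str(h) for h in msg.get_all("Received", [])]
    # The topmost Received header was written by the receiving MX and records
    # the IP that connected to it, i.e. the address SPF was evaluated against.
    match = IPV4_IN_BRACKETS.search(received[0]) if received else None
    from_domain = addr_domain(from_value)
    rp_domain = addr_domain(msg.get("Return-Path", ""))
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "aligned": bool(from_domain) and from_domain == rp_domain,
        "display_name_spoof": display_name_spoof(from_value),
        "connecting_ip": match.group(1) if match else None,
        "auth": parse_auth_results(msg.get("Authentication-Results", "")),
    }


if __name__ == "__main__":
    for key, value in analyse_headers(SAMPLE_EML).items():
        print(f"{key:20} {value}")
```

On the sample the script reports a misaligned Return-Path/From pair with spf=pass and dmarc=fail, which is exactly the "SPF passed but From is spoofed" situation in the screenshots: the pass only tells you the bulk mailer was allowed to send for its own domain. The IP check reproduces the manual dig comparison, so the record you feed it should be the one you actually fetched for the Return-Path domain.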

Non-spoof cases

Spoofing usually lowers the email’s reputation, and the message might end up in the spam folder or in quarantine, but that’s not always the case. When an email is sent from an authorized server and signed with a valid DKIM signature, its reputation remains intact.

The most common channels for taking advantage of properly signed email are:

  • Free email services (outlook.com, yahoo.com, gmail.com,…)
  • PWNed email addresses (banks, ISPs,…)
  • Lookalike domains (sforce.com, worksday.com,…)
  • Mass email services (MailChimp.com, SendGrid.net…)

The Body

Preview

An important step in email triage is to view a preview of the email and read its text and graphics to assess the purpose of the message. For example, two lures are widely used to get potential victims to click on the target link:

  1. An alarming message asserting some problem with the recipient’s account, where they are prompted to follow a link to resolve the issue, and
  2. A message notifying the recipient of a new / updated / shared document

92.7% of the incidents analyzed used generic messages, i.e. messages that could be deployed at a large number of organizations with only minimal changes (source).

A preview should be generated by a real email client. Although this might not matter for plain text emails, it is crucial for more complex HTML multipart emails. Be aware that simple HTML-to-PNG conversion libraries produce very different results than the rendering engine of an email client.

The Mozilla Thunderbird email client in a secured Docker container does the job well. Short-lived containers configured only to run a Thunderbird instance should be secure enough, because a chain of exploits is needed to escape the environment. Below is the core of the Dockerfile; since Thunderbird has no ‘Save as Image’ functionality, we take a screenshot of the running instance inside a virtual display.

Dockerfile for headless Docker container:

FROM debian:stretch
# Thunderbird plus the X virtual framebuffer and tools used for the screenshot
RUN apt-get -y update \
&& apt-get install -y thunderbird xvfb xdotool x11-apps imagemagick unzip zip \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y
# Xauthority file for the Xvfb display (absolute path; the original lacked the leading slash)
ENV XAUTHORITY=/root/.Xauthority
RUN touch /root/.Xauthority

Screenshot bash script in docker instance:

#!/bin/bash
# Runs Thunderbird on a virtual X display (Xvfb) and grabs screenshots of it.
# Helper variables the original excerpt left undefined are set here.
DISPLAY_SIZE=860x1400
DEPTH=24
LIMIT=1                         # how many screenshots to take
PAUSE=1                         # seconds between screenshots
DISPLAY_NUM=99
SCREEN=0
OUTPUT_DIR="./output"
TMP="/tmp/"
IMG="screen.xwd"
IMAGE_OUTFILE="thunderbird.png"
AUTH_ERR_LOG="/tmp/xvfb-run.log"
SC=0
CMD="thunderbird --file /home/payload.eml --profile prof2"

mkdir -p "${OUTPUT_DIR}"

function make_screenshot(){
    # give Thunderbird a few seconds to render the message before the first shot
    if [ $SC = 0 ]; then
        sleep 5
    fi
    SC=$((SC + 1))
    echo "[*] Making Screenshot $SC"
    # dump the root window of the virtual display and convert it to PNG
    (xwd -display :$DISPLAY_NUM -root -out "${TMP}${IMG}" >/dev/null &&
     convert "${TMP}${IMG}" "${OUTPUT_DIR}/${SC}_${IMAGE_OUTFILE}") || true
}

echo "[*] Starting xvfb-run"
(xvfb-run --error-file "$AUTH_ERR_LOG" -f "$HOME/.Xauthority" -n $DISPLAY_NUM \
    --server-args="-screen ${SCREEN} ${DISPLAY_SIZE}x${DEPTH}" ${CMD} >/dev/null) & disown

# take LIMIT screenshots, PAUSE seconds apart
while [ $SC -lt $LIMIT ]; do
    make_screenshot
    sleep $PAUSE
done

Hyperlinks

Hyperlinks within the body are a popular way to deliver a payload to victims. The presence of a suspicious, unrelated domain in a hyperlink might indicate an intent to mislead the victim. Links to a malicious payload or to phishing pages have multiple advantages for the attacker:

  • The hyperlink might contain parameters identifying the victim, so in the case of a successful hit or a defensive reaction the attacker knows which recipient triggered it
  • The attacker might serve different payloads for different User Agents or geolocations

The following categories of malicious links are the most common:

  • Cloud storage (Gdrive, box.com…). Legit services are commonly abused to serve the payload. Here is an example of a variety of phishing URLs hosted on Google Services from PhishTank:
'https://plus[.]google[.]com/10621333404127897444/posts/1dxWgMf3vc','http://sites[.]google[.]com/site/libretyreserve',
'https://docs[.]google[.]com/document/d/1IGf88w2wRjHq0Sz1fO_NdzHPp',
'https://docs[.]google[.]com/document/d/1gy-xysaRMQ7s14hRc-GdWLVXCnGYYUH--LQSMKHIdAA/edit?usp=sharing',
'https://docs[.]google[.]com/document/d/1zKs-G2rmRPI4od2kaAtem3IDzdA1pbYCwX4R5QZYIWw/edit',
'https://docs[.]google[.]com/forms/d/e/1FAIpQLSdw7WWLMe5NBmdW5bohTmHDl3Uyh4bKaoCq0P7I7wbcuSoWeg/viewform',
'https://docs[.]google[.]com/forms/d/e/1FAIpQLSfttS12wZ9DLNWcmDvgE38oWrINS8y7cxnYT_fTNdAcEf03GA/viewform?usp=send_form',
'https://docs[.]google[.]com/viewerng/viewer?url=proxy[.]ge[.]tt/1/files/5D0k9Lx2/0/blob?referrer%3Duser-a6KjrVMdeXZ9faVkfFsDH44K4iYbrxAK3Pn41U-%26pdf&ddrp=1=secured',
'https://drive[.]google[.]com/file/d/0BwQW_LHWRzFjeE1IZE9QNnc/edit',
'https://drive[.]google[.]com/file/d/11t5_9paDUnEsBjArqXmkDBdCaGYwRfOK/view?usp=drive_open',
'https://drive[.]google[.]com/file/d/13qb-N9OeZzTR4HRUF5mcmAWgugLosmbd/view?usp=sharing',
'https://google[.]com/webhp?ei=89Q-cvV8hmw73ewAUXcAvdzGMr5FGMfyazP&gs_l=',
'https://sites[.]google[.]com/a/ualberta[.]ca/new-work-application/',
'https://sites[.]google[.]com/site/fbconfirmaccoun18/',
'https://sites[.]google[.]com/view/unblockpage/home?authuser=1',
  • PWNed servers. Hacked sites are abused to host the payloads. Of 10K active phishing links tracked by PhishTank, about 4K are hosted on the WordPress blogging platform.
  • Search links (google.com/url?q=…). Search and translate engines are used to trick URL parsers, which validate only the root domain:
'https://google[.]fr/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&cad=rja&uact=8&ved=2ahUKEwiV_p77t-7jAhWpxYUKHXA8BfgQFjAGegQICBAB&url=https%3A%2F%2Ffountainhead[.]vn%2Fblogs%2F&usg=AOvVaw2ombZecKZa0W9mwmd4RYKc',
'https://google[.]co[.]uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwioqpfl4oPKAhWHPxQKHYGXAjkQFggfMAA&url=httpsAFFappleid[.]apple[.]comF&usg=AFQjCNF7841Jq5PLrYJwYDN8RkcZjuNVww&sig2=gKBRh04c9wVr4EOc4FARAw&bvm=bv[.]110151844,d[.]d24',
'https://google[.]com[.]au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwiD1vmHw-_ZAhXHv7wKHT5zA0QQFggnMAA&url=http://bbmacademy[.]com/bbmaold/wp-includes/theme-compat/&usg=AOvVaw1Chfx48laX8aiucswx65yc',
'https://google[.]com/a/turriago[.]com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail[.]google[.]com/mail/&ss=1&ltmpl=default&ltmplcache=2&emr=1&osid=1',
'https://google[.]com/url?hl=en&q=http://cmffltd[.]com/wp-zbxb/zbxbx/mobile/exx/Account/index[.]php?email%3D%5B%5B-Email-%5D%5D&source=gmail&ust=1523355231217000&usg=AFQjCNFBC5DLonStz7Nxpw6Hp_V9soeAPQ',
'https://google[.]com/url?q=http://polaroidevents[.]pk/wp-content/uploads/2019/02/update?email%3D%5B%5B-Email-%5D%5D&source=gmail&ust=1566559101359000&usg=AFQjCNFoELb10r4TuDvN0X1e6MR2THi40g',
  • Mass mailing services and tracking links (sendgrid.net). Mass mailing services work well for delivering phishing email, and some of them, for better tracking, even replace hyperlinks with their own redirector.

In the documented case below, sendgrid spoofed the sender email address and hid the malicious hyperlink behind its own redirect.

[Screenshot] Spoofed sender with signed DKIM (source: myonlinesecurity.co.uk)

Trackers

Tracking objects aren’t malicious, but they share some similarities with malicious links, such as an identifier in a parameter. Their goal is to identify the tracked entity in order to evaluate the effectiveness of the campaign. A tracker might be any remote resource that carries a unique identifier when requested, usually a 1x1 pixel loaded from a remote server.
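As an added example covering both the hyperlink categories above and the trackers just described (again not the article’s own code), the following Python extracts links and images from a constructed HTML body, buckets each link into the categories listed (cloud storage, search-engine redirect, mass-mailer tracking link), unwraps a google.*/url?q=… redirect to its real destination, flags query strings that identify the recipient, and picks out 1x1 images with an identifier in their URL. The host lists, parameter names and every URL in the sample are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed HTML body (not from the article): a search-engine redirect that
# carries the recipient's address, a cloud-storage share, a mass-mailer
# click-tracking link, and a 1x1 open-tracking pixel next to an ordinary logo.
SAMPLE_HTML = """
<html><body>
<p>Your account has been locked.
<a href="https://google.com/url?q=http://landing.example.test/update?email%3Dalice%40victim.test&amp;source=gmail">Resolve now</a></p>
<p>A document was shared with you:
<a href="https://drive.google.com/file/d/CONSTRUCTED-FILE-ID/view?usp=sharing">open</a></p>
<p><a href="https://sendgrid.net/ls/click?upn=CONSTRUCTED-TOKEN">unsubscribe</a></p>
<img src="https://track.example-mailer.test/open?id=CONSTRUCTED-RECIPIENT-ID" width="1" height="1">
<img src="https://cdn.example-bank.test/logo.png" width="120" height="40">
</body></html>
"""

# Host lists are illustrative assumptions built from the services the article names.
CLOUD_STORAGE = ("docs.google.com", "drive.google.com", "sites.google.com",
                 "plus.google.com", "box.com")
MASS_MAILERS = ("sendgrid.net",)
SEARCH_HOST = re.compile(r"(www\.)?google(\.[a-z]+){1,2}")
RECIPIENT_KEYS = {"email", "e", "id", "uid", "user", "rcpt"}


class _BodyLinks(HTMLParser):
    """Collect <a href> targets and <img> tags (with their size attributes)."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append({"src": a["src"], "width": a.get("width"),
                                "height": a.get("height")})


def host_in(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(url):
    """Bucket a link into the categories the article lists."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host_in(host, MASS_MAILERS):
        return "mass-mailer"
    if host_in(host, CLOUD_STORAGE):
        return "cloud-storage"
    if SEARCH_HOST.fullmatch(host) and parts.path == "/url":
        return "search-redirect"
    return "other"


def unwrap_redirect(url) -> Optional[str]:
    """Real destination behind a google.*/url?q=... (or url=...) search link."""
    params = parse_qs(urlsplit(url).query)
    for key in ("q", "url"):
        if params.get(key):
            return params[key][0]
    return None


def carries_recipient_id(url):
    """Query string names the recipient: an id-style key or an e-mail-like value."""
    for key, values in parse_qs(urlsplit(url).query).items():
        if key.lower() in RECIPIENT_KEYS or any("@" in v for v in values):
            return True
    return False


def is_tracking_pixel(img):
    """A 0/1 pixel image whose URL carries parameters is almost certainly a tracker."""
    def px(v):
        s = str(v).rstrip("px") if v else ""
        return int(s) if s.isdigit() else None
    tiny = px(img.get("width")) in (0, 1) and px(img.get("height")) in (0, 1)
    return tiny and bool(urlsplit(img["src"]).query)


def analyse_body(html):
    """Per-link category, unwrapped destination and recipient-id flag, plus trackers."""
    parser = _BodyLinks()
    parser.feed(html)
    report = []
    for href in parser.links:
        category = classify(href)
        final = unwrap_redirect(href) if category == "search-redirect" else None
        target = final or href
        report.append({"href": href, "category": category, "final": final,
                       "final_host": urlsplit(target).hostname,
                       "recipient_id": carries_recipient_id(target)})
    trackers = [img["src"] for img in parser.images if is_tracking_pixel(img)]
    return report, trackers


if __name__ == "__main__":
    links, pixels = analyse_body(SAMPLE_HTML)
    for entry in links:
        print(entry)
    print("trackers:", pixels)
```

The point of unwrapping before classifying the host is the one the search-link bullet makes: a parser that stops at the root domain sees only google.com, while the recipient will land on landing.example.test with their own address in the query string. Tracking pixels are reported separately because, as noted above, they are not malicious in themselves; they simply tell you the sender can confirm which recipient opened the message.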

The end of part 2
