Unmasking Deception: Unveiling Phishing Emails through Static and Dynamic Analysis

Y. Furkan
Published in Hedgus
May 2, 2024 (7 min read)

Phishing is important to understand because it is one of the most common ways scammers steal your information or money. They trick you with emails or messages that look like they come from someone you trust, such as your bank or a friend. If you click a link or open an attachment in the message, it can steal your personal details or infect your device with malware. Knowing what phishing looks like lets you spot these scams and protect yourself.

Phishing: Tricking people into revealing sensitive information or installing malware through emails, calls, texts, or social media.

Types of Phishing:

Email Phishing (Most Common): Deceptive emails that try to steal information or make you click malicious links.
Spear Phishing: Targeted emails crafted for specific individuals or organizations.
Whaling: Spear phishing specifically targeting high-level executives.
Vishing (Voice Phishing): Scam phone calls tricking people into giving away personal or financial information.
Smishing (SMS Phishing): Deceptive text messages trying to steal information or make you click malicious links.
Pharming: Redirecting users from legitimate websites to fake ones that steal information.
Social Media Phishing: Using fake or compromised social media accounts to trick people into giving away personal information.
Malware-Based Phishing: Emails with attachments or links that install malware on the victim’s device.
Clone Phishing: Almost identical copies of legitimate emails, hoping to trick recipients into thinking they’re real.

Analyzing phishing emails involves both static and dynamic analysis techniques to understand their characteristics, detect malicious intent, and protect against potential threats. Let’s break down these concepts:

Static Analysis:

Header Analysis: Examining email headers to check for anomalies or suspicious elements such as forged sender addresses or unusual routing paths.

Content Analysis:

URL Inspection: Checking hyperlinks in the email to see if they lead to known phishing domains or have obfuscated URLs.

Attachment Analysis: Examining attachments without running them: file name and type, hash lookups, and antivirus scanning. (Running them in a sandbox belongs to dynamic analysis, below.)

Language and Content: Looking for common phishing language, grammar errors, urgent demands, or requests for sensitive information.

Dynamic Analysis:

Link Sandboxing: Opening suspicious links in a controlled environment (sandbox) to observe their behavior, interactions, and potential redirections. This helps detect malicious activities without exposing the main system.

Attachment Execution: Running suspicious attachments in a controlled environment to observe their actions, such as attempting to install malware or accessing sensitive data.

Network Traffic Analysis: Monitoring network communications initiated by the email or its attachments to detect connections to known malicious servers or command-and-control (C2) infrastructure.

Behavioral Analysis: Observing the overall behavior of the email or its components in a controlled environment to detect any unusual or malicious actions.

E-MAIL ANALYSIS

Three protocols are involved in moving mail:

1-SMTP (Simple Mail Transfer Protocol):
Used for sending emails, both from a client to its mail server (submission) and between mail servers (relay).
Port 25 for server-to-server relay; port 587 (STARTTLS) or port 465 (implicit TLS) for client submission.
2-POP3 (Post Office Protocol):
Used for downloading emails and storing them locally.
Limited synchronization, so it only works well from a single device.
Simple to configure.
Port 110 in the clear; port 995 over TLS.
3-IMAP (Internet Message Access Protocol):
Used for accessing and syncing emails across multiple devices.
Mail stays organized on the server, which also acts as a backup.
Best choice for online access and management of email.
Port 143 in the clear; port 993 over TLS.

POP3 = download and store locally, limited synchronization (effectively one device), simple configuration

IMAP = access and sync across multiple devices, server-side organization (backup), better for online access

NOW,

We should know the important terms and the methodology. I like to sum up complex terms and phrases briefly.

An email address has three parts:

User mailbox (local part, or username)
@
Domain

HINT: When investigating, the username is not important; we pivot on the domain.

An email message is composed of two parts: the header and the body.

HEADER = the fields that describe the message, for example:

From: the sender's email address
Subject: the email's subject line
Date: the date when the email was sent
To: the recipient's email address

Body: The email body is the part of the email that contains the text (plain or HTML formatted) the sender wants you to view.

NOW, while analyzing an email, we should look at the following things. You may know other methods and points of view; feel free to add them as comments.

THE IMPORTANT THINGS

HYPERLINK (people usually click)

LANGUAGE (generic greetings such as "Dear customer" or "hello", and awkward wording from an attacker who is not a native speaker of the language used)

EMOTIONAL (urgency, excitement, sadness, opportunity)

BRAND (lookalike spellings: Amazon vs. Amozon, Apple vs. AppIe with a capital I in place of the l)

TIME (the time zone in the Date header is crucial; compare it with where the sender claims to be)

IP ADDRESS

DOMAIN ADDRESS

ANY URL

NAME OF ATTACHMENT (sometimes an executable or script: .exe, .sh, .php, or a double extension such as invoice.pdf.exe)

HASH VALUE OF ATTACHMENT

Finally, we save the email as .txt or .eml and investigate it with OSINT tools.

Keep a notebook open and write down every indicator of compromise (IOC) you find.
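As an added example (my own code, not part of the original article or of any tool it links), here is a Python script using only the standard library that pulls those IOCs out of an .eml: every URL in the body, links whose visible text points somewhere other than their real target, hosts that are bare IP addresses, lookalike brand spellings such as Amozon or AppIe, and each attachment's name, SHA-256 and whether it is an executable hiding behind a document name. The sample message, the brand watch list and the homoglyph table are constructed for illustration; the IP is from the RFC 5737 documentation range and the domains use the reserved .example TLD. The lookalike check is deliberately simple (homoglyph swaps and one substituted letter) and is labelled as an assumption in the code.

```python
import email
import hashlib
import os
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not real mail): deceptive link text, a lookalike-domain URL, a .pdf.exe.
SAMPLE_EML = """\
From: "Amazon Support" <support@amozon-billing.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, verify now:
<a href="http://203.0.113.5/login/amazon">https://www.amazon.com/account</a></p>
<p>Backup link: http://amozon-billing.example/verify</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Invoice_2024.pdf.exe"
Content-Disposition: attachment; filename="Invoice_2024.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EXEC_EXT = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".sh", ".php", ".hta", ".lnk"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
BRANDS = ("amazon", "apple", "microsoft", "paypal")   # assumed watch list, extend as needed
HOMOGLYPHS = str.maketrans({"I": "l", "0": "o", "1": "l", "5": "s"})  # AppIe -> Apple, etc.

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a>, plus the text outside links."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._link = [], "", None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._link = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        if self._link is None:
            self.text += data
        else:
            self._link[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append((self._link[0], self._link[1].strip()))
            self._link = None

def brand_lookalike(label):
    """Brand a domain label imitates (Amozon, AppIe); None for exact or unrelated names.
    Assumption: only homoglyph swaps and a single substituted letter are considered."""
    normalized = label.translate(HOMOGLYPHS).lower()
    for brand in BRANDS:
        if normalized == brand:
            return None if label.lower() == brand else brand   # AppIe -> apple; apple itself is fine
        if len(normalized) == len(brand) and sum(a != b for a, b in zip(normalized, brand)) == 1:
            return brand                                       # Amozon: one letter substituted
    return None

def attachment_flags(name):
    stem, ext = os.path.splitext(name.lower())
    flags = ["executable"] if ext in EXEC_EXT else []
    if flags and os.path.splitext(stem)[1] in DOC_EXT:
        flags.append("double_extension")     # Invoice.pdf.exe: document name, executable type
    return flags

def extract_iocs(raw_eml):
    msg = email.message_from_string(raw_eml, policy=policy.default)
    urls, mismatched, attachments = [], [], []
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or "unnamed"
            attachments.append({"name": name, "sha256": hashlib.sha256(data).hexdigest(),
                                "flags": attachment_flags(name)})
        elif part.get_content_type() == "text/html":
            ex = LinkExtractor()
            ex.feed(part.get_content())
            for href, text in ex.links:
                urls.append(href)
                if text.startswith("http") and urlparse(text).hostname != urlparse(href).hostname:
                    mismatched.append((text, href))   # what the user sees vs. where it really goes
            urls.extend(URL_RE.findall(ex.text))
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))
    urls = list(dict.fromkeys(urls))                   # dedupe, keep order
    hosts = [urlparse(u).hostname or "" for u in urls]
    sender = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    pairs = {(h, brand_lookalike(lbl)) for h in [sender] + hosts for lbl in re.split(r"[.-]", h)}
    return {"sender_domain": sender, "urls": urls, "mismatched_links": mismatched,
            "ip_hosts": [h for h in hosts if h.replace(".", "").isdigit()],
            "lookalikes": sorted(p for p in pairs if p[1]), "attachments": attachments}
```

Call extract_iocs(SAMPLE_EML) to see the report, or pass the contents of a saved .eml file instead. The sha256 values go into the notebook as they are; the urls and ip_hosts are what you then feed to VirusTotal, urlscan or Talos, and a non-empty mismatched_links or lookalikes list is already a strong verdict on its own.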

There is no information here about where this mail came from.

Return-Path is the address that receives the bounce if this mail cannot be delivered.

It matters because in legitimate mail the Reply-To and Return-Path addresses usually match the sender; when they point at different domains, that is a red flag.

In the rendered message (right-hand pane of the tool), watch out for emotional pressure and brand impersonation.

The Received headers show the hops the mail passed through before it reached us. If there is an IOC here, take note of it.
X-Headers are important for email transmission and security because they carry additional information (mailer software, originating IP, spam-filter verdicts), enable monitoring and analysis, can be integrated with security controls and can serve special functions. This is where experience and attention to detail come in. But remember that an attacker controls the message until it reaches your own mail server, so X-Headers and the earlier Received lines can be forged; only the Received lines added by servers you trust are reliable.
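Here is an added example (mine, not from the article) that does the header triage described above in Python's standard library: it compares the From, Reply-To and Return-Path domains, lists the Received hops in the order the mail actually travelled (each server prepends its line, so the topmost header is the newest), flags hops with no reverse DNS or timestamps that run backwards, reports the time zone of the Date header and collects the X-Headers. The sample headers are constructed, with RFC 5737 documentation addresses and .example domains. The Received regex assumes the common "from A (rdns [ip]) by B ...; date" form and skips lines it cannot parse, which is itself worth a manual look.

```python
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample headers (not a real message). Our servers wrote the top two Received
# lines; the bottom one arrived with the message and could have been forged by the sender.
SAMPLE_EML = """\
Return-Path: <bounce@mailer.attacker-infra.example>
Received: from mx.corp.example (mx.corp.example [198.51.100.10])
 by mail.corp.example with ESMTPS id 4Vq1c2; Thu, 2 May 2024 06:16:02 +0000
Received: from relay.attacker-infra.example (unknown [203.0.113.77])
 by mx.corp.example with ESMTP; Thu, 2 May 2024 06:16:01 +0000
Received: from [10.0.0.12] (localhost [127.0.0.1])
 by relay.attacker-infra.example with SMTP; Thu, 2 May 2024 06:15:59 +0000
X-Mailer: BulkSender 2.1
X-Originating-IP: [203.0.113.77]
Reply-To: "Billing" <billing@amozon-billing.example>
From: "Amazon Billing" <no-reply@amazon.com>
To: victim@corp.example
Subject: Invoice overdue
Date: Thu, 02 May 2024 15:15:00 +0900
Message-ID: <20240502061559.42@relay.attacker-infra.example>

Your invoice is overdue. Reply to this message to avoid suspension.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                   # name the sender announced (HELO)
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"   # (reverse DNS [ip]) seen by receiver
    r".*?\bby\s+(?P<by>\S+)"                                  # server that wrote this line
)

def domain_of(header_value):
    """Domain of the first address in a header value ('' if the header is missing)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def parse_received(values):
    """Received headers, topmost first, turned into hops in the order the mail travelled."""
    hops = []
    for value in reversed(values):           # newest line is on top, so walk bottom-up
        flat = " ".join(str(value).split())  # undo header folding
        m = RECEIVED_RE.search(flat)
        if not m:
            continue                         # unparseable hop: look at it by hand
        stamp = flat.rsplit(";", 1)[-1].strip() if ";" in flat else ""
        hops.append({"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"], "by": m["by"],
                     "time": parsedate_to_datetime(stamp) if stamp else None})
    return hops

def analyze_headers(raw_eml):
    msg = email.message_from_string(raw_eml, policy=policy.default)
    date = msg["Date"]
    report = {
        "from_domain": domain_of(msg["From"]),
        "reply_to_domain": domain_of(msg["Reply-To"]),
        "return_path_domain": domain_of(msg["Return-Path"]),
        "date_utc_offset": parsedate_to_datetime(str(date)).strftime("%z") if date else "",
        "hops": parse_received(msg.get_all("Received", [])),
        "x_headers": {k: " ".join(str(v).split()) for k, v in msg.items() if k.lower().startswith("x-")},
        "flags": [],
    }
    flags = report["flags"]
    for field in ("reply_to_domain", "return_path_domain"):
        if report[field] and report[field] != report["from_domain"]:
            flags.append(field.replace("_domain", "_mismatch"))   # reply_to_mismatch, return_path_mismatch
    for i, hop in enumerate(report["hops"]):
        if hop["rdns"] in ("unknown", None):
            flags.append(f"hop{i}_no_rdns")
        earlier = report["hops"][i - 1]["time"] if i else None
        if earlier and hop["time"] and hop["time"] < earlier:
            flags.append(f"hop{i}_time_goes_backwards")          # forged line or badly clocked relay
    return report
```

On the sample, analyze_headers(SAMPLE_EML) reports From as amazon.com but Reply-To on amozon-billing.example and Return-Path on attacker-infra.example, a hop with no reverse DNS at 203.0.113.77, and a Date header claiming +0900 while every Received timestamp is in UTC. Each of those is an IOC for the notebook; the one thing to trust without question is the Received line your own MX wrote, because that is the only hop the attacker could not edit.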

An email can contain an attachment that demands our immediate attention. Because of its significance, static analysis alone might not be sufficient; we need to proceed to dynamic analysis to assess the attachment's safety thoroughly.

SPF (Sender Policy Framework): SPF is a mechanism for checking whether the server that sent an email is authorized to send mail for the domain. The domain owner publishes an SPF record in DNS (a TXT record) listing the IP addresses allowed to send on its behalf. The receiving server looks up the record for the envelope sender domain (the MAIL FROM / Return-Path domain, not the visible From header) and checks whether the connecting IP is listed.

DKIM (DomainKeys Identified Mail): DKIM verifies the integrity and origin of a message. The sending server adds a digital signature (the DKIM-Signature header) over selected headers and the body using the domain's private key; the matching public key is published in DNS. The receiving server verifies the signature, which proves the message was signed by the domain named in the d= tag and was not altered in transit.

DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC builds on SPF and DKIM. It requires that the domain that passed SPF or DKIM aligns with the domain in the visible From header, and it lets the domain owner publish a policy (none, quarantine or reject) telling receivers what to do with mail that fails. DMARC also provides reporting so domain owners can monitor who is sending mail in their name.

These three protocols, when used together, make spoofing a protected domain much harder: SPF verifies sender authorization, DKIM ensures message integrity and origin, and DMARC ties both to the From domain and enforces a policy. Note what a pass does not prove: an attacker who registers a lookalike domain and sets up SPF, DKIM and DMARC for it correctly will pass all three checks, because the checks only confirm that the mail really came from that lookalike domain.

I have seen phishing mail that passed all three of these checks cleanly; we need to look at the whole picture when thinking.
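To make the alignment rule concrete, here is an added example (my own, not from the article) that reads the Authentication-Results header the receiving server wrote and works out, the way DMARC does, whether SPF or DKIM passed for a domain aligned with the From domain. Both messages are constructed: in the first, the attacker spoofs amazon.com in From, so SPF and DKIM pass for the attacker's own infrastructure but nothing aligns and DMARC fails; in the second, the attacker sends from a lookalike domain they control, and everything passes. The org_domain helper is a simplification (last two labels, no public-suffix list) and is labelled as such in the code.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Two constructed messages (not real mail). SPOOFED forges a brand in From; LOOKALIKE is
# sent from a domain the attacker registered and configured properly.
SPOOFED = """\
Authentication-Results: mx.corp.example;
 spf=pass (sender IP is 203.0.113.77) smtp.mailfrom=bulk.attacker-infra.example;
 dkim=pass (signature verified) header.d=attacker-infra.example header.s=k1;
 dmarc=fail (p=reject) header.from=amazon.com
From: "Amazon" <no-reply@amazon.com>
Subject: Payment problem

Body omitted.
"""

LOOKALIKE = """\
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=amozon-billing.example;
 dkim=pass header.d=amozon-billing.example header.s=sel1;
 dmarc=pass (p=none) header.from=amozon-billing.example
From: "Amazon Billing" <billing@amozon-billing.example>
Subject: Payment problem

Body omitted.
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)")

def org_domain(value):
    """Organisational domain used for relaxed alignment: the last two labels.
    Assumption: no public-suffix list, so names like example.co.uk are mishandled."""
    domain = value.lower().rstrip(".").rpartition("@")[2]   # smtp.mailfrom may be a full address
    return ".".join(domain.split(".")[-2:])

def evaluate_auth(raw_eml):
    msg = email.message_from_string(raw_eml, policy=policy.default)
    ar = " ".join(str(msg["Authentication-Results"] or "").split())   # undo folding
    results = dict(RESULT_RE.findall(ar))    # {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'fail'}
    props = dict(PROP_RE.findall(ar))        # {'smtp.mailfrom': ..., 'header.d': ..., 'header.from': ...}
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    report = {"from_domain": from_domain, "dmarc_reported": results.get("dmarc"), "aligned": []}
    for mech, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        domain = props.get(prop, "")
        # A mechanism counts for DMARC only if it passed AND its domain is the From domain (relaxed).
        aligned = results.get(mech) == "pass" and bool(domain) and org_domain(domain) == org_domain(from_domain)
        report[mech] = {"result": results.get(mech), "domain": domain, "aligned": aligned}
        if aligned:
            report["aligned"].append(mech)
    report["dmarc_computed"] = "pass" if report["aligned"] else "fail"
    # A pass proves only that whoever controls from_domain sent the mail; it says nothing about
    # whether from_domain is the brand the message pretends to be.
    report["authenticated_domain"] = from_domain if report["aligned"] else None
    return report
```

The second case is the point of the paragraph above: evaluate_auth(LOOKALIKE) returns a clean DMARC pass and an authenticated_domain of amozon-billing.example, which is all the three checks can tell you. Whether that domain is the brand it pretends to be is a separate question, answered by the lookalike and link checks, not by the authentication results.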

The other tool showed no From information; this one does, so double-checking is always important. Here we uploaded the message as .txt; in the other tool we uploaded it with the .eml extension.

A tool that extracts the hyperlinks hidden in the file when it is uploaded as .txt. Always have a notepad handy and save them.

There are many tools; one of the most basic is VirusTotal.

Static analysis is fast and easy, and we can often reach a conclusion quickly. But some phishing emails are very sophisticated and will not be noticed in static analysis. We can also do dynamic analysis with ANY.RUN. We should collect the hyperlinks, the behavior of the phishing mail and the indicators of compromise, and analyze them. I have shown the basics too. You can easily find similar examples. I leave links with phishing examples for study. Good work, thank you.

1-ANALYZE (all of them do the same job, your choice)
https://app.phishtool.com/ (this is very good)
https://mha.azurewebsites.net/
https://toolbox.googleapps.com/apps/messageheader/analyzeheader
https://mailheader.org

2-EXTRACTING HYPERLINK URLS
https://www.convertcsv.com/url-extractor.htm

3-IP, DOMAIN, HASH...
https://www.hybrid-analysis.com/
https://www.virustotal.com/gui/home/upload

https://www.shodan.io/
https://www.talosintelligence.com/
https://urlscan.io/

4-SANDBOX (we can drop our files and investigate their behavior)
https://any.run/

5-PHISHING EMAIL EXAMPLES

https://github.com/rf-peixoto/phishing_pot

  • All of these sites have a free community version, so you can use these OSINT tools at no cost.
