Beyond the Inbox: Dissecting Phishing Emails for Digital Defense

hackerdevil, published in Nerd For Tech, Jul 9, 2023 (19 min read)

A Comprehensive Guide to Phishing Email Analysis

Target audience: SOC analysts, any IT person interested in identifying phishing emails, or anyone who wants a comprehensive idea of how to analyze an email.

Guide to Phishing: Techniques & Mitigations — Valimail

Note: This is a lengthy article (around 20 minutes to read), since it covers almost everything needed to analyze a phishing email. Feel free to jump to any sub-topic of interest.

The Significance of Current Statistics: Motivation behind this Article

Identifying and analyzing phishing emails is vital because phishing is the most common form of cybercrime. According to this source, approximately 3.4 billion spam emails are sent daily, stolen credentials are a primary cause of data breaches, and major email service providers like Google block around 100 million phishing emails every day. With over 48% of emails sent in 2022 being spam and a significant portion of phishing emails originating from Russia, scrutinizing and reporting suspicious emails becomes crucial. Businesses face substantial risk as well: 83% of UK organizations that suffered cyber-attacks reported phishing as the attack type. By effectively analyzing and mitigating phishing attempts, individuals and organizations can protect themselves and their sensitive data and limit the financial consequences.

Unveiling the Different Forms of Cyber Attacks Linked to Phishing Emails

Before diving into the analysis directly, let’s first briefly go through the common cyber-attacks related to phishing emails.

  1. Phishing: Deceptive emails aiming to trick people into revealing sensitive information by impersonating legitimate sources.
  2. Spear Phishing: Targeted phishing attacks tailored to specific individuals or organizations using personalized information.
  3. Business Email Compromise (BEC): Sophisticated phishing attacks that impersonate high-ranking executives or trusted contacts to deceive employees into divulging confidential information or performing unauthorized transactions.
  4. Ransomware: Malicious software that encrypts files or systems, demanding a ransom for their release. Often delivered through phishing emails.
  5. Malware Distribution: Spreading harmful software, including through phishing emails, to compromise systems, steal data, or gain unauthorized access.

Now let’s dive into the analysis. One more thing before we start header analysis: below I have divided an email address into three parts, which will be useful for understanding what follows.

3 Parts of Email Address

Local Part — This is generally the username or account name. It can contain alphanumeric characters along with underscore (_), period (.) and hyphen (-).

Separator — The @ symbol separates the local part from the domain name.

Domain Name — This is the domain of the email service provider (Gmail, Outlook, Yahoo, etc.) or of the organization associated with the email address (google.com, microsoft.com, facebook.com, etc.). It can also contain subdomains (support.google.com, contact.microsoft.com, social.facebook.com, etc.).

Header Analysis: Uncovering Key Insights in Phishing Email Analysis

Email headers contain vital metadata that plays a pivotal role in analyzing crucial details pertaining to the origin, recipients, and transmission path of an email. From a security perspective, certain headers warrant specific attention due to their significance in identifying potential threats and malicious activities.

Note: You will need to either download the original mail or view the original mail in order to obtain all the headers mentioned below. Refer to this if you are not aware of how to view all the headers.

  1. From: It simply lets us know who the sender of the email is.

> This is the field a user usually looks at when opening an email. The FROM field generally shows either the name of the party we received the mail from or the sender’s email ID. This field can be spoofed by an attacker to make the victim believe that the mail was sent by a legitimate sender.

FROM Field

> As mentioned above, email addresses have a local part and a domain name, and both parts can be spoofed by an attacker to make the victim believe that the mail was sent by a legitimate sender. Spoofing the local part is fairly easy, as it only requires using the name of the legitimate sender. In the above image, the name displayed states that the mail was received from Google; here the mail is legitimate, but this is not always the case, since anyone can manipulate the name displayed in the FROM field. In the image below, the display name is spoofed as Google Admin, but if we look closely at the sender’s email address, we can see that it was sent by some devil user from a normal Gmail account. Google’s official mail will always be sent from the @google.com domain.

Spoofed Username

> Next, spoofing the domain: it is more difficult to spoof the domain than the username. It requires some misconfiguration in the email server or a lack of sender authentication.

> If the email server used by the attacker has security vulnerabilities or misconfigurations, it can allow them to manipulate or forge email headers, including the domain part. Exploiting these weaknesses, attackers can send emails with a spoofed domain, making it appear as if the email originated from a trusted source.

> If SPF and DKIM records are not properly set in the domain’s DNS records, then an attacker can spoof the domain, making the victim believe that the mail was sent by the actual domain owner.

Spoofed Domain

> The above image is the actual POC wherein I was able to send a verification OTP mail to users from a valid domain. Note: the domain was related to one of the websites of a Cybercrime branch, not the actual Cybercrime branch, and I have not shown the actual domain for privacy. One thing to notice here is the “?” symbol shown by Gmail as the sender’s profile picture. Gmail shows that “?” because it wasn’t able to verify the authenticity of the sender’s domain. I was able to send the email from a genuine domain because the domain didn’t have SPF and DKIM records properly configured. Also, it is most likely that Gmail or other email service providers will put these kinds of mails in the Spam folder if the authenticity of the mail is not verified. But actual attackers use sophisticated techniques, so not in all cases will those mails be put into the Spam folder.

So this is how paying close attention to just the FROM header can tell us a lot about the authenticity of a mail. Next we move on to another important header, “Reply-To”.

2. Reply-To: It is the mail ID a sender can specify, to which the recipient’s reply will be sent.

> The “Reply-To” header specifies the email address to which recipients should send their replies. It allows the sender to designate an alternative email address for replies instead of the email address listed in the “From” header. When a recipient clicks the “Reply” button in their email client, the reply is directed to the address specified in the “Reply-To” header. This header provides a convenient way for senders to receive responses at a different email address, such as a customer support or designated contact address.

> This header is not openly visible like the FROM and TO headers, but it is also important to consider while analyzing a mail for phishing. Analyzing the “Reply-To” header provides valuable insight into the tactics employed by attackers in their phishing campaigns. By scrutinizing the email’s header information, security analysts and individuals can identify discrepancies between the apparent sender and the designated reply address. If the “Reply-To” header points to an email address that does not align with the expected sender or deviates from the legitimate organization’s domain, it raises a red flag indicating a potential phishing attempt.

Reply To Header

> Look at the above mail, which appears to have been sent by your college faculty admin; any normal user would trust this. The mail asks you to reply with some sensitive information. Now, if we check the Reply-To header of this mail, we find something interesting.

Reply To Header

> As you can see, the mail ID mentioned in the “Reply-To” field is different from the one in the “From” field. Not just the username but also the domain is different. So if the user John blindly clicks the reply button and replies with the sensitive information that was asked for, the reply will go to hackerdevil@attacker.com and not to faculty_admin@cllg.edu.us.

3. Return-Path: This is the email address to which delivery failure (bounce) notifications will be sent.

> Whenever an email is sent and, for whatever reason, fails to be delivered to the recipient’s inbox, the address mentioned in the “Return-Path” header is used: the delivery failure notification is sent to that address. Taking note of this header during phishing email analysis can be useful, as it can reveal information about the actual sender.

> Phishing attacks often involve email spoofing, where the attacker forges the sender’s email address to appear as if it’s coming from a trusted source. By scrutinizing the “Return-Path” header, analysts can compare it to the purported sender’s address and look for inconsistencies or discrepancies. If the “Return-Path” domain differs significantly from the displayed sender domain or is unrelated to the legitimate organization, it can be a strong indication of email spoofing and phishing activity.

> Examine the sender’s domain and the return path’s domain; any discrepancy can indicate possible phishing. The domains will not always match, but if the return path domain is totally unknown, there could be phishing. Let’s have a look at an email from LinkedIn for better understanding.

Return Path Header

> In the above image, the sender’s domain is linkedin.com and the domain in the return path is bounce.linkedin.com. There are no signs of spoofing here, as bounce.linkedin.com is a subdomain of the same organizational domain. The “!” sign beside Return Path appears because the domains did not match exactly (due to the bounce subdomain), but it is a false positive, as this is a genuine mail from LinkedIn.

Return Path Header

> In the above snapshot, the sender’s domain and the domain in the return path are different (growlancer.co ≠ convertkit.com), so it could be an indicator of a phishing mail, but we cannot conclude that it is 100% phishing, as organizations sometimes use third-party email service providers, in which case the return path domain will differ.

4. Received headers: With these headers we can see information about the servers the mail passed through from sender to receiver.

> When you send an email, it passes through various servers and relays before it reaches the recipient’s inbox. The “Received” headers in an email provide a record of these servers and the path the email took. Each server adds a “Received” header to the email, creating a list of timestamps and server information.

> By analyzing the “Received” headers, we can trace the journey of the email: where it originated, which servers it passed through, and the final server that delivered it. Because each server prepends its own header, the bottom-most “Received” header is the earliest hop and the top-most is the receiving server, so the chain is read from bottom to top. This information helps us trace the email’s route and identify any suspicious or unauthorized servers along the way. The “Received” headers also help with authentication: we can check whether the email went through trusted servers or whether there are signs of tampering or forgery, which helps us detect spoofed emails or unauthorized modifications to the routing information.

Received Headers

> In the above image, all the servers from the sender to the receiver are listed.
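The From, Reply-To, Return-Path and Received checks described above, put into code as an added example (not part of the original article): it parses a constructed message with Python's standard email module, classifies the Reply-To and Return-Path domains against the From domain, and lists the Received hops in transit order. All addresses, hostnames and IPs in the sample are invented.

```python
import email
from email.utils import parseaddr

# Constructed sample message (invented addresses and hosts, not from the article). The
# Reply-To points at a foreign domain, as in the article's faculty-admin example, while the
# Return-Path uses a subdomain of the From domain, as in the LinkedIn "bounce." example.
RAW_MESSAGE = b"""\
Return-Path: <bounce@bounce.cllg.edu.us>
Received: from mx.cllg.edu.us (mx.cllg.edu.us [198.51.100.7])
 by mail.example.net with ESMTPS id abc123;
 Sun, 9 Jul 2023 10:02:15 +0000
Received: from [203.0.113.25] (unknown [203.0.113.25])
 by mx.cllg.edu.us with ESMTP id xyz789;
 Sun, 9 Jul 2023 10:02:10 +0000
From: "Faculty Admin" <faculty_admin@cllg.edu.us>
Reply-To: hackerdevil@attacker.com
To: john@cllg.edu.us
Subject: Urgent: confirm your details

Please reply with your staff ID and date of birth.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or None if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None


def related(domain_a, domain_b):
    """True when one domain is the other or a subdomain of it (bounce.linkedin.com vs
    linkedin.com). Real tooling would use the Public Suffix List; this is a simplification."""
    return (domain_a == domain_b
            or domain_a.endswith("." + domain_b)
            or domain_b.endswith("." + domain_a))


def compare_sender_headers(msg):
    """Classify Reply-To and Return-Path relative to the From domain."""
    from_domain = domain_of(msg["From"])
    findings = {}
    for name in ("Reply-To", "Return-Path"):
        domain = domain_of(msg[name])
        if domain is None:
            findings[name] = "absent"
        elif domain == from_domain:
            findings[name] = "match"
        elif related(domain, from_domain):
            findings[name] = "subdomain"  # usually a false positive, like the LinkedIn case
        else:
            findings[name] = "mismatch"   # replies or bounces go to an unrelated domain
    return findings


def received_hops(msg):
    """Return (from, by) pairs oldest-first. Each relay prepends its own Received header, so
    the last header in the message is the earliest hop. Only headers added by servers you
    trust are reliable; an originating server under attacker control can insert fake hops."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())              # unfold the header
        from_part, _, rest = text.partition(" by ")
        if from_part.startswith("from "):
            from_part = from_part[len("from "):]
        by_part = rest.split(" with ")[0].split(";")[0].strip()
        hops.append((from_part.strip(), by_part))
    return hops


def analyze(raw_bytes):
    msg = email.message_from_bytes(raw_bytes)
    return {"headers": compare_sender_headers(msg), "hops": received_hops(msg)}


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE)
    for header, verdict in report["headers"].items():
        print(f"{header}: {verdict}")
    for i, (src, dst) in enumerate(report["hops"], 1):
        print(f"hop {i}: {src} -> {dst}")
```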

From SPF to DMARC: The Role of Authentication Headers Analysis in Unraveling Phishing Email Techniques

  1. SPF (Sender Policy Framework)

> Sender Policy Framework (SPF) is an important email authentication protocol used in phishing email analysis. It helps us determine the authenticity of the sender’s domain, allowing domain owners to define rules about which servers are authorized to send emails on behalf of their domain. These rules are published as DNS records.

> When we analyze phishing emails, SPF comes into play by helping us verify if the sender’s domain is legitimate. We do this by checking the SPF record associated with the sender’s domain, which tells us which servers are allowed to send emails on behalf of that domain.

Here’s how SPF works in the context of phishing email analysis:

  1. We look up the SPF record: During our analysis, we retrieve the SPF record from the DNS for the sender’s domain. This record contains information about the authorized mail servers for that domain.
  2. We evaluate the SPF policy: We compare the IP address of the server that sent the email with the list of authorized servers specified in the SPF record. If there’s a match, the email passes the SPF check.
  3. We get the SPF result: Based on the evaluation, we determine the SPF result. A “Pass” result means the email came from an authorized server, which adds to its legitimacy. However, if the result is “Fail” or “SoftFail,” it indicates that the email might be forged or sent from an unauthorized server, raising concerns of phishing or fraud.
  4. We check SPF alignment: In addition to the SPF result, we can also verify if the domain used in the “Return-Path” or “Mail-From” field matches the domain used in the “From” field. If there’s a mismatch, it could indicate a possible spoofing attempt.

> By considering SPF in our phishing email analysis, we can assess the credibility of the sender’s domain. SPF provides an extra layer of protection against email spoofing and phishing attacks. When we combine SPF analysis with other techniques, it helps us identify suspicious emails and strengthens our overall assessment of email authenticity and potential risks.
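The four SPF steps above, carried out by an added example (not from the article) against a constructed DNS table so it runs offline. The record contents, IP addresses and domain names are invented, and the checker handles only the ip4, ip6, include and all mechanisms.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (invented records, not live DNS).
FAKE_DNS_TXT = {
    "hackerdevil.com": "v=spf1 ip4:209.85.210.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "spoofed.example": "v=spf1 ip4:192.0.2.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Step 1: fetch the SPF record for the domain (None when there is no valid record)."""
    record = dns.get(domain.lower())
    return record if record and record.startswith("v=spf1") else None


def check_spf(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Steps 2 and 3: evaluate the record against the sending IP and return the SPF result.
    Only ip4, ip6, include and all are handled; a, mx, exists and redirect= are omitted."""
    if depth > 10:                      # RFC 7208 limits DNS-querying terms to 10 per check
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            # membership is False when address families differ, so ip4 terms ignore IPv6 senders
            if sender in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # an include matches only when the included domain's evaluation yields pass
            if check_spf(ip, argument, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                    # record ended without a matching term


def aligned(mailfrom_domain, from_domain):
    """Step 4: relaxed alignment between the MAIL FROM (Return-Path) domain and the
    RFC 5322 From domain; subdomains are accepted (approximating organizational-domain
    matching without the Public Suffix List)."""
    a, b = mailfrom_domain.lower(), from_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def spf_verdict(ip, mailfrom, header_from, dns=FAKE_DNS_TXT):
    """Combine the SPF result and alignment the way a DMARC evaluator uses them."""
    mailfrom_domain = mailfrom.rpartition("@")[2]
    from_domain = header_from.rpartition("@")[2]
    result = check_spf(ip, mailfrom_domain, dns)
    is_aligned = aligned(mailfrom_domain, from_domain)
    return {"spf": result, "aligned": is_aligned,
            "spf_authenticated": result == "pass" and is_aligned}


if __name__ == "__main__":
    print(spf_verdict("209.85.210.43", "attacker@hackerdevil.com", "attacker@hackerdevil.com"))
    print(spf_verdict("203.0.113.5", "verification@spoofed.example", "verification@spoofed.example"))
```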

2. DKIM (DomainKeys Identified Mail)

> Imagine you’re sending a physical letter to someone, and you want to make sure they know it’s really from you and hasn’t been altered along the way. You would sign the letter using your unique signature. DKIM does something similar but in the digital world. When an email is sent using DKIM, the sender’s email server adds a digital signature to the message using a private key. This signature is like your unique handwritten signature on the physical letter. It provides a way for the recipient’s email server to validate the email’s authenticity.

> When the recipient’s email server receives the email, it retrieves the public key associated with the sender’s domain from the DNS (Domain Name System). This public key is the reference for checking the digital signature. The recipient’s email server then uses the public key to verify the digital signature on the email. If the signature verifies and the signed parts of the message have not been altered in transit, the email is genuine and has not been tampered with.

> DKIM helps in phishing email analysis by providing a means to verify the legitimacy of the email’s origin. By checking the digital signature and comparing it with the associated public key, we can determine if the email has been modified or if it actually came from the claimed sender’s domain.
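DKIM's body hash (the bh= tag) can be checked without any key material, so here is an added example (not from the article) that recomputes it with the RFC 6376 simple and relaxed body canonicalizations and compares it with the value in the signature. The message body and the DKIM-Signature value are constructed, and b= is a placeholder, since checking the signature itself needs the domain's public key from DNS.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body):
    """RFC 6376 'simple': CRLF line endings and trailing empty lines collapsed to one CRLF;
    an empty body canonicalizes to a single CRLF."""
    body = body.replace("\r\n", "\n")
    return (body.rstrip("\n") + "\n").replace("\n", "\r\n")


def canonicalize_body_relaxed(body):
    """RFC 6376 'relaxed': runs of spaces/tabs become one space, trailing whitespace on each
    line is dropped, trailing empty lines are removed and every line ends with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


CANONICALIZERS = {"simple": canonicalize_body_simple, "relaxed": canonicalize_body_relaxed}


def parse_dkim_tags(signature_value):
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in signature_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags


def compute_body_hash(body, canon="simple", algo="sha256"):
    data = CANONICALIZERS[canon](body).encode("utf-8")
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def verify_body_hash(signature_value, body):
    """Recompute bh= from the received body and compare it with the signed value. A mismatch
    means the body changed after signing (or signer and verifier disagree on canonicalization)."""
    tags = parse_dkim_tags(signature_value)
    _, _, body_canon = tags.get("c", "simple/simple").partition("/")
    algo = tags.get("a", "rsa-sha256").rsplit("-", 1)[-1]   # sha1 or sha256
    data = CANONICALIZERS[body_canon or "simple"](body)
    if "l" in tags:
        # l= limits how much of the body is covered; anything appended beyond that point is
        # unsigned, which is why verifiers treat a present l= tag as a warning sign
        data = data[:int(tags["l"])]
    digest = hashlib.new(algo, data.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii") == tags.get("bh")


# Constructed sample: invented body, selector and domain borrowed from the article's header
# example, and a placeholder b= (the real signature would come from the signer's private key).
SAMPLE_BODY = "Please reply with your staff ID.\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=hackerdevil.com; s=google2048;\r\n"
    " h=from:to:subject:date; bh=" + compute_body_hash(SAMPLE_BODY, "simple") + ";\r\n"
    " b=PLACEHOLDER"
)

if __name__ == "__main__":
    print("intact body:", verify_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY))
    print("modified body:", verify_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY + "Extra line.\r\n"))
```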

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)

> Imagine you have your own domain, like example.com, and you want to make sure that only legitimate emails from your domain reach recipients. DMARC helps you achieve this by allowing you to set up rules for email receivers to follow when they receive emails claiming to be from your domain.

> With DMARC, you can specify three key actions for the email receiver to take when they encounter an email that claims to come from your domain:

  1. Alignment: DMARC ensures that the “From” header domain matches the domain used in the email’s “Return-Path” or “Mail-From” address. This alignment confirms that the email is genuine and not a spoofed or forged message.
  2. SPF and DKIM Verification: DMARC requires that the email passes either SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) authentication. These are email authentication methods that verify the legitimacy of the sender’s domain. SPF checks if the email was sent from an authorized server, while DKIM verifies the email’s integrity using digital signatures.
  3. Policy Action: DMARC allows you to define a policy for the email receiver to follow if the email fails the alignment or authentication checks. You can choose between three actions: “none” (do nothing), “quarantine” (put the email in the recipient’s spam or quarantine folder), or “reject” (completely reject the email).

> DMARC also provides valuable reporting mechanisms. It enables email receivers to send feedback to domain owners about emails that pass or fail DMARC checks. This reporting helps domain owners gain insights into email activity, identify potential spoofing attempts, and fine-tune their email authentication configurations.

Now let’s understand all three authentication mechanisms using a real-world example:

Authentication-Results: mx.google.com;
dkim=pass header.i=@hackerdevil.com header.s=google2048 header.b=Z8L6tjHb;
spf=pass (google.com: domain of attacker@hackerdevil.com designates 209.85.210.43 as permitted sender) smtp.mailfrom=attacker@hackerdevil.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=hackerdevil.com

> DKIM Result: The “dkim=pass” indicates that the DKIM (DomainKeys Identified Mail) check passed successfully. DKIM is a method that verifies the integrity of the email. In this case, the “header.i” field shows the signing identity, “@hackerdevil.com”, which matches the email’s “From” domain. The “header.s” field indicates that the DKIM signature was generated using the key published under the “google2048” selector. The “header.b” field reports the signature value.

> SPF Result: The “spf=pass” means that the SPF (Sender Policy Framework) check also passed. SPF helps verify if the email comes from an authorized server. The explanation in parentheses provides additional details. It states that the domain “hackerdevil.com” designates the IP address 209.85.210.43 as a permitted sender. This indicates that the email’s source aligns with the SPF policy defined by the domain.

> DMARC Result: The “dmarc=pass” signifies that the DMARC (Domain-based Message Authentication, Reporting, and Conformance) check was successful. DMARC allows domain owners to set policies for email receivers to follow. In this case, “p=REJECT” indicates that the DMARC policy is set to “REJECT” mode, which means that any email failing DMARC checks should be rejected. “sp=REJECT” applies the same reject policy to subdomains of hackerdevil.com. “dis=NONE” indicates the disposition applied to this particular email: no action was required.

Now let’s take another look at that spoofed OTP verification email’s authentication header that we had seen earlier:

Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning verification@******.org does not designate 89.**.1*.29 as permitted sender) smtp.mailfrom=verification@******.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=******.org

> In the above authentication headers, it can be seen that SPF failed (softfail), as the sending IP address is not among those authorized by the domain owner’s SPF record. It indicates that the domain ******.org has been spoofed.

> DMARC has also failed, and per the policy (p=QUARANTINE) the mail should be quarantined.
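As an added example (not from the article), the following parses the two Authentication-Results headers shown above, exactly as written, and turns them into triage flags. It assumes the header was added by your own receiving server (mx.google.com in these examples); an Authentication-Results header carrying any other authserv-id may have been inserted upstream and should not be trusted.

```python
import re

# The two headers from the article, reproduced verbatim (the second is redacted there).
GOOD_AR = """Authentication-Results: mx.google.com;
dkim=pass header.i=@hackerdevil.com header.s=google2048 header.b=Z8L6tjHb;
spf=pass (google.com: domain of attacker@hackerdevil.com designates 209.85.210.43 as permitted sender) smtp.mailfrom=attacker@hackerdevil.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=hackerdevil.com"""

SPOOFED_AR = """Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning verification@******.org does not designate 89.**.1*.29 as permitted sender) smtp.mailfrom=verification@******.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=******.org"""


def split_statements(value):
    """Split on ';' outside parenthesised comments, which may themselves contain ';'."""
    parts, current, depth = [], [], 0
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if ch == ";" and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def parse_authentication_results(header):
    """Return (authserv-id, {method: {"result", "props", "comment", "policy"}})."""
    value = re.sub(r"^Authentication-Results:\s*", "", " ".join(header.split()), flags=re.I)
    statements = split_statements(value)
    authserv_id = statements[0].split()[0]
    results = {}
    for statement in statements[1:]:
        comment = re.search(r"\((.*?)\)", statement)
        pairs = re.findall(r"([\w.]+)=(\S+)", re.sub(r"\([^)]*\)", "", statement))
        if not pairs:
            continue
        method, result = pairs[0]
        entry = {"result": result.lower(), "props": dict(pairs[1:])}
        if comment:
            entry["comment"] = comment.group(1)
            # Gmail reports the sender's DMARC record tags (p=, sp=, dis=) inside the comment
            entry["policy"] = dict(re.findall(r"\b(p|sp|dis)=(\w+)", comment.group(1)))
        results[method.lower()] = entry
    return authserv_id, results


def triage(header, trusted_authserv="mx.google.com"):
    """Derive analyst-facing flags from the parsed results (assumed trusted authserv-id)."""
    authserv_id, results = parse_authentication_results(header)
    flags = []
    if authserv_id != trusted_authserv:
        flags.append(f"authserv-id {authserv_id} is not our receiver; header may be forged")
    spf, dkim, dmarc = (results.get(m, {}) for m in ("spf", "dkim", "dmarc"))
    mailfrom_domain = spf.get("props", {}).get("smtp.mailfrom", "").rpartition("@")[2]
    from_domain = dmarc.get("props", {}).get("header.from", "")
    if spf and spf["result"] != "pass":
        flags.append(f"spf={spf['result']}: sending IP is not authorized for {mailfrom_domain}")
    if not dkim:
        flags.append("no DKIM signature was evaluated")
    elif dkim["result"] != "pass":
        flags.append(f"dkim={dkim['result']}: signature did not verify")
    if dmarc.get("result") == "fail":
        policy = dmarc.get("policy", {}).get("p", "none").lower()
        flags.append(f"dmarc=fail: domain owner policy p={policy}")
    if mailfrom_domain and from_domain and not (
            mailfrom_domain == from_domain or mailfrom_domain.endswith("." + from_domain)):
        flags.append(f"From domain {from_domain} does not align with MAIL FROM {mailfrom_domain}")
    return {"authserv_id": authserv_id,
            "results": {m: r["result"] for m, r in results.items()},
            "flags": flags}


if __name__ == "__main__":
    for label, header in (("legitimate", GOOD_AR), ("spoofed", SPOOFED_AR)):
        print(label, triage(header))
```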

Next, we will look at other parts of an email that play a very important role when analyzing it for phishing.

Uncovering Hidden Dangers: The Significance of URL and Attachment Analysis in Phishing Email Forensics

> URLs in Phishing Emails: Phishing emails often contain deceptive URLs that attempt to trick recipients into visiting malicious websites. These URLs may appear legitimate but actually lead to fraudulent or compromised webpages.

Dear Robert,

We hope this email finds you well. We are writing to inform you about a recent data breach incident that occurred at Amazon. Your security is our utmost priority, and we are taking immediate action to protect your personal information.

As a precautionary measure, we strongly recommend that you change your password for your Amazon account as soon as possible. This will help ensure the security and integrity of your account and prevent any unauthorized access.

You can additionally check here if your account was a part of the breach: https://tinyurl.com/yc7m8rdf

To change your password, please follow these simple steps:

1. Visit our website at https://arnazon.com/user/account/forget_password.php
2. Click on the "Login" button located at the top right corner of the page.
3. Select the "Forgot Password" option.
4. Enter your registered email address associated with your account.
5. Check your email for further instructions and follow the provided link to reset your password.
6. Choose a strong and unique password that includes a combination of letters, numbers, and special characters.
7. Save your new password in a secure place and avoid sharing it with anyone.

We apologize for any inconvenience caused and assure you that we are implementing additional security measures to prevent future incidents. If you have any questions or require further assistance, please do not hesitate to contact our customer support team at support@arnazon.com.

Your trust and satisfaction are of utmost importance to us, and we appreciate your prompt attention to this matter. Thank you for being a valued customer of Amazon.

Best regards,
Devil
Security Analyst
Amazon

Here’s how it works:

  1. Masking Legitimate URLs: Phishers may disguise a malicious URL by making it look similar to a trusted website. For example, as shown above, they might replace a letter or use a different top-level domain (e.g., substituting “rn” for “m” in “amazon” to create “arnazon.com”). These slight variations can go unnoticed by hurried or unsuspecting recipients.
  2. Redirecting to Phishing Sites: Phishers may use URL redirection techniques to send users to fraudulent websites. They typically send emails with embedded hyperlinks or shortened URLs that redirect users to a different URL than the one displayed in the email, as in the above example (a TinyURL link is used to hide the real URL). The displayed URL might appear legitimate, such as a bank’s website, but the redirection takes users to a fake login page where their credentials are captured.
  3. Hidden URLs: Phishing emails may hide the actual URL behind a text link, as shown in the image below. For example, a hyperlink labeled “Click here to reset your password” may lead to a malicious website instead of the expected password reset page. Hovering over the link (without clicking) can reveal the actual URL, allowing users to detect discrepancies.
Hidden URLs
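An added example (not from the article) that applies the three URL tricks above to a constructed HTML snippet modelled on the sample email: it extracts every link, flags URL shorteners, spots look-alike domains such as arnazon.com, and compares the text a user sees with the real href. The brand and shortener lists are small placeholders, and the "registrable label" logic is a simplification that a real tool would replace with the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Small placeholder lists; a real deployment would use a fuller brand list and shortener feed.
BRANDS = ["amazon", "paypal", "microsoft", "google", "linkedin"]
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "is.gd"}
# Character runs that look alike in many fonts; "rn" -> "m" turns arnazon into amazon.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

# Constructed HTML modelled on the sample email above (the first two hrefs are the article's).
SAMPLE_HTML = """
<p>Visit our website at <a href="https://arnazon.com/user/account/forget_password.php">https://amazon.com/account</a></p>
<p>Check if you were affected: <a href="https://tinyurl.com/yc7m8rdf">Click here</a></p>
<p>Questions? See the <a href="https://www.amazon.com/gp/help">Help pages</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats (amazom, goggle)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(label):
    """Replace confusable runs so that visually similar labels compare equal."""
    for run, lookalike in CONFUSABLES.items():
        label = label.replace(run, lookalike)
    return label


def registrable_label(host):
    """Second-level label ('arnazon' from 'www.arnazon.com'); simplification of the PSL."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def impersonated_brand(host):
    """Brand the host imitates via confusable characters or a one-edit typo, else None."""
    label = registrable_label(host)
    for brand in BRANDS:
        if label != brand and (skeleton(label) == brand or levenshtein(label, brand) == 1):
            return brand
    return None


def analyze_link(href, text=""):
    host = urlparse(href).hostname or ""
    flags = []
    if host in SHORTENERS:
        flags.append("URL shortener hides the final destination")
    brand = impersonated_brand(host)
    if brand:
        flags.append(f"{host} is a look-alike of {brand}")
    shown = re.search(r"https?://[^\s<>\"']+", text)      # URL the recipient sees as link text
    if shown and (urlparse(shown.group(0)).hostname or "") != host:
        flags.append("displayed URL differs from the real link target")
    return {"href": href, "text": text, "host": host, "flags": flags}


def analyze_html(html):
    extractor = LinkExtractor()
    extractor.feed(html)
    return [analyze_link(href, text) for href, text in extractor.links]
```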

> Attachments in Phishing Emails: Attachments in phishing emails can be used to deliver malicious payloads or deceive recipients into opening harmful files. Here’s how attackers exploit attachments:

  1. Malicious File Attachments: Phishers may attach files that contain malware, such as ransomware, keyloggers, or viruses. These files often masquerade as harmless documents (e.g., PDF, Word, or Excel files) or executable files (.exe). When opened, the malware is executed, compromising the recipient’s system.
  2. Infected Documents: Phishing emails may include documents with embedded macros or scripts. When the user opens the document and enables macros or executes the script, it can trigger the download and execution of malware onto the victim’s device.
  3. Fake Invoices or Forms: Phishers may send emails with attachments that mimic legitimate invoices, forms, or official documents. These attachments may prompt recipients to enter sensitive information, such as login credentials, credit card details, or personal data. By deceiving users into providing this information, attackers can carry out identity theft or financial fraud.

> Whenever we receive a URL or an attachment that seems suspicious, we can check its reputation using various online tools. One such tool is VirusTotal, which can assist us in checking the reputation of URLs, domains, IPs and files.

Checking Domain Reputation on VirusTotal

> In the above image, the domain’s reputation was flagged as malicious on VirusTotal by 13 of 88 vendors. Likewise, we can check the files received as attachments, the IP of the sender’s mail server, and the sender’s domain. Checking the reputation of all of these helps us further classify the email as phishing, spam or clean. Note that uploading a file shares it with all participating vendors, so look up its hash first if the attachment may contain sensitive data.

> So this is how we can check any domains, IPs, URLs or attachments received in an email during analysis. Next, we will look at content analysis.

Unveiling the Clues: Leveraging Content Analysis for Deeper Phishing Email Analysis

> Content analysis plays a crucial role in the analysis of phishing emails. It involves examining the actual content, including the text and visual elements, to identify patterns, indicators, and characteristics that can help determine the authenticity and intention of the email. In essence, it’s like reading between the lines to uncover hidden clues and deceptive tactics employed by attackers. Here’s how it works:

Language and Tone: One aspect of content analysis is assessing the language and tone used in the email. Phishing emails often employ urgency, fear, or enticing offers to manipulate recipients. They may use alarming statements like “Your account has been compromised” or create a sense of urgency with messages like “Act now or lose access to your account.” By examining the language and tone, analysts can identify these manipulative techniques.

Grammatical and Spelling Errors: Phishing emails commonly contain grammatical or spelling mistakes. While not always present, these errors can be an indication of an unprofessional or hastily composed email. Attackers may not invest the same level of attention to detail as legitimate organizations, so identifying such errors can raise suspicions and warrant further investigation.

Branding and Visual Elements: Content analysis also involves scrutinizing the visual elements and branding within the email. Legitimate organizations typically maintain consistent branding and design across their communications. In contrast, phishing emails may have distorted logos, poor quality images, or inconsistent visual styles. By analyzing these elements, one can spot visual inconsistencies that hint at a fraudulent attempt.

Request for Sensitive Information: Phishing emails often request personal or sensitive information. Content analysis involves examining the email for any such requests, such as asking for passwords, credit card details, or Social Security numbers. Legitimate organizations rarely ask for such information via email, so encountering such requests should raise suspicion.

Links and Call-to-Action Buttons: Analysts scrutinize the links and call-to-action buttons within the email. Phishing emails may include URLs that lead to fake websites or malicious pages designed to steal information. Content analysis involves verifying the legitimacy of these links by hovering over them (without clicking) to reveal the actual web address. Additionally, suspicious or misleading button labels, like “Update Now” or “Click Here,” are carefully examined for signs of deception.

Email Footer and Signature Analysis: Examining the email footer and signature can provide valuable insights. Legitimate emails typically include professional and consistent contact information, such as the sender’s name, company, address, and official contact details. In contrast, phishing emails may have missing or mismatched information.

Time and Context Analysis: Analyzing the timing and context of the email can provide important clues. Phishing emails may coincide with significant events or trends, such as holiday seasons or major news events. Understanding the context and timing can help in assessing the likelihood of the email being a phishing attempt.

> By conducting content analysis, individuals can spot patterns, discrepancies, and red flags within the email’s content, which can help identify potential phishing attempts. It’s important to stay vigilant and apply critical thinking when assessing the content of emails. If something seems suspicious or too good to be true, it’s advisable to verify the authenticity of the email through alternative means, such as contacting the supposed sender directly using official contact information.

Conclusion

Remember, vigilance is key. Phishing email analysis is a critical skillset in today’s cybersecurity landscape. By understanding the techniques, indicators, and methodologies involved, individuals and organizations can strengthen their defenses against phishing attacks. Through the examination of email headers, authentication mechanisms, content, URLs, attachments, and social engineering tactics, we gain valuable insights into the intricate workings of phishing emails.

I have made every effort to comprehensively address the key aspects necessary for analyzing phishing emails, incorporating practical real-world examples wherever possible.

Stay safe, stay informed, and keep coming back for more empowering insights.

Thank You for reading. Knowledge is power, so keep gaining! 😈
