Securing the Inbox

A Comprehensive Methodology for Email Threat Detection and Classification

By Lazaro Rivera (Guest Author)

Slight Introduction and the Task at Hand!

Over the last few months I've had the opportunity to review hundreds of suspected phishing e-mails. Drawing on my 10 years of IT experience, I've come up with my own checklist method for investigating them. In this article we will put that checklist to the test by investigating a suspected phishing e-mail from my Gmail account. All investigation activities are designed to minimize the risk of damaging your host computer: we will use virtual sandboxes and indirect resources (reputation lookups rather than visiting the site ourselves) to the greatest extent possible. Even with these precautions, I strongly recommend you investigate from a virtual machine. The checklist we will be using is as follows:

I look forward to taking you on this journey of discovery and understanding!

What Are Phishing Emails?

Phishing emails are a type of social engineering attack in which the threat actor sends emails that look like they come from a legitimate source in order to get the target to perform a specific action. The impersonated source could be a bank, a social media platform, the post office, a streaming service and so forth. The threat actor's goal could be any of many things, including (but not limited to) stealing your usernames and passwords or credit card information, or installing malware on your system. The threat actor wants you to click on the links without thinking, triggering the event that achieves their goal. With the arrival of large language models, more and more phishing emails look like they come from legitimate sources when they do not: the spelling mistakes and clumsy grammar that used to give them away are disappearing. Unfortunately many people fall victim to these attacks if they are not careful when reviewing their email.

What to Look For When Looking at Emails:

This email looks to be a "legit" email from a crypto wallet provider, right? But we can't classify it yet, as spam or otherwise: we still need to take a look at the sender's information and hover over the Update Now button and the other link within the email body.

What do you notice here? I'm looking at the sender's details from my Gmail account on my host, as I saw some more interesting details regarding the sender. One of the first things that stands out is in the e-mail header: next to @news[.]ledger[.]com is a 'via plala[.]or[.]jp', which to me seems rather suspicious. Gmail adds a 'via' tag when the message was sent through a domain other than the one in the From: address and the From: domain did not itself authenticate it. The other two things that stood out were the mailed-by and signed-by fields; neither matches the sender's domain, the one the message was supposedly sent from.

Hover your mouse over the e-mail: are there any links? Where are they going? Is a link going to a suspicious domain that is not the sender's domain? From this point forward, I exported the e-mail and transferred it to my Ubuntu virtual machine. If we hover over Update Now, we see a suspicious URL that does not match ledger[.]com, as indicated by the blue arrow.

If we take a look at the other link embedded in the body, we see that it points to a completely different domain altogether, matching neither the sender domain nor the "Update Now" URL.

Based on the above behavior, I believe there is more than enough evidence to merit further investigation.
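The sender and link checks above (From: versus the 'via', mailed-by and signed-by domains, and every link's destination compared with the From: domain) can be done offline from the exported .eml rather than by hovering in the mail client. The following script is an added example written for this article and is not the author's tooling; the sample message, its domains and IP addresses are constructed, and the "last two labels" domain heuristic is a simplification of what real tools do with the Public Suffix List.

```python
"""Triage the sender and link indicators of a suspected phishing e-mail."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Constructed sample message for this example (not the article's e-mail).
# Every domain is an assumption, chosen so that From, Sender ("via"),
# Return-Path (mailed-by) and DKIM d= (signed-by) disagree, and so that the
# "Update Now" link points somewhere other than the From: domain.
SAMPLE_EML = """\
Return-Path: <bounce@mail.example-relay.net>
Received: from mx.example-relay.net (mx.example-relay.net [203.0.113.10])
  by mx.google.example with ESMTPS id abc123; Mon, 01 Jan 2024 10:00:05 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=example-relay.net; s=sel1; h=from:to:subject; bh=Zm9v; b=YmFy
From: "Wallet Support" <news@wallet.example>
Sender: newsletter@example-relay.net
To: victim@gmail.example
Subject: Action required: update your wallet
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="https://update-wallet.example-bad.top/login">Update Now</a>.</p>
<p>Or read the <a href="https://docs.wallet.example/guide">guide</a>.</p>
<p><a href="http://tracking.other-domain.example/click?id=1">unsubscribe</a></p>
</body></html>
"""


def parse_eml(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message, e.g. Gmail's 'Download message' output."""
    return email.message_from_string(raw, policy=policy.default)


def domain_of(header_value) -> Optional[str]:
    """Lower-cased domain part of an address header, or None if absent."""
    if not header_value:
        return None
    addr = parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def registrable(domain: str) -> str:
    """Crude organizational-domain heuristic (last two labels); real tooling
    should use the Public Suffix List so that e.g. example.co.uk works."""
    return ".".join(domain.lower().split(".")[-2:])


def dkim_domain(msg: EmailMessage) -> Optional[str]:
    """The d= tag of the DKIM-Signature header (what Gmail shows as signed-by)."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
    return m.group(1).lower() if m else None


class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs: what you would see by hovering."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(msg: EmailMessage) -> list:
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    return collector.links


def defang(url: str) -> str:
    """Make a URL non-clickable before pasting it into a ticket or report."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def triage(raw: str) -> dict:
    """Report the sender identities and every link, flagging off-domain ones."""
    msg = parse_eml(raw)
    from_dom = domain_of(msg.get("From"))
    report = {
        "from": from_dom,
        "via": domain_of(msg.get("Sender")),             # roughly Gmail's 'via' domain
        "mailed_by": domain_of(msg.get("Return-Path")),  # envelope sender
        "signed_by": dkim_domain(msg),
        "mismatches": [],
        "links": [],
    }
    for label in ("via", "mailed_by", "signed_by"):
        dom = report[label]
        if dom and from_dom and registrable(dom) != registrable(from_dom):
            report["mismatches"].append(label)
    for text, href in extract_links(msg):
        host = (urlparse(href).hostname or "").lower()
        off_domain = bool(host and from_dom) and registrable(host) != registrable(from_dom)
        report["links"].append({"text": text, "url": defang(href), "host": host, "off_domain": off_domain})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Run it against a real export and the `mismatches` list tells you at a glance which of the three sender identities disagree with the From: domain, while `links` gives you every destination already defanged for the case notes. A link on the From: domain (like the "guide" link here) is not proof of safety; it just means it is not one of the suspicious ones.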

How to Analyze a Phishing E-mail

Now that we have looked at the email and know something is suspicious about it, we will run the URLs through different tools to see whether the links are actually malicious. Before we begin, please do not navigate to any suspicious URL inside your virtual machine either: a VM on NAT or bridged networking still sends its traffic out through your host's network connection, so you are still touching the attacker's infrastructure from your own IP address. I know this because I was testing to see if navigating to a suspicious URL in my VM would trigger an outbound connection, and I was right: Malwarebytes picked up on it and blocked the connection.

This is why the next step on my checklist is so important: by using a sandboxed environment we can safely detonate the email without any fear of compromising our own systems.

Think of a sandbox as an isolated system: either one not connected to your network at all, or one hosted in the cloud by a detonation service (be aware of your user agreements before building or using such environments). Within the sandbox we can safely browse to the URL and see what we would find. Things I have seen include fake Microsoft login pages, fake subscription renewal pages, and other sites impersonating legitimate businesses.

VirusTotal

The first tool I normally use after analyzing the URL in a sandbox is VirusTotal. It's honestly great and has many more features than I have fully explored yet. Let's copy the first link we saw embedded in the email and see what VirusTotal reports for the domain. As we can see from the screenshot below, the results came back clean.

If we take a look at the domain from the "Update Now" button, we see that it's flagged as malicious by 10 security vendors.

I definitely recommend signing up for a VirusTotal account if you are able to. Just because VirusTotal says one of the links is malicious, we can't say we're done here. And what if VirusTotal had said it was clean: could we trust that verdict? A clean result only means no vendor has flagged it yet, which is common for freshly registered phishing domains, so it is never proof on its own.

Cisco Talos

Another tool we can use is Cisco Talos's Reputation Center to look up the domain and see its web reputation. In this case Talos rates the domain as Untrusted. Sometimes we see more information in the other sections when looking up domains, and I definitely recommend exploring Talos a bit more: you can do file reputation lookups and get email and spam data as well. The more evidence you have for your case, the better, in my book!

urlscan.io

Another tool we can use is urlscan.io to analyze the URL and see what verdict it gives. After the scan of the URL finishes, we see that it does not classify the target as either malicious or benign.

Even though we did not get a clear verdict, we know by this point that the URL behind the Update Now button is not safe. Some other useful things from urlscan.io: we can see when the domain was created, where it is registered, which IP address served the page, and a screenshot of the page without ever visiting it ourselves. We can also grab that IP address and look it up in VirusTotal if we have not done so already.

Whois

Another useful tool is Whois. There are multiple Whois sites to be found on Google; the one I normally use is whois[.]domaintools[.]com. Below is the Whois information. One thing we want to look at is the dates: threat actors often register domains less than 30 days before using them, so a very recent creation date tells us the domain can't be trusted and is most likely malicious. Whois also gives us the registrar's and hosting provider's abuse contacts, which we can use to report the site. On a side note, having a screenshot of the VirusTotal result is good to send along, as they usually ask for some type of evidence.

MXToolbox

One of the last tools I've recently started using in my investigations is MXToolbox, an online platform that offers a suite of tools to manage email infrastructure and diagnose email-related issues. The module I use most during email investigations is Analyze Headers. We can paste the message headers from our email into MXToolbox, and once the analysis is done a few things stick out, such as the 6s delay under relay information and the checks marked in red.

What are DMARC, SPF & DKIM?

  • Domain-based Message Authentication, Reporting and Conformance (DMARC) is a policy framework built on top of SPF and DKIM: the owner of the From: domain publishes a DNS record saying what a receiver should do with a message that passes neither check for that domain (deliver, quarantine or reject) and where to send aggregate reports. The key detail is alignment: an SPF or DKIM pass only counts for DMARC if the domain that passed matches the From: domain.

  • Sender Policy Framework (SPF) authenticates the envelope sender (the Return-Path, which Gmail shows as mailed-by) by checking the connecting server's IP address against the list of authorized sending IP addresses the domain publishes in DNS.

  • DomainKeys Identified Mail (DKIM) validates the authenticity of an email by adding a digital signature over selected headers and the body; the receiver fetches the signing domain's public key from DNS to verify it. The signing domain (the d= tag, which Gmail shows as signed-by) need not be the From: domain, which is exactly why DMARC checks alignment.

Read more about these mechanisms here. With all three checks failing (shown in red in the MXToolbox output), we have additional evidence to classify this e-mail as malicious. Note that SPF and DKIM can both show a pass and DMARC still fail: that happens when the passes belong to the relaying domain rather than the From: domain, which is the pattern a 'via' sender with mismatched mailed-by and signed-by fields produces.
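What MXToolbox's Analyze Headers shows (the per-hop relay delays and the SPF/DKIM/DMARC verdicts) can be reproduced from the raw headers, and doing it by hand makes the alignment rule concrete. The script below is an added example written for this article, not the author's or MXToolbox's code; the header block is constructed (RFC 5737 and documentation addresses, made-up hostnames and domains), and the Authentication-Results line was chosen to show the subtle case where SPF and DKIM both pass for the relay's domain yet DMARC fails because neither aligns with the From: domain.

```python
"""Relay-hop delays and DMARC alignment from raw e-mail headers."""
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from typing import Optional

# Constructed headers for this example (not from the article's message).
# Hostnames, IPs and domains are assumptions. Received headers are read
# bottom-up: each MTA prepends its own, so the last one is the first hop.
SAMPLE_HEADERS = """\
Received: from mx.google.example ([2001:db8::1]) by inbox.google.example with ESMTPS id q7; Mon, 01 Jan 2024 10:00:11 +0000
Received: from mail.relay.example (mail.relay.example [203.0.113.10]) by mx.google.example with ESMTPS id k1; Mon, 01 Jan 2024 10:00:05 +0000
Received: from localhost (unknown [198.51.100.7]) by mail.relay.example with ESMTPA id 9x; Mon, 01 Jan 2024 09:59:59 +0000
Authentication-Results: mx.google.example; dkim=pass header.i=@relay.example; spf=pass smtp.mailfrom=bounce@relay.example; dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=wallet.example
From: "Wallet Support" <news@wallet.example>
Subject: Action required

(body omitted)
"""

RECEIVED_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.S)


def relay_hops(msg) -> list:
    """Walk the Received chain oldest-first and compute the delay at each hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        stamp = parsedate_to_datetime(str(value).rsplit(";", 1)[-1].strip())
        hops.append({"from": m.group("src") if m else "?",
                     "by": m.group("dst") if m else "?",
                     "time": stamp, "delay_s": 0.0})
    for prev, cur in zip(hops, hops[1:]):
        cur["delay_s"] = (cur["time"] - prev["time"]).total_seconds()
    return hops


def auth_results(msg) -> dict:
    """Pull the SPF, DKIM and DMARC verdicts, and the domains each applies to,
    out of the receiving server's Authentication-Results header (RFC 8601)."""
    value = str(msg.get("Authentication-Results", ""))

    def grab(pattern: str) -> Optional[str]:
        m = re.search(pattern, value)
        return m.group(1).lower() if m else None

    mailfrom = grab(r"smtp\.mailfrom=([^;\s]+)")
    return {
        "spf": grab(r"\bspf=(\w+)"),
        "spf_domain": mailfrom.rsplit("@", 1)[-1] if mailfrom else None,
        "dkim": grab(r"\bdkim=(\w+)"),
        "dkim_domain": grab(r"header\.[di]=@?([^;\s]+)"),
        "dmarc": grab(r"\bdmarc=(\w+)"),
        "from_domain": grab(r"header\.from=([^;\s]+)"),
    }


def organizational(domain: str) -> str:
    """Crude organizational-domain heuristic (last two labels); real DMARC
    evaluators use the Public Suffix List so co.uk-style suffixes work."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_alignment(from_domain: str, auth: dict, mode: str = "relaxed") -> dict:
    """DMARC passes only if SPF or DKIM passed AND the domain that passed
    aligns with the From: domain: exact match in strict mode, same
    organizational domain in relaxed mode. A relay that signs with its own
    domain therefore does nothing for a spoofed From: address."""
    def aligned(domain: Optional[str]) -> bool:
        if not domain:
            return False
        if mode == "strict":
            return domain.lower() == from_domain.lower()
        return organizational(domain) == organizational(from_domain)

    spf_ok = auth.get("spf") == "pass" and aligned(auth.get("spf_domain"))
    dkim_ok = auth.get("dkim") == "pass" and aligned(auth.get("dkim_domain"))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


def analyze_headers(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    auth = auth_results(msg)
    return {"from_domain": from_domain, "hops": relay_hops(msg),
            "auth": auth, "alignment": dmarc_alignment(from_domain, auth)}


if __name__ == "__main__":
    result = analyze_headers(SAMPLE_HEADERS)
    for hop in result["hops"]:
        print(f"{hop['from']:>24} -> {hop['by']:<24} +{hop['delay_s']:.0f}s")
    print(result["auth"])
    print(result["alignment"])
```

Two caveats a practitioner should keep in mind: Received headers below the first one added by your own mail provider are written by whoever handled the message before, so an attacker can forge them and the timestamps on them; and the Authentication-Results header is only trustworthy if it was added by your receiving server (the authserv-id at the start of the line), since a sender can simply include a fake one.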

Final thoughts & conclusion!

The last steps on this checklist, which I can't demonstrate here because they depend on the tools we use at work, go roughly like this: after analyzing the URL with the tools just shared, I check whether the same message was sent to other users in the environment. If more users received the message and it wasn't quarantined, we quarantine those messages to remove them from the users' inboxes. After that we block the malicious domain to prevent any user from browsing to it. Throughout the investigation I take screenshots of each tool's verdict and put my case together, explaining what I did and what each tool reported.

Overall you want to provide as much evidence as possible to support why the email cannot be trusted and what its intention is; as we saw with this one from my Spam folder, it turned out to be malicious based on our analysis of the URL alone. I hope you enjoyed this article and learned something new along the way.


Lazaro Rivera (Laz) is a self-taught professional with over 10 years of experience in Information Technology prior to entering the Cybersecurity field earlier this year. His current position is as a Cybersecurity Analyst, a part of his company's DFIR team. In his heart, Laz is a purple teamer with a passion for all aspects of cybersecurity! He brings to the profession a curious mind. Laz is dedicated to learning something new every day and sharing that information with others. At home, Laz is a husband, a father of two boys, a gamer and an overall nerd. He enjoys going on hikes and taking in the beautiful scenery that nature has to offer.

He can be reached at https://www.linkedin.com/in/lazaro-rivera/ or lazarusjrivera@gmail.com

Github: https://github.com/ShamanLaz
