Analysing Phishing Emails with Manual Approach
In this post we cover how to collect the artifacts that help identify a malicious email in a corporate environment. Let's start with an introduction.
Introduction
Millions of phishing emails are constantly sent to users and organizations in an attempt to cause damage, such as stealing credentials, installing malware like ransomware, or stealing sensitive information. That’s why it’s crucial for both organizations and users to be able to identify and understand phishing emails. The objective of this project is to explore techniques for analyzing phishing emails.
Email Artifacts
Email artifacts are essential components of digital evidence that can be pivotal in investigating suspicious emails. These artifacts include:
- Sending Email Address
- Subject Line
- Recipient Email Addresses
- Sending Server IP & Reverse DNS
- Reply-To Address
- Date & Time
- File hashes
- File Extension verification
Manual Analysis
To begin, we will start with a manual analysis to collect the essential artifacts to aid in our investigation.
Phishing emails often employ social engineering tactics to manipulate users. These emails typically evoke a sense of urgency, fear, or curiosity. In this instance, the aim is to create a sense of urgency. By exploiting the desire for rewards or recognition, phishing attackers seek to manipulate recipients into clicking on malicious links, providing personal information, or taking other actions that compromise their security. Phrases like “Open Immediately!” add to this sense of urgency, further compelling the recipient to react based on emotions rather than logic.
Examining the image above closely, we can see that the sender address has been crafted to resemble the legitimate T-Mobile address. The look-alike domain reads "tmoobille" instead of "t-mobile". While the difference may look obvious here, unsuspecting recipients often do not pay close attention to such details, especially when they are rushed or distracted; they overlook the subtle difference in the domain name and fall victim to the phishing attempt.
The body of the email does a relatively good job of appearing legitimate, particularly with the inclusion of “T-Mobile” at the top, which adds authenticity. However, the contents of the email are somewhat confusing as they lack specificity regarding the reward; instead, it simply mentions “T-MOBILE.”
Text Editor Extraction
From the rendered email we can read the sender (From), recipient (To), subject and body. Downloading the message as a .eml file and opening it in a text editor exposes the full headers, which add data such as the sending server's IP address and any Reply-To address.
From the above image, you can see the spoofing in action. The address in the Reply-To header is where responses will actually go, even though a different address is displayed as the sender. (In-Reply-To is a different header: it carries the Message-ID of the message being answered and does not redirect replies.) A Reply-To pointing at a domain unrelated to the sender is a common tactic to keep the victim corresponding with the attacker while believing they are talking to the legitimate sender.
The X-Sender-IP header gives the IP address of the sending server. Two lookups help here: reverse DNS (the PTR record) tells us which hostname the IP is registered under, and WHOIS tells us who owns the address block. We used whois.domaintools.com, which shows both. From the screenshot below, the reverse DNS indicates the host is a Microsoft sending server. Keep in mind that a Microsoft PTR only means the message left through shared Microsoft mail infrastructure used by many customers, so the IP on its own does not identify the actor; the sender domain and Reply-To are the more useful pivots.
From the domain's DNS and WHOIS information, the email domain appears to use a service from a company based in Germany, which suggests that the domain registration or hosting is handled by a German provider.
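The header extraction described above can be scripted rather than read off by eye. The following is an added example, not code from the original post: it parses a raw .eml with Python's standard email package, pulls out the artifacts listed earlier, flags a Reply-To domain that differs from the From domain, and extracts and defangs the URLs in the body. The message is a constructed sample modelled on the artifacts in this post; the Received line, the Reply-To local part, the Date and the link target are assumptions, not values from the real email.

```python
"""Added example (not from the original post): extract header artifacts from a .eml.

SAMPLE_EML is a constructed message modelled on the post's artifacts; the
Received hop, Reply-To local part, Date and link target are assumptions.
"""
import re
import socket
from email import message_from_bytes, policy
from email.utils import parseaddr

SAMPLE_EML = b"""\
Received: from outbound.example.net (outbound.example.net [89.144.20.218])
From: "T-Mobile" <noreply@tmoobille.com>
To: victim@example.com
Reply-To: <reply@oxudjle.qmtldrlzksmwlllpmbjnf.us.com>
Subject: You Are Our February Winner ! Open Immediately!
Date: Thu, 01 Feb 2024 10:00:00 +0000
X-Sender-IP: 89.144.20.218
Content-Type: text/html; charset="utf-8"

<html><body><h1>T-Mobile</h1>
<p>Congratulations! <a href="https://click.example.net/confirm?id=c0a7683d">Confirm Here</a></p>
</body></html>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL = re.compile(r"""https?://[^\s"'<>]+""")


def domain_of(header) -> str:
    """Lower-cased domain part of an address header ('' if the header is absent)."""
    _, addr = parseaddr(str(header or ""))
    return addr.rpartition("@")[2].lower()


def sender_ip(msg):
    """Prefer X-Sender-IP; otherwise take the first IPv4 in the topmost Received hop."""
    if msg["X-Sender-IP"]:
        return str(msg["X-Sender-IP"]).strip()
    for hop in msg.get_all("Received") or []:
        m = IPV4.search(str(hop))
        if m:
            return m.group(1)
    return None


def reverse_dns(ip: str):
    """PTR lookup for the sending IP. Needs network; returns None offline or if no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def defang(url: str) -> str:
    """Neutralise a URL for reports (hxxp://, [.]) so it cannot be clicked by accident."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_urls(msg):
    """All http(s) URLs in the preferred (HTML, else plain) body part, de-duplicated."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return sorted(set(URL.findall(text)))


def collect_artifacts(raw: bytes) -> dict:
    """Parse a raw .eml and return the artifacts used in this investigation."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    return {
        "from": parseaddr(str(msg["From"] or ""))[1],
        "to": str(msg["To"] or ""),
        "subject": str(msg["Subject"] or ""),
        "date": str(msg["Date"] or ""),
        "reply_to": parseaddr(str(msg["Reply-To"] or ""))[1],
        "sender_ip": sender_ip(msg),
        "urls": [defang(u) for u in extract_urls(msg)],
        # Replies going to a different domain than the displayed sender is a
        # classic phishing tell; flag it rather than relying on eyeballing.
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
    }


if __name__ == "__main__":
    for key, value in collect_artifacts(SAMPLE_EML).items():
        print(f"{key:>18}: {value}")
```

The `reverse_dns` helper is deliberately separate from the offline parsing so that the rest of the script works on an air-gapped analysis box; run it (or the WHOIS lookup) only from a machine where outbound DNS to the investigated IP is acceptable.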
Let’s turn our focus to the “Confirm Here” link in the email.
Tools Used:
- Virus Total
- urlscan.io
- WannaBrowser
A VirusTotal scan of the URL returned no detections from any vendor. That is not a guarantee of safety: a freshly registered phishing link often has no detections yet, and the absence of a detection does not equate to the absence of a threat.
With the help of urlscan, we can see that the link redirects the user to “hxxps://packetlander.com/0/0/0/c0a7683dbaaca26393a0b61be8f652b4”.
To expand on this, we can use Wannabrowser to get the header and body details.
Based on the content of the body, it seems that the script is designed to enforce a redirect and prevent any manipulation of the opener window by a new window or tab.
Collected Artifacts
Sending Email Address: noreply@tmoobille.com
Subject Line: You Are Our February Winner ! Open Immediately!
Sending Server IP & Reverse DNS: 89.144.20.218 (reverse DNS resolves to a Microsoft sending server, per the lookup above)
Reply-To Address: @oxudjle.qmtldrlzksmwlllpmbjnf.us.com
Date & Time: 02-01-2024
PhishTool Analysis
To automate the process, PhishTool is a valuable phishing analysis tool that runs WHOIS checks and VirusTotal scans, retrieves file names and hashes, and collects URLs.
PhishTool simplifies and expedites the process by providing all the essential artifacts in a matter of seconds. From the originating IP, you can navigate to the far right of the page to find three dots. Clicking on them will bring up a dropdown menu that includes “Investigate.” From there, you can select “IPWHOIS lookup” to conduct a search and gather more information about the IP address. As demonstrated in the image below.
PhishTool also provides an image of the email body and allows for further analysis by examining the HTML or source.
And for client-based information, it generates a list of all X-headers found and includes a search function for convenient navigation.
To view the URLs found in the email, you can open “Message URLs”. A useful feature is that under the VirusTotal section, you can configure it to be linked with your VirusTotal account to run scans.
File hashes
We also have to check whether the mail carries any file attachments that could be a threat to the company. For each one we compute its hashes and look them up on VirusTotal to see whether the file is already detected as malicious; if it is, we record the file name and hashes among the artifacts. Looking up a hash rather than uploading the file also avoids handing a potentially sensitive document to a third party.
File Extension verification
Attackers often rename a file to a harmless-looking extension (for example giving an executable a .txt name) so that filters that trust the extension, such as a mail gateway's attachment rules or a spam and quarantine policy, let it through without a warning. The extension is only a label; the file's real type is revealed by its first bytes, the "magic number".
Example: let's say I have an email with a file named PsExe.txt.
When I look at it, it opens as hexadecimal, so I can't see the original content. To verify whether the extension is real, I searched the first 4 bytes on Gary Kessler's file-signature website and found that the real extension is PsExed.ps1.
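The two attachment steps above, hashing and extension verification, can be done together in one pass over the .eml. The following is an added example, not code from the original post: it extracts every attachment, computes MD5/SHA-1/SHA-256 (the values you would look up on VirusTotal), and compares the declared extension against the file's magic bytes using a small subset of the public file-signature tables such as Gary Kessler's. The sample message and its attachments are constructed: "PsExe.txt" is a four-byte MZ stub with zero padding, not a real executable. Note that plain-text formats (.txt, .ps1, .js, .vbs, .hta) carry no magic number, so a file that matches no signature is only known not to be one of the binary types listed.

```python
"""Added example (not from the original post): hash attachments and verify their
extension against magic bytes. The message built here is a constructed sample."""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Small subset of the public file-signature tables (e.g. Gary Kessler's):
# (magic bytes, extensions that legitimately carry them, description).
SIGNATURES = [
    (b"MZ", {"exe", "dll", "scr", "sys"}, "Windows PE executable"),
    (b"%PDF", {"pdf"}, "PDF document"),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}, "ZIP container"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msg"}, "OLE2 compound file"),
    (b"\x7fELF", {"elf", "so", "bin"}, "ELF binary"),
    (b"\x89PNG\r\n\x1a\n", {"png"}, "PNG image"),
    (b"Rar!\x1a\x07", {"rar"}, "RAR archive"),
]


def identify(data: bytes):
    """Return (description, allowed extensions) for the first matching signature, else None."""
    for magic, exts, desc in SIGNATURES:
        if data.startswith(magic):
            return desc, exts
    return None


def hashes(data: bytes) -> dict:
    """Hashes in the forms VirusTotal accepts for a lookup."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def check_attachment(filename: str, data: bytes) -> dict:
    """Hash one attachment and compare its declared extension with its magic bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"filename": filename, "declared_ext": ext, "hashes": hashes(data)}
    ident = identify(data)
    if ident is None:
        # Text formats (.txt, .ps1, .js, .vbs, .hta ...) have no magic bytes:
        # "no match" only means the file is not one of the binary types above.
        result.update(detected=None, mismatch=False)
    else:
        desc, exts = ident
        result.update(detected=desc, mismatch=ext not in exts)
    return result


def analyse_attachments(raw: bytes) -> list:
    """Run check_attachment over every attachment part of a raw .eml."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [
        check_attachment(part.get_filename() or "(unnamed)", part.get_payload(decode=True))
        for part in msg.iter_attachments()
    ]


def build_sample_eml() -> bytes:
    """Constructed sample: a PE stub renamed to .txt, plus a genuine text file."""
    msg = EmailMessage()
    msg["From"] = "noreply@tmoobille.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "You Are Our February Winner ! Open Immediately!"
    msg.set_content("Open the attached file to claim your reward.")
    # Fake DOS/PE header ('MZ' + padding); not a real executable.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="PsExe.txt")
    msg.add_attachment(b"Just a note.", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in analyse_attachments(build_sample_eml()):
        flag = "EXTENSION MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['filename']}: {r['detected']} [{flag}] sha256={r['hashes']['sha256']}")
```

Extend `SIGNATURES` with the entries you care about from the full signature tables; for archives, remember that the extension check only covers the container, so the contents still need to be extracted and checked the same way.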
Conclusion
We have now seen how to investigate a suspicious email file and collect its artifacts.
If you like my content, give me a clap and follow me for more like it.