# Phishing 201
###### tags: `social engineering` `cybersecurity` `phishing` `email analysis`
This is the second part in the phishing series. If you haven't done so already, kindly take a look at [phishing 101](https://hackmd.io/tqdovKbqQS6q76ojedQ5WA).

As an analyst, the important information to look out for when analysing email headers is:

* Sender email address
* Sender IP address
* Reverse lookup of the sender IP address
* Email subject line
* Recipient email addresses, including any in the Cc or Bcc fields
* Reply-To email address (a Reply-To domain that differs from the From domain is worth noting)
* Date / time

Then you move to the email body and attachments.

You should collect the following from the email body:

* Any URL links, taking care to obtain the original (expanded) URL if a URL shortener was used
* The name of the attachment
* The hash value of the attachment in MD5 or SHA256 format
## Email Header Analysis
### Google
We can use Google's **Messageheader** from the Google Admin toolbox.

[Messageheader](https://toolbox.googleapps.com/apps/messageheader/) analyzes SMTP message headers, which helps identify the root cause of delivery delays. You can detect misconfigured servers and mail-routing problems.

How to use: copy and paste the entire email header and run the analysis tool.
### Azure
**Message Header Analyzer** from Azure

You can use it [here](https://mha.azurewebsites.net/)
### Mailheader[.]org
You can use it [here](https://mailheader.org/)
### Tracking location info from an IP address

You can use the tools below to analyze information about the sender's IP address:

* ipinfo.io
* urlscan.io
* url2png.com
* wannabrowser.net
* [Talos Reputation Center](https://talosintelligence.com/reputation)
## Email Body Analysis
This is usually where the malicious payload is delivered to the recipient, either as a link or as an attachment.

Links can be extracted manually, either directly from an HTML-formatted email or by sifting through the raw email source.

Note the root domain of each extracted URL, as you will need to analyse those as well.

You can also use:

* [URL extractor](https://www.convertcsv.com/url-extractor.htm)
* [CyberChef](https://gchq.github.io/CyberChef/) to extract URLs with the Extract URLs recipe.
### Steps:

1. Extract URLs
1. Check the reputation of the URLs and their root domains
1. Safely obtain the attachment(s), if any
1. Get the hashes of the attachment(s)
1. Check if the file is a known malicious document

For this you can use:

* [Talos File Reputation](https://talosintelligence.com/talos_file_reputation) maintained by Cisco
* [Virus Total](https://www.virustotal.com/gui/home/upload)
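The collection steps above (header fields, sender IP from the earliest Received hop, Reply-To mismatch, URLs with their root domains and shortener flag, attachment names and MD5/SHA256 hashes) can be scripted against a saved `.eml` file with Python's standard library alone. The following is an added example, not code from the original note or from any of the tools listed; the message it parses is a constructed sample with reserved documentation addresses, the shortener list is a short hand-picked set, and the two-label root-domain rule is a simplification that mis-handles suffixes such as `co.uk`.

```python
import email
import hashlib
import json
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phish). RFC 5737 / .test values only.
SAMPLE_EML = b"""Received: from mail.example-relay.test (mail.example-relay.test [203.0.113.45])
    by mx.victim.test with ESMTP id abc123
    for <alice@victim.test>; Mon, 4 Mar 2024 09:12:33 +0000
From: "IT Support" <helpdesk@example-sender.test>
Reply-To: reset@attacker-example.test
To: alice@victim.test
Cc: bob@victim.test
Subject: Password expiry notice
Date: Mon, 4 Mar 2024 09:12:30 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today.</p>
<a href="https://bit.ly/3xAmPl3">Reset now</a>
<a href="http://login.attacker-example.test/reset?u=alice">Portal</a></body></html>
--BOUND
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQK
--BOUND--
"""

IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Hand-picked, incomplete list of shorteners; expand it for real use (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_summary(msg):
    """Collect the header fields an analyst records first."""
    received = msg.get_all("Received", [])
    # Received headers are prepended by each hop, so the last one in the list
    # is the earliest hop: the server that accepted the mail from the sender.
    origin_hop = str(received[-1]) if received else ""
    ips = IPV4_RE.findall(origin_hop)
    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    recipients = []
    for field in ("To", "Cc", "Bcc"):
        for hdr in msg.get_all(field, []):
            recipients.extend(a.addr_spec for a in hdr.addresses)
    return {
        "from": sender,
        "reply_to": reply_to,
        # Replies silently going to another domain is a classic phishing tell.
        "reply_to_mismatch": bool(reply_to) and domain_of(reply_to) != domain_of(sender),
        "recipients": recipients,
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "sender_ip": ips[0] if ips else None,  # feed this to ipinfo / Talos / reverse DNS
        "hop_count": len(received),
    }


def extract_urls(msg):
    """Pull http(s) URLs from every inline text part (plain or HTML), de-duplicated."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.get_filename():
            continue
        found.extend(URL_RE.findall(part.get_content()))
    return list(dict.fromkeys(found))


def url_report(urls):
    """Record host, root domain and whether the link must be expanded before analysis."""
    report = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        labels = host.split(".")
        root = ".".join(labels[-2:]) if len(labels) >= 2 else host  # naive; see lead-in
        report.append({"url": url, "host": host, "root_domain": root,
                       "shortener": host in SHORTENERS})
    return report


def attachment_hashes(msg):
    """Name, size and MD5/SHA256 of each attachment, for Talos / VirusTotal lookups."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append({"name": part.get_filename(), "size": len(data),
                    "md5": hashlib.md5(data).hexdigest(),
                    "sha256": hashlib.sha256(data).hexdigest()})
    return out


def triage(raw_eml):
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    return {"headers": header_summary(msg),
            "urls": url_report(extract_urls(msg)),
            "attachments": attachment_hashes(msg)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Hashing the attachment from the decoded MIME payload means you never have to write the file to disk on the analysis host; the hashes can go straight to the reputation services below, and only files that are unknown there need to reach a sandbox.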
## Malware Sandbox
Sandboxes are services where you can upload and detonate suspicious files in an isolated environment to understand what they are programmed to do.

Some sandboxes you could try are:

* [Any run](https://app.any.run/)
* [Hybrid analysis](https://www.hybrid-analysis.com/)
* [Joe Security](https://www.joesecurity.org/)
## Phishtool
One tool to rule them all, well sort of.

Check out [Phishtool](https://www.phishtool.com/); there's a community edition that's pretty neat.

You can hook it up to VirusTotal through API keys.
## Honorable Mentions
Some other useful tools include:
### MX toolbox
[MX toolbox](https://mxtoolbox.com/) can list MX records for a domain in priority order. The MX lookup is done directly against the domain's authoritative name server, so changes to MX records show up instantly.
### Phish Tank
[PhishTank](https://phishtank.com/) allows you to submit suspected phishing URLs and see others' submissions.
### The Spamhaus project
[The Spamhaus Project](https://www.spamhaus.org/) maintains databases of known malicious sites related to phishing and is a good resource for research.