Phishing Email Analysis (1)

Phishing attacks involve fraudulent communications aimed at stealing sensitive data or installing malware, typically through email. Analyzing phishing emails helps identify techniques used by attackers, focusing on elements like subject lines, email spoofing, and attachments. Key steps in phishing email analysis include examining email headers, checking sender reputation, and using sandbox environments for safe file examination.

Uploaded by e.n.nihala

Phishing Emails Analysis

What is a Phishing Attack?

Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source.
It is usually done through email and websites.
The goal is to steal sensitive data like credit card and login information, or to install malware on the victim's machine.
Phishing is a common type of cyber attack that everyone should learn about in order to protect themselves.
Phishing Email Cyber Kill Chain Stage
Phishing attacks correspond to the "Delivery" phase in the Cyber Kill Chain model created to analyse cyber-attacks. The delivery stage is the step where the attacker transmits the previously prepared harmful content to the victim systems/people.
What is phishing email analysis?

Phishing email analysis involves studying the content of phishing emails to understand the techniques the attacker used.
Elements of Phishing Emails

All phishing emails include one of two components: a link or an attachment.

Some of the important elements for identifying phishing emails:

➢ Subject line
➢ Email spoofing
➢ Brand impersonation
➢ Phishing link
➢ Attachment
➢ Phishing page
For Real-time Live interactive Cyber Security Trainings Contact SIEM XPERT at +91-9172620286, Email:
[email protected]
Phishing Attack Flow
Example of Phishing Email
Email Header Analysis
The "header" is basically a section of the mail that contains information such as sender, recipient and date. In addition, there are fields such as "Return-Path", "Reply-To", and "Received".

The above information helps us identify whether an email is phishing or not.

Important email header fields to check:
➢ From
➢ To
➢ X-Spam-Status
➢ Date
➢ Subject
➢ Return-Path
➢ DomainKey and DKIM signatures
➢ Received
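The following is an added example, not code from the slides or from SIEM XPERT: it pulls the header fields listed above out of a raw message with Python's standard `email` package, compares the Return-Path and Reply-To domains with the displayed From domain, walks the Received chain to find the connecting sender IP, and reads the SPF/DKIM verdicts from Authentication-Results. The message, the hostnames and the documentation-range IP addresses are constructed for the example; the private-range table exists because the `ipaddress` module classes documentation addresses as non-global, so the usual `is_global` test would reject them.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample: the displayed From claims examplebank.com while
# Return-Path and Reply-To point at another domain. Not a real message.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer-example.net>
Received: from mail.examplebank.com (unknown [203.0.113.77])
\tby inbound.victim.example (Postfix) with ESMTP id 4F2A1
\tfor <user@victim.example>; Mon, 3 Jun 2024 09:12:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mail.examplebank.com with ESMTP; Mon, 3 Jun 2024 09:11:58 +0000
Authentication-Results: inbound.victim.example;
\tspf=fail smtp.mailfrom=mailer-example.net; dkim=none
X-Spam-Status: Yes, score=7.2
From: "Example Bank Support" <support@examplebank.com>
To: user@victim.example
Reply-To: support-desk@mailer-example.net
Date: Mon, 3 Jun 2024 09:11:50 +0000
Subject: Urgent: verify your account

Please verify your account using the link below.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([A-Za-z]+)")
# Hops from these ranges are the sender's own internal relays, not the
# host that connected to our MX. Listed explicitly (see lead-in).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def domain_of(header_value):
    """Domain part of an address header, lower-cased ('' if no address)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def originating_ip(msg):
    """Walk Received headers from the oldest hop (last in the list) upward and
    return the first non-internal IP: the host that handed us the mail.
    Hops below the one written by your own MX can be forged by the sender."""
    for received in reversed(msg.get_all("Received", [])):
        for candidate in IP_RE.findall(received):
            ip = ip_address(candidate)
            if not any(ip in net for net in INTERNAL_NETS):
                return str(ip)
    return None


def auth_results(msg):
    """Map spf/dkim/dmarc -> verdict from Authentication-Results headers."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(value):
            results.setdefault(method.lower(), verdict.lower())
    return results


def analyze_headers(raw):
    """Return the header facts an analyst checks first."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to_domain = domain_of(msg.get("Reply-To")) or from_domain
    return {
        "from": parseaddr(msg.get("From", ""))[1],
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "return_path_mismatch": return_path_domain != from_domain,
        "reply_to_domain": reply_to_domain,
        "reply_to_mismatch": reply_to_domain != from_domain,
        "sender_ip": originating_ip(msg),
        "auth": auth_results(msg),
        "spam_flagged": msg.get("X-Spam-Status", "").lower().startswith("yes"),
        "subject": msg.get("Subject", ""),
    }


if __name__ == "__main__":
    for key, value in analyze_headers(SAMPLE_RAW).items():
        print(f"{key:22} {value}")
```

A Return-Path or Reply-To domain that differs from the From domain is the slide's "spoofed, attacker wants the reply elsewhere" signal; the `sender_ip` value is what goes into the Talos and MX checks on the following slides.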
Sample Email Header
Parameters to be checked on the Header
Email Static Analysis
➢ Check the sender IP and its reputation in Talos Intelligence, along with the company and geolocation details; if the reputation is bad, the email may be suspicious.
➢ Check the email domain reputation as well.
➢ If the email domain looks legitimate, check the domain's SMTP records on MxToolbox.com and check whether the sender IP belongs to the domain's MX record or not; if not, it may be a spoofed email, as most companies use their own MX server to send email.
➢ Check whether the Return-Path is the same as the sender or not; if not, it may be spoofed and the attacker has given a different email ID to receive a reply.
➢ If the email has an attachment, upload it to VirusTotal to find out if it is well-known malware.
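Added example for the MX and attachment steps above (not the slides' own code): the sender IP is compared with the addresses of the claimed domain's MX hosts, and each attachment is hashed so the hash can be looked up on VirusTotal before the file itself is uploaded. DNS answers are injected through a `lookup` callable so the code runs offline; the `FAKE_DNS` table, the MIME message and every name and address in them are constructed. The Return-Path comparison is not repeated here because it is a plain domain comparison on the parsed headers.

```python
import hashlib
from email import message_from_bytes
from ipaddress import ip_address

# Constructed DNS answers standing in for the MX and A lookups done on
# MxToolbox.com; none of these names or addresses are real records.
FAKE_DNS = {
    ("examplebank.com", "MX"): ["mx1.examplebank.com", "mx2.examplebank.com"],
    ("mx1.examplebank.com", "A"): ["198.51.100.20"],
    ("mx2.examplebank.com", "A"): ["198.51.100.21"],
}


def fake_lookup(name, rtype):
    """Offline stand-in for a DNS query; [] for unknown names."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def mx_addresses(domain, lookup=fake_lookup):
    """Resolve a domain's MX hosts to the set of addresses they answer on."""
    addrs = set()
    for host in lookup(domain, "MX"):
        addrs.update(ip_address(a) for a in lookup(host, "A"))
    return addrs


def sender_ip_matches_mx(sender_ip, from_domain, lookup=fake_lookup):
    """The slide's heuristic: does the connecting IP belong to the claimed
    domain's mail servers? False for an unknown domain or a foreign IP."""
    return ip_address(sender_ip) in mx_addresses(from_domain, lookup)


# Constructed MIME message with one base64 attachment whose bytes are b"hello".
SAMPLE_MIME = b"""\
From: support@examplebank.com
To: user@victim.example
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


def attachment_hashes(raw_bytes):
    """SHA-256 of every attachment, keyed by filename. Search the hash on
    VirusTotal (https://www.virustotal.com/gui/file/<sha256>) first; uploading
    the file shares its content with every VirusTotal subscriber."""
    hashes = {}
    for part in message_from_bytes(raw_bytes).walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        hashes[part.get_filename() or "unnamed"] = hashlib.sha256(payload).hexdigest()
    return hashes


if __name__ == "__main__":
    print("sender IP in MX set:", sender_ip_matches_mx("203.0.113.77", "examplebank.com"))
    for name, digest in attachment_hashes(SAMPLE_MIME).items():
        print(f"{name}: {digest}")
```

To run the MX check against live DNS, pass a `lookup` that wraps a real resolver (for instance dnspython's `dns.resolver.resolve(name, rtype)` and the `.to_text()` of each answer). Treat a mismatch as a signal rather than proof: MX records describe where a domain receives mail, and many organisations send through different hosts, so the domain's SPF record is the authoritative list of permitted senders.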
How to Check MX record of a domain
IP Reputation Check Using Talos Intelligence
Virus Total File Scanning
Sandbox Environment for Email Header Analysis
(Dynamic Header Analysis)
You can examine suspicious files and websites in sandbox environments. When you examine the files in these environments, you remove the risk of infecting your computer with malware.
A few commonly used sandboxes:

➢ VMRay
➢ Cuckoo Sandbox
➢ JoeSandbox
➢ AnyRun
➢ Hybrid Analysis (Falcon Sandbox)
What action do we have to take if an email is phishing?
E-mail Traffic Analysis

Many parameters are needed when analysing a phishing attack. We can learn the size of the attack and the target audience from the search results on the mail gateway, using the following parameters:

➢ Sender address
➢ SMTP IP address
➢ Email address domain
➢ Subject (the sender address and SMTP address may be constantly changing)
Action

➢ Check how many users have received the email and ask them to delete it permanently.
➢ If a machine is infected with malware, isolate the system from the network.
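Added example for the traffic-analysis and action steps above (not the slides' own code): it searches mail-gateway log lines by the four parameters (sender address, SMTP IP, sender domain, subject) and reports how many messages matched, which indicator caught each one, and which recipients actually received the mail and therefore need the delete instruction. The log format and every address in `GATEWAY_LOG` are constructed for the example; real gateways export different fields, so only `parse_line` would need adapting.

```python
import re
from collections import Counter

# Constructed gateway log (key=value style), not from any real product.
# Note the sender and SMTP IP change between messages while the subject holds.
GATEWAY_LOG = [
    '2024-06-03T09:12:01Z sender=support@examplebank.com ip=203.0.113.77 '
    'rcpt=alice@victim.example subject="Urgent: verify your account" action=delivered',
    '2024-06-03T09:12:40Z sender=alerts@examplebank.com ip=203.0.113.78 '
    'rcpt=bob@victim.example subject="Urgent: verify your account" action=delivered',
    '2024-06-03T09:13:05Z sender=noreply@mailer-example.net ip=203.0.113.90 '
    'rcpt=carol@victim.example subject="Urgent: verify your account" action=quarantined',
    '2024-06-03T09:14:00Z sender=hr@victim.example ip=192.0.2.5 '
    'rcpt=alice@victim.example subject="June timesheets" action=delivered',
    '2024-06-03T09:15:22Z sender=support@examplebank.com ip=203.0.113.77 '
    'rcpt=dave@victim.example subject="Re: statement" action=delivered',
    '2024-06-03T09:16:10Z sender=news@example.com ip=192.0.2.9 '
    'rcpt=bob@victim.example subject="Weekly digest" action=delivered',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one log line into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def scope_campaign(lines, sender=None, smtp_ip=None, domain=None, subject=None):
    """Search the gateway log by the four slide parameters. A line belongs to
    the campaign if ANY given indicator matches, because the sender address
    and SMTP IP rotate while the subject usually stays constant."""
    hits = Counter()
    matches = []
    for line in lines:
        f = parse_line(line)
        matched = []
        if sender and f.get("sender") == sender:
            matched.append("sender")
        if smtp_ip and f.get("ip") == smtp_ip:
            matched.append("smtp_ip")
        if domain and f.get("sender", "").rsplit("@", 1)[-1] == domain:
            matched.append("domain")
        if subject and f.get("subject") == subject:
            matched.append("subject")
        if matched:
            hits.update(matched)
            matches.append(f)
    # Users who got the mail must be told to delete it; quarantined copies
    # never reached a mailbox.
    delivered = sorted({f["rcpt"] for f in matches if f.get("action") == "delivered"})
    quarantined = sorted({f["rcpt"] for f in matches if f.get("action") == "quarantined"})
    return {
        "matches": len(matches),
        "indicator_hits": dict(hits),
        "delivered_to": delivered,
        "quarantined_for": quarantined,
    }


if __name__ == "__main__":
    report = scope_campaign(
        GATEWAY_LOG,
        sender="support@examplebank.com",
        smtp_ip="203.0.113.77",
        domain="examplebank.com",
        subject="Urgent: verify your account",
    )
    for key, value in report.items():
        print(f"{key:16} {value}")
```

The `indicator_hits` counter shows which parameter is doing the work: in the constructed log the subject catches a message that neither the sender nor the IP would have, which is the point the slide makes about those two values changing.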
