Phishing Analysis Fundamentals

Spam and Phishing are common social engineering attacks. In social engineering, phishing attack vectors can be a phone call, a text message, or an email. As you should have already guessed, our focus is on email as the attack vector.

There are 3 specific protocols involved to facilitate the outgoing and incoming email messages:

• SMTP (Simple Mail Transfer Protocol) → It is utilized to handle the sending of emails
  • SMTP uses port 465 for SMTP over SSL (Secure)
  • SMTP uses port 587 for SMTP with STARTTLS (Non-Secure)
• POP3 (Post Office Protocol) → Is responsible for transferring email between the client and the mail server. It is an Email download model, where Emails are downloaded from the server to the local device and often deleted from the server afterward.
  • POP3 uses port 995 for POP3 over SSL (Secure)
  • POP3 uses port 110 for POP3 with optional STARTTLS (Non-Secure)
• IMAP (Internet Message Access Protocol) → Is responsible for transferring email between a client and a mail server. It is a Server-based model, where Emails are stored on the server and viewed from any device.
  • IMAP uses port 993 for IMAP over SSL (Secure)
  • IMAP uses port 143 for IMAP with STARTTLS (Non-Secure)

2 parts of an email

Email Header

• Header → Information about the email such as email servers that relayed the email. There are fields in the email header.

  • From → the sender’s email address
  • Subject → the email’s subject line
  • Date → the date when the email was sent
  • To → the recipient's email address

  Other information about the email header

  • X-Originating-IP → The IP address of the email was sent from (known as X-Header)

  • smtp.mailfrom/header.from → The domain the email was sent from (these headers are within Authentication-Results)

  • Reply-to → This is the email address a reply email will be sent to instead of a from email address. This means that if there are reply to that is not to the sender then that’s malicious.

  • Return-Path → The email address for return mail. This is the same as "Reply-To:".

  • Envelope-To → This header shows that this email was delivered to the mailbox of a subscriber whose email address is [email protected].

  • Delivery Date → This shows the date and time at which the email was received by your (mt) service or email client.

  • Received → The received is the most important part of the email header and is usually the most reliable. They form a list of all the servers/computers through which the message traveled in order to reach you.

    The received lines are best read from bottom to top. That is, the first "Received:" line is your own system or mail server. The last "Received:" line is where the mail originated. Each mail system has its own style of "Received:" line. A "Received:" line typically identifies the machine that received the mail and the machine from which the mail was received.

  • DKIM-Signature & Domainkey-Signature → is an email authentication method designed to detect forged sender addresses in emails. It helps protect recipients from email spoofing, phishing, and spam.

    • When we say forged, it pretends to come from a trusted source

  • Message-id → A unique string assigned by the mail system when the message is first created. These can easily be forged.

  • Mime-Version → Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the email format.

  • Content-Type → Generally, this will tell you the format of the message, such as html or plaintext.

  • X-Spam-Status → Displays a spam score created by your service or mail client

  • X-Spam-Level → Displays a spam score usually created by your service or mail client

  • Message Body → This is the actual content of the email itself, written by the sender.

Email Body

• Body → Text and/or HTML formatted text

We can view email in Text format and HTML format. If there is an attachment we might see or take note of this:

• Content-Type → is application/pdf
• Content-Disposition → specifies it’s an attachment
• Content-Transfer-Encoding → tells us it’s based-64 encoded

Types of Malicious Email