This guide will cover many aspects of Phishing Email Analysis including the incident response workflow, defensive measures, analysis tools, and more.
Incident Response Workflow
Here is the typical workflow I follow when analyzing phishing emails.
- Retrieve an original copy of the phishing email
- Obtain artifacts
- Investigate the artifacts
- Collect indicators of compromise
- Take defensive measures
- Write an investigation report detailing the findings
Phishing Email Artifacts
There are 3 primary types of artifacts I look for when analyzing a phishing email. Those are email-based, file-based, and web-based artifacts. I’ll elaborate on these below.
Email Artifacts
These would be any plain-text data or information that can be derived from an email either through looking at the source code or by using an automated analysis tool. The following are the email-based artifacts I would always gather for my report.
- Sending email address
- Recipient email address
- Reply-to address
- Subject line
- Date and time
- Sending server IP address and reverse DNS lookup
File Artifacts
There may not always be file attachments in emails, but if there are, I would retrieve the following artifacts from them.
- Attachment name
- SHA256 hash value
- Get-FileHash -Algorithm SHA256 .\example.eml
- https://talosintelligence.com/talos_file_reputation
- https://www.virustotal.com/gui/home/search
After retrieving the file hash, I would then paste the hash into the Talos File Reputation and VirusTotal websites to see whether or not that file has been flagged as malware. If the results from those websites are mixed, I might also consider investigating a copy of the file artifact in a sandboxed virtual machine with no network connection.
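The email-based and file-based artifacts above can be pulled out of an .eml in one pass. The following is an added example (not part of the original guide) that parses a constructed sample message with Python's standard library, reads the sending server IP from the topmost Received header, and hashes every attachment with SHA256; the reverse DNS lookup and reputation checks still need a network and are left to the analyst.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample (not a real message); the attachment is "abc" (base64 "YWJj").
SAMPLE_EML = """\
Received: from mail.example.com (mail.example.com [198.51.100.23])
    by mx.victim.example (Postfix) with ESMTPS id 4F3B2; Mon, 04 Mar 2024 09:15:02 +0000
From: "IT Support" <helpdesk@example.com>
To: jane.doe@victim.example
Reply-To: collect@reply-domain.example
Subject: Password expiry notice
Date: Mon, 04 Mar 2024 09:14:58 +0000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached instructions.
--b1
Content-Type: application/octet-stream; name="instructions.txt"
Content-Disposition: attachment; filename="instructions.txt"
Content-Transfer-Encoding: base64

YWJj
--b1--
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_artifacts(raw_eml: str) -> dict:
    msg = email.message_from_string(raw_eml, policy=policy.default)
    # The topmost Received header was added by our own MX; its bracketed IP is the connecting server.
    received = msg.get_all("Received") or []
    ip_match = IP_IN_BRACKETS.search(str(received[0])) if received else None
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"name": part.get_filename(),
                            "sha256": hashlib.sha256(data).hexdigest()})
    return {
        "sender": str(msg["From"]),
        "recipient": str(msg["To"]),
        "reply_to": str(msg["Reply-To"]),
        "subject": str(msg["Subject"]),
        "date": str(msg["Date"]),
        "sending_ip": ip_match.group(1) if ip_match else None,
        "attachments": attachments,
    }
```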
Web Artifacts
Many phishing emails include hidden or obvious website links in the body content. Sometimes this can be a fully exposed URL, or it could be an image with an anchor tag on it. For investigating web-based artifacts, I retrieve the following from the emails.
- Full URLs
- Root domains
Oftentimes this involves opening the email source in a text editor, searching for the URL, and reading the hardcoded string in the anchor tags. Phishing emails frequently display one URL as the link text while the href points to a different domain entirely, as in the following example.
<a href="http://malware.net" target="_blank">https://google.com</a>
If I ever have doubts about my safety when visiting a suspicious link, I never visit the link directly. Instead, I perform a WHOIS domain lookup to get more information on the location of the domain and its age. If it’s a newer domain, then there is a high likelihood that it could be used for phishing campaigns. I would also use the following tools to safely see what is on the webpage of the link without having to visit the link myself.
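The displayed-text-versus-href trick shown above can be checked mechanically. This added example (not from the original guide) parses a constructed HTML body, records the full URL and root domain of every anchor, uses the image alt text when the link is an image, and flags any link whose visible text is a URL on a different root domain than its href. The root-domain helper keeps only the last two labels, a deliberate simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body (not from a real email): link 1 displays one domain but
# points to another; link 2 is an image wrapped in an anchor; link 3 is consistent.
SAMPLE_BODY = """
<p>Your mailbox is almost full. <a href="http://malware.net" target="_blank">https://google.com</a></p>
<a href="https://login.example-portal.net/verify"><img src="cid:button" alt="Verify now"></a>
<a href="https://google.com/drive">https://google.com</a>
"""

def root_domain(host: str) -> str:
    # Simplification: last two labels. Use the Public Suffix List in real tooling.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collects each <a href> together with the text (or image alt) the user sees."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._current = {"href": a["href"], "text": ""}
        elif tag == "img" and self._current is not None:
            self._current["text"] += a.get("alt") or ""
    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None

def analyze_links(html_body: str) -> list:
    """Return URL, root domain, visible text and a mismatch flag for every link."""
    parser = LinkCollector()
    parser.feed(html_body)
    results = []
    for link in parser.links:
        href_host = urlparse(link["href"]).hostname or ""
        text = link["text"].strip()
        # Only compare when the visible text is itself a URL with a host.
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        results.append({"url": link["href"], "root_domain": root_domain(href_host),
                        "visible_text": text,
                        "mismatch": bool(text_host) and root_domain(text_host) != root_domain(href_host)})
    return results
```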
Defensive Measures
There are many different ways we can protect users from phishing emails. Some of these measures are done on the infrastructure once (and updated as needed) while other measures can be taken when phishing attacks occur.
Here are some infrastructure level defenses we can put in place to prevent many of the phishing emails from ever reaching our users.
Anti-Spoofing Records
- SPF (Sender Policy Framework) – This is a DNS TXT record that lists which servers are allowed to send mail for a domain, so receivers can detect a forged sending address.
- DKIM (DomainKeys Identified Mail) – This is a method of email authentication that verifies whether an email was sent by trusted servers and wasn't tampered with during transmission.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) – This protocol allows the domain owner to specify what happens if emails fail both SPF and DKIM checks (no action, quarantine, reject).
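To make the policy choices concrete, here is an added example (not from the original guide) that evaluates constructed SPF and DMARC TXT records offline, placing the weak settings (`+all`, `p=none`) beside the enforcing ones. Only ip4/ip6 mechanisms and the `all` terminator are evaluated; include, a, mx and exists need DNS and are skipped, which is an assumption of this example rather than full SPF.

```python
import ipaddress

# Constructed records for a hypothetical domain (not real DNS data).
SPF_WEAK = "v=spf1 ip4:198.51.100.0/24 +all"                   # +all lets any host pass
SPF_STRICT = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"  # everything else hard-fails
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCE = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate ip4/ip6 mechanisms and the 'all' terminator, left to right.
    Simplification: include/a/mx/exists need DNS lookups and are not handled."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:                 # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            # Version mismatch (IPv6 sender vs ip4 network) simply does not match.
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                                # nothing matched and no 'all'


def dmarc_policy(record: str) -> dict:
    """Parse a DMARC TXT record and state what happens to mail that fails alignment."""
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    policy = tags.get("p", "none")
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy),  # sp falls back to p when absent
        "percent": int(tags.get("pct", "100")),
        "enforcing": policy in ("quarantine", "reject"),
    }
```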
Spam Filters
- Gateway Spam Filters – These sit behind a network firewall.
- Hosted Spam Filters – These are hosted within the cloud.
- Desktop Spam Filters – These are typically free software which may not be as effective as the other two filters.
Types of Spam Filtering
- Content Filters – Use information in the email header and body to determine whether an email is spam or not.
- Rule-Based Filters – Use predetermined criteria to filter email.
- Bayesian Filters – Use machine learning, trained on the messages a user marks as spam or legitimate, to classify new mail according to that user's preferences.
Blocking Measures
If I found a phishing email, I would also consider the following actions to target specific components of the malicious email.
- Email artifact blocking – Filter based on subject line, sending email address, and sending server IP address.
- File artifact blocking – Filter based on file names and file hashes.
- Web artifact blocking – Filter based on URL, domain, and IP addresses.
Phishing Email Analysis Tools
Here is a list of tools I would use when analyzing a phishing email. I will sort them by use case based on the incident response workflow.
Artifact Analysis
Visualization
URL Reputation
- https://www.virustotal.com/gui/home/upload
- https://urlhaus.abuse.ch/
- https://www.phishtank.com/
- https://www.wannabrowser.net/
File Reputation
Malware Sandboxing