E-mail Analysis
Email dates back to the 1970s and ARPANET.
An email address has the following key components:
There are 3 protocols involved in sending and receiving email messages:
SMTP (Simple Mail Transfer Protocol): handles the sending of emails.
POP3 (Post Office Protocol): responsible for transferring email between a client and a mail server.
IMAP (Internet Message Access Protocol): responsible for transferring email between a client and a mail server.
You should have noticed that both POP3 and IMAP have the same definition. But there are differences between the two.
POP3: Emails are downloaded and stored on a single device. Sent messages are stored on the single device from which the email was sent. Emails can only be accessed from the single device the emails were downloaded to. If you want to keep messages on the server, make sure the setting "Keep email on server" is enabled, or all messages are deleted from the server once downloaded to the single device's app or software.
IMAP: Emails are stored on the server and can be downloaded to multiple devices. Sent messages are stored on the server. Messages can be synced and accessed across multiple devices.
Alexa composes an email to Billy (billy@johndoe.com) in her favorite email client. After she's done, she hits the send button;
The SMTP server needs to determine where to send Alexa's email. It queries DNS for information associated with johndoe.com;
The DNS server obtains the information for johndoe.com and sends that information to the SMTP server;
The SMTP server sends Alexa's email across the Internet to Billy's mailbox at johndoe.com.
Alexa's email passes through various SMTP servers and is finally relayed to the destination SMTP server.
Alexa's email has finally reached the destination SMTP server.
Alexa's email is forwarded and is now sitting in the local POP3/IMAP server waiting for Billy.
Billy logs into his email client, which queries the local POP3/IMAP server for new emails in his mailbox.
Alexa's email is copied (IMAP) or downloaded (POP3) to Billy's email client.
Each protocol has its associated default and recommended ports. For example, SMTP uses port 25 by default.
The header contains information about the email, such as the email servers that relayed the email. The main header fields are the following ones:
From: The sender's email address
Subject: The email's subject line
Date: The date when the email was sent
To: The recipient's email address
X-Originating-IP: The IP address the email was sent from (also known as an X-header)
smtp.mailfrom / header.from: The domain the email was sent from (fields within Authentication-Results)
Reply-To: The email address a reply email will be sent to instead of the From email address
Return-Path: The email address a reply email will be sent to instead of the From email address
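To show how these fields are read in practice, here is an added example that is not part of the original page: a small Python script using only the standard library `email` module. It parses a constructed raw message (every address, host and IP in it is invented and uses documentation ranges), lists the Received hops in chronological order, pulls smtp.mailfrom, header.from and the DMARC verdict out of Authentication-Results, and flags the sender mismatches an analyst looks for (From vs Reply-To, From vs Return-Path, header.from vs smtp.mailfrom).

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample message for illustration only. Received headers are laid out the way
# relays leave them: newest hop at the top. All names, hosts and IPs are invented.
RAW_EMAIL = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx.johndoe.com (mx.johndoe.com [203.0.113.10])
\tby imap.johndoe.com with ESMTP id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.johndoe.com with ESMTP id def456; Mon, 1 Jan 2024 10:00:03 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
\tby relay.example.net with ESMTPA id ghi789; Mon, 1 Jan 2024 10:00:01 +0000
Authentication-Results: mx.johndoe.com; spf=pass smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=bank.example.com
X-Originating-IP: [192.0.2.25]
From: "Alexa" <alexa@bank.example.com>
Reply-To: support@mailer.example.net
To: billy@johndoe.com
Subject: Payment update
Date: Mon, 1 Jan 2024 09:59:58 +0000
Content-Type: text/plain

Please review the attached invoice.
"""


def _domain(addr):
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def received_hops(msg):
    """Return (from_host, by_host) pairs in chronological order, origin first.
    Each relay prepends its own Received header, so the top one is the last hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", str(value), re.DOTALL)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def auth_results(msg):
    """Extract smtp.mailfrom, header.from and the dmarc verdict from Authentication-Results."""
    value = str(msg.get("Authentication-Results", ""))
    out = dict(re.findall(r"(smtp\.mailfrom|header\.from)=([^\s;]+)", value))
    m = re.search(r"\bdmarc=(\w+)", value)
    if m:
        out["dmarc"] = m.group(1)
    return out


def analyze_headers(raw):
    """Parse the raw message and report the fields and mismatches discussed above."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    auth = auth_results(msg)

    findings = []
    if reply_to and _domain(reply_to) != _domain(sender):
        findings.append("reply-to-domain-mismatch")
    if return_path and _domain(return_path) != _domain(sender):
        findings.append("return-path-domain-mismatch")
    mailfrom, header_from = auth.get("smtp.mailfrom", ""), auth.get("header.from", "")
    if mailfrom and header_from and mailfrom.lower() != header_from.lower():
        findings.append("mailfrom-vs-header-from-mismatch")
    if auth.get("dmarc", "").lower() == "fail":
        findings.append("dmarc-fail")

    return {
        "from": sender,
        "reply_to": reply_to,
        "return_path": return_path,
        "originating_ip": str(msg.get("X-Originating-IP", "")).strip("[] "),
        "auth": auth,
        "hops": received_hops(msg),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyze_headers(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

The hop list is read bottom-up because every relay adds its Received line above the previous ones; the first pair is therefore the originating host, which is the one to cross-check against X-Originating-IP. The mismatch codes are only indicators (legitimate bulk mailers also use a different envelope sender), so they belong in a report for the analyst rather than in an automatic verdict.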
The email body is the part of the email which contains the text (plain or HTML formatted) the sender wants you to view. An email body can also carry an attachment file. For example, the following email carries the file Payment-updateid.pdf, which appears in the source code in the following way:
The headers associated with this attachment:
Content-Type is application/pdf.
Content-Disposition specifies it's an attachment.
Content-Transfer-Encoding tells us it's base64 encoded.
With the base64 encoded data, you can decode it and save the file to your machine.
Copy and paste the mail header into one of the following tools:
Copy and paste the sender IP address of the mail into one of the following tools:
You can extract URLs from an email by right-clicking on them and copying the link:
You can also extract URLs from the raw header or the decoded HTML body by copying and pasting them into one of the following tools:
After obtaining the attachment, compute its SHA256 hash, e.g. with the following command on Linux:
Then paste the resulting hash into one of the following tools for further analysis:
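The attachment and URL steps above, carried out in code as an added example that is not part of the original page: the script builds a constructed multipart message (invented sender, an HTML body with one invented link, and a few bytes with a PDF-like prefix standing in for Payment-updateid.pdf), then walks the MIME parts to find the Content-Disposition: attachment part, undoes its base64 Content-Transfer-Encoding, computes the SHA256 hash (the same value `sha256sum` prints on Linux) and extracts every URL from the text parts. Only the Python standard library is used.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample attachment: a PDF-like prefix plus a comment, not a real document.
SAMPLE_PDF_BYTES = b"%PDF-1.4\n% constructed sample attachment for demonstration\n"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def build_sample_email():
    """Build a constructed message (invented addresses and link) and return its raw
    source bytes, i.e. what 'view source' shows in a mail client."""
    msg = EmailMessage()
    msg["From"] = "alexa@bank.example.com"
    msg["To"] = "billy@johndoe.com"
    msg["Subject"] = "Payment update"
    msg.set_content("Please review the attached invoice.")
    msg.add_alternative(
        '<html><body><p>Please review the attached invoice: '
        '<a href="https://login.example-update.test/verify?id=123">Update payment</a>'
        "</p></body></html>",
        subtype="html",
    )
    # add_attachment base64-encodes binary content and sets Content-Disposition: attachment
    msg.add_attachment(SAMPLE_PDF_BYTES, maintype="application", subtype="pdf",
                       filename="Payment-updateid.pdf")
    return msg.as_bytes()


RAW_EMAIL = build_sample_email()


def sha256_hex(data):
    """Hex SHA256 digest, as printed by sha256sum."""
    return hashlib.sha256(data).hexdigest()


def extract_attachments(raw):
    """Return one record per attachment part: headers of interest, decoded bytes and hash."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)  # reverses the Content-Transfer-Encoding
        found.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "transfer_encoding": str(part.get("Content-Transfer-Encoding", "")).lower(),
            "data": data,
            "sha256": sha256_hex(data),
        })
    return found


def extract_urls(raw):
    """Collect URLs from every decoded text/* body part (plain and HTML), de-duplicated."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            urls.update(URL_RE.findall(part.get_content()))
    return sorted(urls)


if __name__ == "__main__":
    for att in extract_attachments(RAW_EMAIL):
        print(f"{att['filename']} ({att['content_type']}, {att['transfer_encoding']}): "
              f"{len(att['data'])} bytes, sha256={att['sha256']}")
        # To save it for sandboxing: open(att["filename"], "wb").write(att["data"])
    for url in extract_urls(RAW_EMAIL):
        print("URL:", url)
```

Decoding via `get_payload(decode=True)` rather than calling base64 by hand means the same code also handles attachments sent with quoted-printable or 7bit transfer encodings. Hashing the decoded bytes (not the base64 text) is what makes the value comparable with what a sandbox or VirusTotal reports for the file.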
Malware sandbox
There are online tools and services where malicious files can be uploaded and analyzed to better understand what the malware was programmed to do. These services are known as malware sandboxes. We can upload an attachment we obtained from a potentially malicious email and see what URLs it attempts to communicate with, what additional payloads are downloaded to the endpoint, persistence mechanisms, Indicators of Compromise (IOCs), etc.:
Automated Phishing Analysis
PhishTool combines threat intelligence, OSINT, email metadata and battle-tested auto-analysis pathways into one powerful phishing response platform, making you and your organisation a formidable adversary, immune to phishing campaigns that those with lesser email security capabilities fall victim to.
You can also connect PhishTool to a VirusTotal account using an API key.
PhishTool conveniently grabs all the pertinent information we'll need regarding the email:
Email sender;
Email recipient (in this case, a long list of CCed email addresses);
Timestamp;
Originating IP and Reverse DNS lookup.
We can obtain information about the SMTP relays, specific X-header information, and IP information.
You can also see the hops of the email (SMTP relays):
We can see the email body, either as source code or as rendered text:
Any submission you upload to PhishTool can be flagged as malicious and resolved with notes, similar to how a SOC analyst would handle it.
The attachment file name and file hashes will be marked as malicious. Next, click on Resolve.
An analyst can mark the email based on dropdown selections.
URLs can also be extracted using the Extract URLs recipe (a CyberChef operation).
We can also see attachments and, if configured, analyze them through VirusTotal: