How to Analyze a Phishing Mail Part 1 - Email Body Analysis
- Anand R Menon
- Dec 7, 2023
- 7 min read

Imagine receiving an urgent email from your bank, informing you of a suspicious transaction on your account and prompting you to click a link to resolve the issue immediately. Or picture receiving a seemingly innocent message from a trusted colleague, asking for confidential information. These scenarios may seem commonplace, but they are just a couple of examples of a dangerous cyber threat that plagues the digital world - phishing.
Phishing is a technique criminals use to deceive people into divulging sensitive information such as passwords, credit card numbers or social security numbers. It typically involves impersonating trusted entities or individuals through fake emails, websites, text messages (smishing) or calls (vishing) that appear legitimate at first glance. The ultimate goal is to trick the recipient into an action that compromises their security: entering credentials on a look-alike site, opening a malicious attachment, or sending money.
Phishing has evolved a lot over the years, from simple emails laced with poor grammar and carrying malicious links or attachments, to customized phishing kits sold on the dark web, conversation hijacking, and mails with embedded QR codes or CAPTCHA gates placed in front of the phishing page to keep automated scanners out. Another critical aspect is that phishing is very often the initial access vector in high-profile breaches and compromises.
In this 3-part phishing analysis series, we explore ways to effectively analyze a phishing mail. It should be helpful to cybersecurity professionals and to the general public irrespective of their work roles (everyone receives work-related emails!!). Basically, this is for anyone with an investigative mindset who likes to dig deeper to uncover the truth.
There are broadly two kinds of analysis techniques for a phishing mail:
Static Analysis
Dynamic Analysis
Static Analysis
Static analysis of a phishing mail involves examining the email without executing its contents. Analysts review various attributes such as sender information, email content, links, and attachments to identify potential signs of phishing. By scrutinizing these elements, security professionals can assess the legitimacy of the email and determine if it poses a threat, without actively engaging with the potentially malicious content. Email Static Analysis can be classified into two types:
Email Body Analysis
Email Header Analysis
In Part 1 of this 3-part series, we're exploring the various aspects of the email body analysis technique.
What is Email Body Analysis?
The most visible part of an email is the email body and analyzing the email body thoroughly can give away so many clues regarding the authenticity of the mail. Phishing emails often contain several indicators that can help you identify them.
While not all phishing emails exhibit the same characteristics, here are some typical indicators to look out for in the email body:
Sender Email Address
Check the sender's actual email address carefully, not just the display name: many mail clients, especially on mobile, show only the display name, and that is entirely attacker-controlled. Phishing emails often use addresses that mimic legitimate ones with subtle misspellings, swapped characters (rn for m, 1 for l, a digit 0 for the letter o) or an extra word such as "-support" or "-verify" appended to the brand name. A sender using a personal mail address (gmail.com, yahoo.com etc.) while claiming to write on behalf of an organization is most likely a phishing actor. Keep in mind that the From address can also be forged outright to show the genuine domain; whether it actually passed the domain's authentication checks is a question for header analysis (Part 2).
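As an added example (not code from the original article), the following Python script applies those checks to a From header: it separates the display name from the real address, flags free-mail senders whose display name claims a brand, detects look-alike domains by edit distance after normalising common character substitutions, and catches display names that themselves contain a different email address. The brand list, the free-mail list and the confusable-character table are constructed for illustration and should be replaced with what matters in your environment.

```python
"""Sender-address triage (added example; lists below are constructed)."""
import re
from email.header import decode_header
from email.utils import parseaddr

BRAND_DOMAINS = {"metamask.io", "fbi.gov", "dhl.com", "fedex.com", "paypal.com"}  # assumed
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com"}  # assumed

# Digits and Cyrillic letters commonly substituted for Latin ones in look-alike domains
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0445": "x"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list in this example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def decode_display(header: str) -> str:
    """Decode RFC 2047 encoded words (=?utf-8?q?...?=) that often hide the display name."""
    out = []
    for chunk, charset in decode_header(header):
        out.append(chunk.decode(charset or "ascii", "replace") if isinstance(chunk, bytes) else chunk)
    return "".join(out)


def analyze_sender(from_header: str) -> dict:
    display, addr = parseaddr(decode_display(from_header))
    if "@" not in addr:
        return {"display": display, "address": addr, "findings": ["address could not be parsed"]}
    domain = addr.rsplit("@", 1)[1].lower()
    base = registrable(domain)
    findings = []
    if domain.startswith("xn--") or ".xn--" in domain:
        findings.append("internationalised (punycode) domain, check for homoglyphs")
    if base in BRAND_DOMAINS:
        findings.append("genuine brand domain: confirm it was not spoofed (header analysis)")
    else:
        for brand in sorted(BRAND_DOMAINS):
            name = brand.split(".")[0]
            max_dist = 1 if len(brand) <= 8 else 2  # short brands need a tighter threshold
            if name in domain.replace("-", ""):
                findings.append(f"brand name '{name}' inside unrelated domain {domain}")
            elif min(levenshtein(base, brand), levenshtein(base.translate(CONFUSABLES), brand)) <= max_dist:
                findings.append(f"look-alike of {brand}: {domain}")
            if base in FREEMAIL and name in display.lower():
                findings.append(f"free-mail address but display name claims '{name}'")
    # Display names that carry a different address than the real one
    m = re.search(r"[\w.+-]+@[\w.-]+", display)
    if m and m.group(0).lower() != addr.lower():
        findings.append(f"display name shows {m.group(0)} but message is from {addr}")
    return {"display": display, "address": addr, "findings": findings}


if __name__ == "__main__":
    for hdr in ['"MetaMask Support" <support@metamask-verify.com>',
                '"DHL Express" <notify@yahoo.com>',
                'Account Team <team@paypa1.com>',
                '"support@metamask.io" <alerts@secure-update.xyz>']:
        print(hdr, "->", analyze_sender(hdr)["findings"])
```

Feed it the raw From header as it appears in the email source. The registrable-domain helper takes the last two labels, which is wrong for suffixes such as co.uk; use a public-suffix list in production.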
Generic Greetings
Phishing emails often use generic greetings like "Dear Customer", "Hi", "Hello" instead of addressing you by your name. Legitimate organizations usually personalize their emails.
Urgent or Threatening Language
Phishing mails often create a sense of urgency or use threatening language to prompt quick action. They may claim that your account will be suspended unless you act immediately.
Email from Co-worker/CEO
Emails from co-workers requesting confidential information, or from the "CEO" asking for an urgent transfer of a large sum to an unfamiliar account, are widely seen business email compromise (BEC) tactics and have caused huge financial loss and reputational damage to companies around the world. Such mails often contain no link or attachment at all, so the content itself is the only indicator.
Gift Lures/Shipment mails
Phishing emails may entice recipients with promises of free gifts or prizes to lure them into clicking malicious links or providing personal information. Legitimate organizations typically don't randomly give away gifts via email. Another very common tactic is the shipment mail (DHL, FedEx etc.) asking you to click a link that leads to a look-alike website where you are asked to enter personal and payment information.
Spelling and Grammar Errors
Phishing mails might contain spelling and grammar mistakes. However, this indicator is becoming less reliable as attackers use generative AI to produce clean copy; the absence of errors proves nothing.
Fraudulent Email Attachments
Various patterns are seen in phishing attachments. The most common are invoices for items or services you never purchased. More recently, QR codes have been used, either as an image attachment or inline in the body: the malicious link is encoded inside the image, so URL-based filters that only inspect text and HTML never see it, and the victim scans it with a phone that is usually outside corporate controls. Another tactic is an attachment that appears to be a PDF but is in fact an image with an embedded link (or a PDF whose only content is a clickable image); clicking it redirects the victim to a credential-harvesting website. The real type of a file is determined by its first bytes, not by its extension, icon or declared Content-Type, and the three should be compared.
Email Body Analysis Tools
Now, let’s explore some powerful tools which can be used to effectively analyze email body.
CyberChef
CyberChef is an awesome tool with a myriad of features and an essential component of a SOC analyst's toolbox. It can encode, decode, format and parse data, encrypt, decrypt, compress, extract data, defang URLs and much more. For an email body, "Extract URLs" is a very handy operation that lists every URL in the input. Best practice is to feed the full email source (the raw message: headers plus the MIME body, as exported by "Show original" or "View source" in the mail client) rather than the rendered mail. There may be many hidden URLs (for eg. tracking pixels, or links whose visible text differs from the real href) that are not visible in the rendered view. One caveat: body parts are usually transfer-encoded, so run "From Quoted Printable" or "From Base64" on the relevant part first; otherwise a long URL split across a quoted-printable soft line break is extracted truncated, and a base64-encoded HTML part yields nothing at all.
Go to CyberChef web app. From the "Operations" section, select "Extract URLs" and drag to the "Recipe" section.
Copy the text from the email source and paste in the "Input" section. Now, click on "BAKE!" to view the output.
The "Output" section shows all the extracted URLs from the email source.
Similarly, the "Extract domains" operation lists all the domains in the mail body, and "Defang URL" rewrites them (hxxp, [.]) so they cannot be clicked by accident when pasted into a ticket or report.
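The same extraction in Python, as an added example that is not part of the article: it parses the raw email source, decodes each text part (quoted-printable or base64) before scanning, unescapes HTML entities, and returns every URL together with the MIME part it was found in, plus the domain list and a defanged form. The message it builds is constructed for the demonstration and its domains are not real; the comparison with a scan of the undecoded source shows why decoding first matters.

```python
"""URL and domain extraction from a raw .eml (added example; sample mail is constructed)."""
import email
import html
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s<>\"'()\[\]]+")

# Constructed lure URL; the domain is not real.
SAMPLE_URL = ("https://metamask.io.kyc-verify.example/login"
              "?user=victim@example.com&token=0123456789abcdef")


def build_sample() -> bytes:
    """Constructed message: a quoted-printable text part and a base64 HTML part,
    the two encodings that hide URLs from a naive scan of the raw source."""
    msg = EmailMessage()
    msg["From"] = '"MetaMask Support" <support@metamask-verify.example>'
    msg["To"] = "victim@example.com"
    msg["Subject"] = "KYC verification required"
    msg.set_content("Dear User,\n\nVerify your wallet at " + SAMPLE_URL +
                    " within 24 hours or it will be suspended.\n",
                    cte="quoted-printable")
    msg.add_alternative(
        '<html><body><p>Dear User,</p><p><a href="' + SAMPLE_URL.replace("&", "&amp;") +
        '">https://metamask.io/kyc</a></p>'
        '<img src="https://track.kyc-verify.example/open.gif?id=42" width="1" height="1">'
        "</body></html>",
        subtype="html", cte="base64")
    return msg.as_bytes()


def extract_urls(text: str) -> list:
    """All URLs in the text, in order of first appearance, trailing punctuation removed."""
    seen = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:!?")
        if url not in seen:
            seen.append(url)
    return seen


def urls_from_message(raw: bytes) -> dict:
    """Map each URL to the content types of the MIME parts it was found in."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()  # undoes quoted-printable/base64 and the charset
        if part.get_content_subtype() == "html":
            text = html.unescape(text)  # &amp; -> & inside href values
        for url in extract_urls(text):
            found.setdefault(url, []).append(part.get_content_type())
    return found


def domains(urls) -> list:
    return sorted({h for h in (urlsplit(u).hostname for u in urls) if h})


def defang(url: str) -> str:
    """Simple defang in the CyberChef style: http -> hxxp, dots bracketed."""
    if url.lower().startswith("http"):
        url = "hxxp" + url[4:]
    return url.replace(".", "[.]")


if __name__ == "__main__":
    raw = build_sample()
    print("naive scan of raw source:", extract_urls(raw.decode("ascii", "replace")))
    for url, parts in urls_from_message(raw).items():
        print(defang(url), parts)
    print("domains:", domains(urls_from_message(raw)))
```

The naive scan returns the text-part URL cut off at the soft line break and misses the HTML part entirely, including the 1x1 tracking pixel; the decoded scan returns all three URLs.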
URLscan.io
URLscan.io is a free service to scan and analyze websites. According to the urlscan.io website, "When a URL is submitted to urlscan.io, an automated process will browse to the URL like a regular user and record the activity that this page navigation creates. This includes the domains and IPs contacted, the resources (JavaScript, CSS, etc) requested from those domains, as well as additional information about the page itself. Urlscan.io will take a screenshot of the page, record the DOM content, JavaScript global variables, cookies created by the page, and a myriad of other observations."
Go to urlscan.io and paste the suspicious URL. From Options, select the preferred "Visibility": Public, Unlisted or Private (check the urlscan.io documentation for details). Start the scan. Note that Public scans are visible to anyone, including the attacker; use Unlisted or Private when the URL contains a recipient identifier (an email address or token in the query string) or when tipping off the attacker is a concern.
urlscan.io browses to the URL from its own infrastructure and provides a screenshot of the landing page. Further details such as the IPs contacted by the page, their locations, DNS information and the redirect chain are displayed, so the final destination is revealed without your own browser ever touching it.
VirusTotal/Cisco Talos/AbuseIPDB
VirusTotal, Cisco Talos and AbuseIPDB are popular reputation services for domains, URLs and IPs. The IPs and domains obtained from the previous tools can be checked there for a more detailed analysis. The reputation of an attachment can be checked by computing its hash (SHA-256) and searching for it in VirusTotal or Cisco Talos. Search by hash first: uploading the file itself shares it with every VirusTotal subscriber, which matters if the attachment contains internal data. Also remember that a clean result proves little for a fresh sample nobody has submitted yet.
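As an added example, not the article's own tooling, the Python script below pulls each attachment out of a raw message, hashes it for a VirusTotal or Talos search, and compares the file's leading bytes with its extension and declared Content-Type, which catches the image-delivered-as-PDF and double-extension tricks described under Fraudulent Email Attachments. The message and the file contents are constructed for the demonstration; the signature table covers only a handful of common types.

```python
"""Attachment triage: hashes plus magic-byte vs extension checks (added example)."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Leading bytes of common file types (public, well-documented signatures)
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),                          # also docx/xlsx/pptx/jar
    (b"MZ", "exe"),                                  # Windows PE executable
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls/.msi
    (b"{\\rtf", "rtf"),
]
EXT_KIND = {"pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
            "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
            "exe": "exe", "scr": "exe", "doc": "ole", "xls": "ole", "msi": "ole", "rtf": "rtf"}
DECLARED_KIND = {"application/pdf": "pdf", "image/png": "png", "image/jpeg": "jpeg",
                 "image/gif": "gif", "application/zip": "zip"}
DANGEROUS_EXT = {"exe", "scr", "js", "vbs", "hta", "lnk", "iso", "img", "bat", "cmd", "ps1", "jar", "msi"}

# Constructed attachments: (maintype, subtype, bytes). None of these is real malware.
SAMPLE_FILES = {
    "Invoice_4471.pdf": ("application", "pdf", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),  # PNG sent as PDF
    "Statement.pdf.exe": ("application", "octet-stream", b"MZ\x90\x00" + b"\x00" * 60),  # PE with double extension
    "Receipt.pdf": ("application", "pdf", b"%PDF-1.4\n% minimal placeholder body\n%%EOF\n"),
}


def build_sample() -> bytes:
    msg = EmailMessage()
    msg["From"] = "billing@invoices.example"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please find the attached invoice.")
    for name, (maintype, subtype, data) in SAMPLE_FILES.items():
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


def sniff(data: bytes):
    """File kind from the leading bytes, or None if unknown."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyze_attachment(filename, declared_type, data: bytes) -> dict:
    name = (filename or "").lower()
    labels = name.split(".")
    ext = labels[-1] if len(labels) > 1 else ""
    real = sniff(data)
    findings = []
    if ext in DANGEROUS_EXT:
        findings.append(f"dangerous extension .{ext}")
    if len(labels) > 2 and labels[-2] in EXT_KIND:
        findings.append(f"double extension ({name}) disguising a .{ext} file")
    expected = EXT_KIND.get(ext)
    if real and expected and real != expected:
        findings.append(f"extension .{ext} but content is {real}")
    declared = DECLARED_KIND.get((declared_type or "").lower())
    if real and declared and real != declared:
        findings.append(f"declared {declared_type} but content is {real}")
    return {"filename": filename, "declared_type": declared_type, "sniffed": real,
            "size": len(data), "sha256": sha256_hex(data), "findings": findings}


def analyze_message(raw: bytes) -> list:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [analyze_attachment(p.get_filename(), p.get_content_type(), p.get_payload(decode=True))
            for p in msg.iter_attachments()]


if __name__ == "__main__":
    for r in analyze_message(build_sample()):
        print(r["filename"], r["sha256"][:16], r["sniffed"], r["findings"])
```

Paste the SHA-256 values into the VirusTotal or Talos search box; the findings list is what you would look at before deciding whether detonating the file in a sandbox (dynamic analysis) is warranted.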
Sample Analysis 1
Now that we've gone through the suspicious indicators in an email body and the tools that help with the analysis, let's analyze a sample body from a suspicious mail.
The email pretends to come from the FBI and talks about an "imaginary" fund the recipient is entitled to. Let's go through the indicators one by one (for each point, refer to the numbering in the screenshot):
1. The email starts with the generic greeting "Dear Beneficiary", a common sign of mass phishing campaigns targeting a large number of people.
2. A gift lure to the tune of $1,200,000 is mentioned to entice the user. (Logic doesn't always apply when free money comes into the picture!)
3. Spelling and grammatical errors are present.
4. Urgency is created by stating that the contract with DHL will expire in 2 weeks.
5. The recipient is asked to pay a fee to receive the shipment. This advance-fee demand is a very common indicator in phishing mails.
6. A telephone and WhatsApp number are given for the user to call back. This is known as Telephone-Oriented Attack Delivery (TOAD): the email itself contains no malicious link or attachment, so link and attachment scanners have nothing to flag; instead its content creates fear or urgency that pushes the victim to call an attacker-controlled number. Over the phone the attacker extracts credentials, demands payment, or talks the victim into installing remote-access software or other malware.
From the above indicators, it's clear that the email has nothing to do with the FBI!!
Sample Analysis 2
The above email pretends to come from MetaMask and asks the recipient to complete KYC to avoid suspension of their cryptocurrency wallet. Let's go through the indicators one by one (for each point, refer to the numbering in the screenshot):
1. The sender email address is suspicious. It is not a MetaMask address but a totally different domain.
2. The generic greeting "Dear User" is used.
3 & 4. Fear and urgency are created by stating that the user's wallet is about to be suspended and that they must immediately complete KYC verification. This is a fraudulent attempt to obtain the victim's confidential information.
5. A URL is shown which appears to point to the official MetaMask website. Hovering over the link, however, reveals a different destination. (Hovering does not always help: the href may be a URL shortener or an open redirect on a legitimate site, and on mobile clients there is nothing to hover over.) The real link is always present in the HTML source of the email, in the href attribute of the anchor tag, whereas the text between the tags is whatever the attacker wants you to see.
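An added example (not from the original post) that automates the hover check over the HTML source: it collects every anchor, extracts any domain that appears in the visible link text, and compares it with the registrable domain of the href; links routed through a URL shortener are flagged separately because their destination cannot be judged without following them. The HTML fragment is constructed to resemble the MetaMask lure, its domains are not real, and the shortener list is a small assumption.

```python
"""Visible link text vs real href (added example; HTML fragment is constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = """
<p>Dear User, your wallet will be suspended unless you complete KYC at
<a href="https://metamask.io.kyc-verify.example/login?u=victim%40example.com">https://metamask.io/kyc</a>
within 24 hours.</p>
<p>Need help? <a href="https://metamask.io/support">Contact support</a></p>
<p>Mobile users: <a href="https://bit.ly/3xAmPle">metamask.io</a></p>
<p>Privacy policy: <a href="https://www.example.com/privacy">https://example.com/privacy</a></p>
"""

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rebrand.ly"}  # assumed list
# A hostname, optionally preceded by a scheme, inside the visible text
HOST_RE = re.compile(r"(?i)\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list in this example."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_links(html: str) -> list:
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    results = []
    for href, text in collector.links:
        href_host = (urlsplit(href).hostname or "").lower()
        match = HOST_RE.search(text)
        text_host = match.group(1).lower() if match else None
        verdicts = []
        if href_host and registrable(href_host) in SHORTENERS:
            verdicts.append(f"shortener {href_host} hides the real destination")
        if text_host and href_host and registrable(text_host) != registrable(href_host):
            verdicts.append(f"visible text claims {text_host} but href goes to {href_host}")
        results.append({"href": href, "text": text, "verdicts": verdicts})
    return results


if __name__ == "__main__":
    for r in check_links(SAMPLE_HTML):
        print(r["text"], "->", r["href"], r["verdicts"] or "ok")
```

Only links whose visible text names a domain can be contradicted; "Contact support" carries no claim, so it gets no verdict even though its destination still deserves a look in urlscan.io.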
The original link observed is:
On analyzing the link in urlscan.io, we uncover more details.
The effective URL (the page reached after redirection from the initial URL) is on the domain spartan[.]inow[.]vn. The screenshot shows "page can't be found". This is typical of phishing websites, which are created and removed within a short span of time: they are taken down by hosting providers, security vendors or law enforcement, or by the attackers themselves once their objective is met. In this case it would have been a page masquerading as the official MetaMask website, asking the user to enter their MetaMask wallet details in order to complete KYC verification. Once the details are entered, such pages typically show an "incorrect details" or "username or password incorrect" error, while in the background the credentials have already been sent to the threat actor. Other kits redirect the victim to the genuine website after capturing the credentials, so the victim sees a normal login and suspects nothing; the background activity is the same.
Not many details are available about the domain, but the related IP 103[.]57[.]222[.]17 is flagged as malicious by VirusTotal. The IP is located in Hanoi, Vietnam and belongs to "iNET Media Company Limited" according to WHOIS. Keep in mind that an IP verdict is weaker evidence than a domain or URL verdict, since shared hosting places many unrelated sites behind one address.
These details clearly indicate that this is a phishing mail from a malicious entity and is not from MetaMask.
So, that's it for email body analysis. Next up is Part 2 - Email Header Analysis!!!