How to Analyze a Phishing Mail Part 3 - Dynamic Analysis
- Anand R Menon
- Dec 7, 2023
- 4 min read

In Parts 1 and 2, we covered two areas within static analysis of a phishing mail. In this final part, we're moving on to Dynamic Analysis, where we execute and interact with the malware embedded in malicious mails.
What is Email Dynamic Analysis?
Dynamic analysis of phishing mails is used to examine and understand the behavior of phishing emails in real time. Dynamic analysis involves studying the behavior of an email when it is opened or interacted with, as opposed to static analysis, which examines the email's content and code without executing it.
Here are some key aspects of phishing email dynamic analysis:
Behavior Monitoring
Analysts observe the behavior of the email when opened or interacted with, including any attempts to connect to external servers, download malicious content, or execute malicious scripts.
Sandboxing
Phishing emails are often analyzed in a controlled environment known as a sandbox. Sandboxing involves running the email in an isolated environment to monitor its actions without risking harm to the actual system.
Code Execution Analysis
Analysts examine any scripts or code embedded in the email to understand their purpose and potential malicious activities. This includes looking for attempts to exploit vulnerabilities or execute malicious commands.
Payload Analysis
If the email contains attachments, dynamic analysis involves examining the payload (e.g., malicious files, documents, or executables) to understand their functionality and potential impact on the system.
Dynamic URL Analysis
If the email includes hyperlinks, dynamic analysis involves checking the behavior of these URLs when clicked, including redirection to malicious sites or attempts to download malicious content.
Malware Detection
Dynamic analysis helps identify and detect any malware associated with the phishing email. This can include traditional malware or more sophisticated types such as ransomware.
Dynamic Analysis Tools
Let's explore some effective tools that can be used to perform dynamic analysis on phishing mails.
Virtual Machines
Virtual machines hosted on personal devices are one of the preferred ways of analyzing malware. You can use the virtualization vendor of your choice (e.g. VirtualBox, VMware). For the OS, it is suggested to use Linux as the host OS and Windows as the guest OS. Most malware targets Windows, so it is the best choice of guest OS for successfully simulating a malware infection. Also, since the host OS is Linux, Windows-targeted malware will generally be ineffective even if it escapes the guest OS into the host.
ANY.RUN
ANY.RUN is one of the leading online malware sandbox solutions on the market. The advantage of ANY.RUN is that it is fully interactive: suppose an Excel file needs to be uploaded and macros then need to be enabled within the file to activate the malware; all of that can be performed safely within ANY.RUN's online virtual machine. There are also many customization options for the online VM, such as OS version, browser and network. The free version has some limitations, to name a few: a time limit of 1 minute with a maximum of 4 extra minutes, public tasks only (which means all browsed data will be public), and Windows 7 as the only available OS.
SquareX
SquareX is a revolutionary cybersecurity tool with multiple features such as a disposable browser, a disposable file viewer and disposable email. Using SquareX is as simple as opening a new tab in your browser: open their browser extension or web app, spin up the disposable browser or file viewer and start analyzing the malicious URL or attachment you're after. Each session lasts 10 minutes and can be extended by another 10 minutes any number of times.
Browserling
Browserling is an online cross-browser testing tool that can be used as a URL sandbox. Enter the suspicious URL to be analyzed, select the OS, browser and browser version of your choice and proceed. The free version is limited to Windows 10, a 3 minute time limit, and so on.
Sample Analysis
Now, let's perform a sample analysis of a malicious mail with one of the dynamic analysis tools discussed above.
The email pretends to come from Amazon support and claims that an "imaginary" card associated with the recipient's Prime membership is no longer valid and that the card details need to be updated. The email uses an urgency tactic by stressing that the update must be done within 1 day. It further directs the recipient to open the email attachment for details.
We've downloaded the .docx attachment to a VM and, for further protection, we're using the ANY.RUN sandbox to open the attachment and view its details.
The document contains similar information to the email body. Two URLs have been included for updating the ("imaginary") card details. When we hover over both links, it's clear that they are the same and direct to "qrco[.]de/beGfog", which is a QR code generator website. We click the link and it opens in a browser within the ANY.RUN sandbox.
The webpage states that "The QR Code Campaign has been disabled for some reason". This indicates that the page previously hosted a QR code which, when scanned, might have taken the victim to an attacker-controlled website set up to steal the victim's credentials. The malicious website may later have been taken down by law enforcement or deleted by the attacker, which would explain why the QR code has been disabled.
Finally, we've covered the various ways of analyzing phishing mails. The evolution of phishing has taken a concerning turn with the incorporation of AI, enabling attackers to create more convincing and adaptive phishing campaigns. Highly sophisticated phishing, despite its complexity, has become easily accessible due to the widespread availability of phishing kits and phishing-as-a-service offerings on the dark web, allowing cybercriminals to orchestrate attacks with minimal technical expertise. But the fact is that however sophisticated a phishing attempt is, there will still be some loopholes that help uncover the threat, as with any criminal act. It is imperative for cybersecurity professionals to master diverse methods of analyzing phishing mails rather than relying solely on grammatical errors or hovering over links. Such knowledge will empower even an ordinary end user of the internet to make informed decisions by correctly identifying phishing threats without seeking external assistance.