Let’s start by answering what the indicators within an email are. So, you got an email, and your invisible cyber security senses are tingling. Something looks off…but how do we determine whether it really is malicious or not? Let’s explore what type of information is available in a received email.
Key Indicators to Analyze:
Sender’s Address: Attackers can manipulate the sender’s address to make it look trustworthy or legitimate.
Subject: Having the subject line makes it easier to observe campaigns targeting an organization. Later on we will discuss how you can use this information to find all recipients of a malicious email and take action collectively.
Sender IP Address: It helps determine whether the sender’s address is being spoofed. We will later look at how you can use SPF and reverse IP lookup tools to determine this. One thing to note here is that some organizations use Email Secure Gateways. For example, their inbound email flow might look like the following: Internet > ProofPoint > Outlook. If this is the case, at first glance you might see a ProofPoint IP address as the sender’s IP address, but that is not what we are looking for. We might have to go a layer in and analyze ProofPoint logs to determine the true sender IP address, since in this case an inbound email is first delivered to ProofPoint and then proceeds to Outlook, into the user’s inbox.
Reply-To Address: An attacker might enter their personal email or any email they have access to in this field. This way, they will receive any reply to this email right in their own mailbox. This can be especially obvious if the Reply-To address uses an @outlook.com, @hotmail.com, or @gmail.com domain.
Date & Time: As for every type of investigation, this is a crucial artifact that needs to be collected every time.
Attachment name & extension: Some security tools like DLPs and XDRs can block executables and other specified file extensions from being received, and also from being sent. Some attachments can look especially suspicious if they are not a .pdf, .doc, .xls, etc. But it is very important to remember that most attacks do use exactly those document types in the first place. If such a document has embedded macros, they execute as soon as the user enables them with a click of a button. More modern phishing attacks utilize DocuSign and SharePoint files. In summary, be vigilant and never assume something is safe without doing your investigation when it comes to phishing. We will look more into some tricks when it comes to investigating these documents.
Hash Value: Obtaining the hash value makes it easy to check the origin of the file. Especially if the file is impersonating a legitimate file, a simple hash value look-up on VirusTotal can help you reveal it.
URLs: Probably one of the most important pieces to investigate, but one that also requires GREAT CAUTION. You never want to click these links. Instead, we will later see how we can use OSINT to reveal what is behind the URL. Of course, some modern security tools will just sandbox it for you as well, and using that you can also investigate the website. One common thing to watch for is that attackers like to tweak legitimate URLs slightly to trick users into thinking it is a safe destination.
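As an added example (not code from the original post), here is a small Python triage script that pulls these indicators out of a raw .eml using only the standard library: the true sender IP behind the gateway hop rather than the gateway itself, a Reply-To domain that differs from the From domain, attachment names and SHA-256 hashes ready for a VirusTotal look-up, and the URLs in the body, without opening the attachment or visiting any link. The gateway hostnames, addresses, IPs and the sample message are all constructed for this example.

```python
import hashlib
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed: our own mail path (gateway, then mailbox server). A hop "from" one of these is our infrastructure, not the sender.
INTERNAL_HOPS = {"mx.gateway.example", "outlook.example"}
ATTACHMENT_BYTES = b"abc"  # constructed stand-in for an attachment payload

def build_sample() -> bytes:
    """Constructed sample message carrying the indicators discussed above."""
    msg = EmailMessage()
    msg["From"] = "Finance <finance@company.example>"
    msg["Reply-To"] = "finance.company@gmail.com"  # replies would leave the organisation
    msg["Subject"] = "Urgent: invoice approval"
    msg["Date"] = "Mon, 01 Jan 2024 09:15:00 +0000"
    # Each hop prepends a Received header: top = gateway -> Outlook; below it = the hop the gateway accepted from the real sender.
    msg["Received"] = "from mx.gateway.example (203.0.113.10) by outlook.example; Mon, 01 Jan 2024 09:15:02 +0000"
    msg["Received"] = "from mail.unknown.example (198.51.100.7) by mx.gateway.example; Mon, 01 Jan 2024 09:15:01 +0000"
    msg.set_content("Please approve: https://company.example.verify-login.example/invoice")
    msg.add_attachment(ATTACHMENT_BYTES, maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()

def triage(raw: bytes) -> dict:
    """Pull the indicators out of a raw .eml without opening attachments or visiting links."""
    msg = message_from_bytes(raw, policy=default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    from_domain = from_addr.rpartition("@")[2]
    sender_ip = None  # walk hops top-down; the first hop not from our own servers is the true sender
    for hop in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)", str(hop))
        if m and m.group(1) not in INTERNAL_HOPS:
            sender_ip = m.group(2)
            break
    attachments, urls = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:  # hash the bytes for a VirusTotal look-up; flag double extensions such as .pdf.exe
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            attachments.append({"name": name, "sha256": digest, "double_ext": name.count(".") > 1})
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))
    return {"from": from_addr, "reply_to": reply_to, "sender_ip": sender_ip,
            "reply_to_mismatch": bool(reply_to) and reply_to.rpartition("@")[2] != from_domain,
            "subject": str(msg["Subject"]), "date": str(msg["Date"]),
            "attachments": attachments, "urls": urls}
```

Running `triage(build_sample())` reports 198.51.100.7 as the sender IP (the hop behind the gateway, not the gateway's 203.0.113.10) and flags the Reply-To mismatch and the double extension.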
Next, we will learn how to perform investigations in the investigating suspicious emails section. Our best friend during these investigations will be various OSINT (Open Source Intelligence) tools.