Phishing Email Analysis

 Introduction to Phishing

A phishing attack is an attack that aims to steal the user's personal data, generally by getting the user to click on malicious links delivered via email or to run malicious files on their computer.

Phishing attacks correspond to the "Delivery" phase of the Cyber Kill Chain model, which was created to analyze cyber attacks. The delivery stage is the step in which the attacker transmits the previously prepared harmful content to the victim systems / people.

Attackers generally use lures such as "you have won a gift", "do not miss the big discount" or "if you do not click on the link in the mail your account will be suspended" to direct users to click on the links in the mail.

Of course, stealing the user's password is not the only purpose of the attack. The purpose of such attacks is to exploit the human factor, the weakest link in the chain. Attackers use phishing attacks as the first step to infiltrate systems.

Information Gathering:


Attackers can send emails on behalf of someone else, because email does not necessarily have an authentication mechanism. Using the technique called spoofing, attackers send mail on behalf of someone else to make the user believe that the incoming email is reliable. Several protocols have been created to prevent email spoofing. With the help of the SPF, DKIM and DMARC protocols, it can be understood whether the sender's address is fake or real. Some mail applications do these checks automatically. However, the use of these protocols is not mandatory, and in some cases they can cause problems.

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting and Conformance (DMARC)

To find out manually whether the mail is spoofed or not, the SMTP address of the mail (the IP address of the server that delivered it) should be learned first. The SPF, DKIM, DMARC and MX records of the domain can be looked up using tools such as MxToolbox. By comparing this information, it can be learned whether the mail is spoofed or not.

Since large institutions that use their own mail servers will own the IP addresses of those servers, you can check whether the SMTP address belongs to that institution by looking at the whois records of the SMTP IP address.

An important point here is that even if the sender address is not spoofed, we cannot say the mail is safe. Harmful mails can be sent on behalf of trusted persons by hacking corporate / personal email accounts. This type of cyber attack has already happened, so this possibility should always be considered.
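The SPF comparison described above can be done by hand on MxToolbox, but it helps to see what the check actually computes. The following is an added example written for this article, not code from the article or from any tool it mentions. It evaluates an SPF record against the SMTP IP that delivered the mail; the domains, addresses and the DNS answers in FAKE_DNS_TXT are all constructed stand-ins, and only the ip4, ip6, include and all mechanisms are handled (a, mx and exists would need live DNS).

```python
import ipaddress

# Constructed stand-in for DNS TXT answers. In a real check you would query
# the domain's TXT records with a resolver (or look them up on MxToolbox).
# None of these domains or addresses are real.
FAKE_DNS_TXT = {
    "example-corp.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.test -all",
    "_spf.mailprovider.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into its terms, dropping the 'v=spf1' version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return terms[1:]


def spf_check(domain, ip, resolver=FAKE_DNS_TXT, depth=0):
    """Evaluate the domain's SPF record against the SMTP IP that delivered the mail.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (too many nested includes). Only ip4/ip6/include/all are
    handled; a/mx/exists need live DNS and are skipped here (assumption).
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms per check
        return "permerror"
    record = resolver.get(domain.lower())
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in parse_spf(record):
        qualifier = "+"  # a mechanism without an explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # membership is False for a version mismatch (v4 address vs v6 network)
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                matched = False
        elif mech == "include":
            # include: matches only when the referenced domain's record passes
            matched = spf_check(arg, ip, resolver, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present


def smtp_ip_is_authorized(from_domain, smtp_ip, resolver=FAKE_DNS_TXT):
    """True only when SPF explicitly passes for that delivering IP."""
    return spf_check(from_domain, smtp_ip, resolver) == "pass"


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(ip, "->", spf_check("example-corp.test", ip))
```

A "fail" result for the SMTP IP found in the earliest Received header is strong evidence of spoofing; a "pass" only means the server was authorized to send for that domain, which, as the paragraph above notes, says nothing about whether the account behind it was compromised.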

E-mail Traffic Analysis:

Many parameters are needed when analyzing a phishing attack. By searching the mail gateway with the following parameters, we can learn the size of the attack and the target audience.

  • Sender address
  • SMTP IP address
  • Sender domain (besides the gmail account, the attacker may also have sent from a hotmail account)
  • Subject (the sender address and SMTP address may be constantly changing)

In the search results, besides the number of mails, it is necessary to learn the recipient addresses and time information. If harmful e-mails are constantly sent to the same users, their e-mail addresses may have leaked in some way and been shared on sites such as PasteBin.

Attackers can find email addresses with the theHarvester tool on Kali Linux. It is recommended that such information not be shared openly, as keeping personal mail addresses on websites is a potential attack vector.

What is an Email Header and How To Read Them?

In this section, we will explain what the header information in an email is, what can be done with this information and how to access it. It is important to follow this section carefully, as we will explain how to perform the header analysis in the next section.

What is an Email Header? 

"Header" is basically a section of the mail that contains information such as sender, recipient and date. In addition, there are fields such as "Return-Path", "Reply-To", and "Received". Below you can see the header details of a sample email.

Spam blocker - It is possible to detect spam emails using header analysis together with various other methods. This protects people from receiving spam emails.

How to Access Your Email Header? 


1- Open the relevant e-mail 
2- Click on the three dots "..." at the top right
3- Click on the "Download message" button.
4- Open the downloaded file with the ".eml" extension in any text editor (notepad) application


1- Open the relevant e-mail 
2- File - > Info -> Properties - > Internet headers

Important Sites to analyze Email Header:

Here are the key questions we need to answer when checking headers during a phishing analysis:

  • Was the email sent from the correct SMTP server? 
  • Are the "From" and "Return-Path / Reply-To" data the same?
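Both questions can be answered from a downloaded .eml file with Python's standard email module. The example below is added for this article and is not the article's own code; SAMPLE_EML is a constructed message (invented domains and addresses) whose visible From claims one domain while Return-Path and Reply-To point to another, and whose earliest Received hop carries an unrelated IP. Each hop prepends its own Received header, so the bottom-most one is the earliest we can see and the one whose IP should be looked up.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (no real addresses or servers).
SAMPLE_EML = """\
Return-Path: <bounce@mailer-bulk.test>
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.5])
\tby inbound.example-corp.test with ESMTP id abc123
\tfor <victim@example-corp.test>; Mon, 1 Jan 2024 09:00:00 +0000
Received: from unknown (HELO mail.example-bank.test) (198.51.100.77)
\tby mx.example-corp.test with SMTP; Mon, 1 Jan 2024 08:59:58 +0000
From: "Example Bank Security" <security@example-bank.test>
Reply-To: support@mailer-bulk.test
To: victim@example-corp.test
Subject: Your account will be suspended
Date: Mon, 1 Jan 2024 08:59:00 +0000
Message-ID: <constructed-0001@example-bank.test>
Content-Type: text/plain; charset=utf-8

Click the link below within 24 hours to keep your account active.
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def received_chain(msg):
    """All Received headers, top (latest hop) to bottom (earliest hop)."""
    return [str(h) for h in (msg.get_all("Received") or [])]


def originating_ip(msg):
    """First IPv4 literal in the earliest Received header: the SMTP address to look up."""
    hops = received_chain(msg)
    if not hops:
        return None
    m = IPV4_RE.search(hops[-1])
    return m.group(1) if m else None


def header_findings(raw_eml):
    """Answer the two header questions: do the domains agree, and which server sent it?"""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    from_domain = domain_of(msg["From"])
    findings = {
        "from_domain": from_domain,
        "return_path_domain": domain_of(msg["Return-Path"]),
        "reply_to_domain": domain_of(msg["Reply-To"]),
        "originating_ip": originating_ip(msg),
        "hop_count": len(received_chain(msg)),
    }
    findings["return_path_mismatch"] = findings["return_path_domain"] != from_domain
    # Reply-To is optional; only a present, differing domain is a finding
    findings["reply_to_mismatch"] = bool(findings["reply_to_domain"]) and findings["reply_to_domain"] != from_domain
    return findings


if __name__ == "__main__":
    for key, value in header_findings(SAMPLE_EML).items():
        print(f"{key:22} {value}")
```

The originating_ip value is what you would then search on Talos, VirusTotal or AbuseIPDB and check against the From domain's SPF record. Note that Received headers below the first one your own gateway added can themselves be forged by the sender, so the trustworthy hop is the one your infrastructure recorded.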

Static Analysis 

It is a fact that mails composed only of plain text are boring. For this reason, mail applications provide HTML support, allowing the creation of mails that attract more of the user's attention. Of course, this feature has a disadvantage: attackers can create e-mails with HTML, hiding harmful URL addresses behind buttons / texts that seem harmless.

As seen in the image above, the address that the user sees can be different from the address that is opened when the link is clicked (the real address is shown when the link is hovered).
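Hovering works for one link at a time; when triaging a mail body you want the same check over every anchor. The following added example (written for this article, not taken from it) extracts each link's href and visible text with Python's HTMLParser and flags anchors whose text looks like an address on a host different from the one the href really points to. SAMPLE_HTML is a constructed body with invented domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body (no real sites): the first link shows the bank's URL as
# its text but points elsewhere; the other two are consistent.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Please visit <a href="http://login.attacker-example.test/verify?id=1">https://www.example-bank.test/login</a>
to keep your account active.</p>
<p>Questions? See <a href="https://www.example-bank.test/help">our help page</a>.</p>
<p>Or type <a href="https://www.example-bank.test/help">www.example-bank.test/help</a> into your browser.</p>
"""

# Visible text that "looks like" an address: optional scheme, dotted host, optional path
URL_LIKE_RE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so a text split across lines still compares cleanly
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, tolerating a missing scheme ('www.x.test/p' -> 'www.x.test')."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def find_deceptive_links(html):
    """Links whose visible text is an address on a different host than the real href."""
    suspicious = []
    for href, text in extract_links(html):
        if URL_LIKE_RE.match(text) and host_of(text) != host_of(href):
            suspicious.append({"shown": text, "actual": href, "actual_host": host_of(href)})
    return suspicious


if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_HTML):
        print(f"text shows {hit['shown']!r} but link goes to {hit['actual']!r}")
```

Plain-word link text ("our help page") is not flagged by this rule, because there is nothing to compare; those hrefs still go through the VirusTotal and sandbox steps described below.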

It is possible to find out whether antivirus engines detect a web address as harmful by searching the web addresses in the mail on VirusTotal. If someone else has already analyzed the same address / file on VirusTotal, VirusTotal does not analyze it from scratch; it shows you the old analysis result. This feature can work both to our advantage and to our disadvantage.

If the attacker searches the domain address on VirusTotal before putting harmful content on it, that address will appear harmless on VirusTotal, and if this goes unnoticed, you may mistakenly conclude that the address is harmless. In the image above, you can see that the address appears harmless, but if you look at the section marked with the red arrow, you will see that this address was searched 9 months ago, so the result shown is 9 months old. To have it analyzed again, the button marked with the blue arrow must be pressed. If the page was previously searched on VirusTotal, it may mean that the attacker wanted to see the detection rate of the site during the preparation phase. When we analyze it again, an antivirus engine detects it as phishing, which shows that the attacker made a move to trick analysts.

Performing static analysis of the files in the mail can reveal the capacity / capabilities of that file. However, since static analysis takes a long time, you can get the information you need more quickly with dynamic analysis.

Cisco Talos Intelligence has a search section where we can learn the reputation of IP addresses. By searching the SMTP address of the mail on Talos, we can see the reputation of the IP address and find out whether it is included in a blacklist. If the SMTP address is in a blacklist, it can be understood that the attack was made using a compromised server.

Likewise, the SMTP address can be searched on VirusTotal and AbuseIPDB to determine whether the IP address has previously been involved in malicious activities.

Dynamic Analysis 

Mails may contain URLs and files. These files and URL addresses need to be examined. You don't want your data stolen by hackers because you ran these files on your personal computer. For this reason, the websites and files in the mail should be run in sandbox environments, the changes made to the system should be examined, and it should be checked whether they are harmful or not.

If you want to quickly check the web addresses in the mail, you can view the content of the website using online browsers such as Browserling. The good thing about such services is that, since you do not open the web page on your own computer, you will not be affected by a possible zero-day vulnerability affecting browsers. The disadvantage of online browsers such as Browserling is that if a malicious file is downloaded from the site, you cannot run this file, so your analysis will be interrupted.

Before visiting the addresses in the mail, it should be checked whether there is important information in the address. When we examine the example in the image above, we see that when the user clicks on popularshoppingsite[.]com, the address actually visited is different, and the user's e-mail address is carried in the "email" parameter of that address. Even if the user does not enter his / her password on the phishing page, simply reaching this address tells the attacker that the link in the mail was accessed and that this user is valid. The attacker can increase the success rate of later attacks by carrying out social engineering attacks against the users found to be valid. For this reason, it is necessary to change information such as the e-mail address before accessing the addresses.
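The "change the e-mail address before visiting" step can be automated so the analyst never pastes the real link into a browser or sandbox. The example below is added for this article and is not the article's code; SAMPLE_URL is an invented link (the host and parameter names are constructed, only the "email" parameter idea comes from the text), and the base64-encoded copy of the address in the second parameter is an assumed variant included to show that a simple string search is not enough. Parameters that carry the recipient's address are replaced with a neutral placeholder and a sanitized URL is returned.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PLACEHOLDER = "analyst@example.invalid"  # neutral value substituted before visiting

# Constructed link as it might sit behind a "popularshoppingsite[.]com" lure.
# Host and parameter names are invented; the "u" parameter carries the same
# address base64-encoded (an assumed variant, not from the article).
SAMPLE_URL = (
    "http://account-check.attacker-example.test/login"
    "?email=victim@example-corp.test"
    "&u=" + base64.b64encode(b"victim@example-corp.test").decode()
    + "&campaign=jan01"
)


def decoded_email(value):
    """The e-mail address a parameter value carries (plain or base64), else None."""
    if EMAIL_RE.match(value):
        return value
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad alphabet, padding or not UTF-8
        return None
    return text if EMAIL_RE.match(text) else None


def query_params(url):
    """Decoded query parameters of a URL as an ordered dict."""
    return dict(parse_qsl(urlparse(url).query, keep_blank_values=True))


def find_identity_params(url):
    """Names of query parameters whose value is (or encodes) an e-mail address."""
    return [name for name, value in query_params(url).items() if decoded_email(value)]


def sanitize_url(url, placeholder=PLACEHOLDER):
    """Rewrite identity-bearing parameters so a visit does not confirm the real recipient."""
    parts = urlparse(url)
    rewritten = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.match(value):
            value = placeholder
        elif decoded_email(value):
            # keep the encoding the page expects, but with the placeholder inside
            value = base64.b64encode(placeholder.encode()).decode()
        rewritten.append((name, value))
    return urlunparse(parts._replace(query=urlencode(rewritten)))


if __name__ == "__main__":
    print("identity parameters:", find_identity_params(SAMPLE_URL))
    print("visit instead:", sanitize_url(SAMPLE_URL))
```

Opaque tokens that are neither an address nor base64 text (per-recipient IDs, for instance) are left untouched by this rule, so they still deserve a look before the sanitized URL goes into Browserling or a sandbox.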

You can examine suspicious files and websites in sandbox environments. When you examine files in these environments, you remove the risk of infecting your computer with malware. Many sandbox services / products are available, both paid and free. You can choose one or more of these services according to your needs.

A few commonly used sandboxes: 

  • VMRay 
  • Cuckoo Sandbox 
  • JoeSandbox 
  • AnyRun 
  • Hybrid Analysis (Falcon Sandbox)

The fact that there are no URLs or files in the mail does not mean that it is not harmful. The attacker can also send the content as a picture so as not to get caught by analysis products.

Additional Techniques 

Another technique attackers use is to perform phishing attacks using normally legitimate sites. Some of them are as follows.

Using services that offer cloud storage, such as Google and Microsoft

  • Attackers upload harmful files to the drive and try to get the user to click on Google / Microsoft drive addresses that seem harmless.

Using services that allow creating free subdomains, such as Microsoft, Wordpress, Blogspot, Wix

  • Attackers try to deceive security products and analysts by creating a free subdomain on these services. Since whois information cannot be looked up for a subdomain, it appears that these addresses were registered long ago and belong to institutions such as Microsoft or Wordpress.

Form applications 

  • Services are available that allow free form creation. Attackers use these services instead of creating a phishing site themselves. Since the domain is harmless under normal conditions, the mail can reach the user without being stopped by antivirus software. Google Forms is an example of these services. When looking at the whois information, the domain can be seen to be Google's, so the attacker can mislead analysts.
