How to spot and analyse a malicious Email
Malicious emails, and phishing emails in particular, are one of the greatest threats in cyber security. They target not only large enterprises, but also small businesses, individuals and everyone in between.
The reason for this lies in their simplicity, along with the methods attackers use to trick users into opening attachments, entering personal details and clicking on malicious links.
First, let's go through the common things to look out for which will help you spot malicious or suspicious emails. Then I will guide you through a few example emails and how to analyse them in depth.
How to spot a malicious email
There are a number of things you can look for to spot malicious emails. Most of these are fairly simple as long as you follow this tip: PAY ATTENTION. This might sound obvious, but the majority of phishing emails are clicked on by users who simply aren’t paying attention, whether due to tiredness, burnout or being distracted. Any time you get an email, look at it for the following things and follow these tips.
Spelling Mistakes / Bad Grammar
The first and most obvious sign that an email may be suspicious is spelling mistakes. A legitimate company will not make many spelling mistakes or grammatical errors. If there are a lot of spelling mistakes or if sentences don’t make sense, this should arouse suspicion. Look at the email below and the attachment name – Reveision.pdf – this is a very obvious example, however it is more common than you may think.
The email below is a very bad attempt at phishing and a very obvious example, which has more wrong with it than just the spelling.
From / To Email Addresses
As we can see in the above example, the From address at first glance is email@example.com. However, next to it we can see that the real sender is a blatantly suspicious address (firstname.lastname@example.org). If the Display Name – in this case email@example.com – does not match the sender address next to it, then this is another dead giveaway that the email is malicious.
Attackers can also try to make the From field appear legitimate. They do this by using addresses such as “Paypal@hotmail.com” and Google@gmail.com. Be extremely careful if the email address follows the format company@personalemail.*, as these are never legitimate.
Attackers can also spoof legitimate email addresses – this is called ‘Email Spoofing’ – so you cannot always trust that a From address is legitimate. However, it is a nice check to do quickly. I will cover how to spot email spoofing further down in the header analysis section.
Another thing to check is the To field, which here is firstname.lastname@example.org. The email was in fact sent to me and not to the above address, so this again highlights that the email is suspicious. The attacker in this case used that field to try and add more legitimacy to the email in order to trick me.
Next up, unexpected attachments. Most legitimate companies will not send you attachments out of the blue. Unless you are a technical user, I do not recommend trying to check whether the attachment is malicious or not. Instead, if you are unsure whether the attachment is legitimate, contact the company via their official contact page. If you cannot get a definitive answer telling you otherwise, then delete the email. Lots of malicious emails with unexpected attachments will also have the other suspicious characteristics I am mentioning here.
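As an added example (not code from the original post), the following Python check automates the three From/To red flags just described: a display name that is itself an address but differs from the real sender, a brand name sent from a free mail domain (the company@personalemail.* pattern), and a To field that does not name the mailbox that actually received the mail. The free-mail domain list, brand list and sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr, getaddresses

# Constructed lists for illustration; extend them for your own environment
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
BRAND_NAMES = {"paypal", "google", "amazon", "microsoft", "apple"}

def check_from_to(raw: str, my_address: str) -> list[str]:
    """Return warnings about the From/To headers of a raw message."""
    msg = message_from_string(raw)
    warnings = []
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")

    # Display name that is itself an address but not the real sender address,
    # e.g. "email@example.com" <firstname.lastname@example.org>
    if "@" in display and display.lower() != addr.lower():
        warnings.append(f"display name {display!r} hides real sender {addr!r}")

    # Brand name as the local part of a free mail account: the
    # company@personalemail.* pattern (Paypal@hotmail.com, Google@gmail.com)
    if domain in FREEMAIL_DOMAINS and local in BRAND_NAMES:
        warnings.append(f"brand {local!r} sent from free mail domain {domain!r}")

    # The To header names someone else, yet the mail landed in my mailbox
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    if my_address.lower() not in to_addrs:
        warnings.append(f"To header {sorted(to_addrs)} does not name the real recipient")
    return warnings

# Constructed sample modelled on the example screenshot discussed above
SAMPLE = """\
From: "email@example.com" <firstname.lastname@example.org>
To: firstname.lastname@example.org
Subject: Your purchase will automatically renew

Dear client,
"""
```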
The email also contains something else we can look out for – the language and words being used.
Language and words being used
In the screenshot above we can see the attackers using a commonly seen theme of fear and urgency.
“Your purchases will automatically renew unless you turn it off no later than 48 hours.” Firstly, they are telling victims that another payment will be taken. This is designed to trigger fear in victims, as in this case they will not want another 34.96 taken from their account. Any email that is deliberately instilling fear in you should arouse suspicion.
Secondly, the email states “No later than 48 hours”. This is trying to make the victim worry and rush into clicking on attachments or links. Any email content which sets a strict deadline for you to perform a task (enter details, click a link, open an attachment etc.) should make you question its legitimacy.
Another tactic commonly used by attackers in malicious emails is offering you something. Look at the above email – sounds a bit too good to be true? That’s because it is. Any email which appears to be offering you large sums of money, a prize or anything else should be treated with caution. Unless you have actually entered a competition and the email is legitimate, you really shouldn’t action these emails – delete them straight away. Don’t respond to the mail and don’t click on any links.
Also be aware of any emails where the content relates to a recent event – such as Covid-19. Attackers sadly prey on events like this to try and trick users into clicking links, sending personal information and so on. The email below is a very poor attempt at this, however there are also very convincing attempts out there. Just take extra caution when you receive any emails with content relating to a recent event or subject.
Not addressing you by name
Another way to spot suspicious emails is when the email does not greet you by name or use any other identifying details. Look above: “Dear client” – a legitimate PayPal email would never use this. Just a small thing to be aware of, but if a company usually greets you in a certain way and the email doesn’t match that, it is usually a red flag. At the bottom of the email we can also see a Verify to Paypal button – which is likely to be malicious – let’s take a look.
Links can come in many shapes and forms in malicious emails. Let’s start with the one above, where the link is embedded in a logo – a very common tactic to hide its true destination. Hovering over the link shows me that it actually points to https(:)//earlyjamessingingmysupper(.)com/KNumxMC. As predicted, not PayPal but a hijacked site. You can just delete the email, or continue reading to see how to scan the link.
If you do find a malicious link and want to find out more, you can go further and find out what it is doing. The link above has already been taken down, however, so let’s use another example. Take a look at this link. URLscan is a very useful free site for scanning URLs to see what they really are, along with providing a screenshot of the site. This link was part of a similar email to the one above, asking a user to log in to PayPal to resolve an issue. We can quickly tell this has nothing to do with PayPal itself.
What to check
There are a number of things to check. The submitted and effective URLs tell you what the connection appears to be and where the connection really went. The screenshot will show you what the page does, and the connections tab will show you all URLs, domains and IPs which were connected to. All of this information should give you a good picture of whether the link is legitimate or not. If you want to look into the link further, you can use the list of tools in my article here.
Within emails, links may also sit within a line of text or be embedded within an image. Watch out if you hover over an image and the whole image is a hyperlink. You will very rarely find this in legitimate emails, however attackers use it to make it more likely that victims will click.
You should now be able to effectively spot all the common indicators of a malicious email. I am now going to move on to how to analyse an email header. This is necessary when a phishing email is more sophisticated, or if you want to learn more about the email such as IOCs (Indicators of Compromise).
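As an added example (not code from the original post), this Python snippet pulls every link out of an HTML email body and reports the two tricks described above: a link whose real destination is outside the domain the email claims to be from, and an image that is entirely wrapped in a hyperlink. The sample HTML body, the hijacked-site.example domain and the IP address are constructed; `expected_domain` is the domain the email claims to come from.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkExtractor(HTMLParser):
    """Collect (href, visible text, wraps_an_image) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._cur = None          # link currently open, None outside <a>...</a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = {"href": a["href"], "text": "", "image": False}
        elif tag == "img" and self._cur is not None:
            self._cur["image"] = True    # the whole image is the hyperlink

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append((self._cur["href"], self._cur["text"], self._cur["image"]))
            self._cur = None

def suspicious_links(html: str, expected_domain: str) -> list[str]:
    """Describe every link whose real destination is outside expected_domain."""
    p = LinkExtractor()
    p.feed(html)
    findings = []
    for href, text, image in p.links:
        host = (urlparse(href).hostname or "").lower()
        if host == expected_domain or host.endswith("." + expected_domain):
            continue
        how = "whole image is a hyperlink" if image else f"link text {text!r}"
        findings.append(f"{how} -> {href} (host {host!r} is not under {expected_domain})")
    return findings

# Constructed HTML body modelled on the PayPal-themed email discussed above
SAMPLE_HTML = """
<p>Dear client,</p>
<a href="https://hijacked-site.example/login"><img src="paypal-logo.png"></a>
<p>Visit our <a href="https://www.paypal.com/help">help centre</a>.</p>
<p><a href="http://198.51.100.7/verify">Verify to Paypal</a></p>
"""
```

Each finding is the same information you would get by hovering over the link, but for every link in the message at once, which is handy when triaging a large mailbox.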
How to analyse an email header
An email has two parts. The part everyone sees and knows is called the body, and it is what it sounds like – the content of the email, such as the message and any included data. Then there is the header.
The header contains the subject line, recipient and sender, but it also includes all the background metadata about how the email was sent. Let’s get into how to view an email header and which of that metadata is useful to us when analysing an email.
To do this, we are going to use MXToolbox. It is a fantastic free site for analysing emails and it also has a useful guide on “How to Get Email Headers”. Before going any further, take a read of this and understand how to view the email header on your platform of choice. Now, on to actually analysing a header.
Firstly, take the header, copy it into the MXToolbox Email Header Analyzer and hit Analyze Header. This is going to give a lot of information, but there are some things we can concentrate on.
Time to Analyse!
Relay Information. This field takes data from the “Received” headers and is very important. It shows us the path the email took from the sender until it reached the recipient’s mailbox. The reason for its importance is that it shows us where the email really came from. Remember I mentioned email spoofing earlier? Well, this is the best way to check for it. The From field can be spoofed so easily that it is always important to check where an email really came from. This is worth checking in combination with the next point – SPF checks.
Any IPs or Domains which are found using this can be checked using tools listed here.
It is also worth noting the time the email took to reach you. If it took a long time after sending, this can be an indicator of spam or advertising.
Authentication Methods (SPF / DKIM)
Received-SPF. SPF – Sender Policy Framework – is an email authentication method which allows domain owners to specify which mail servers can send mail on their behalf. If this field shows SoftFail or Fail, it can be an indicator of a spoofed or suspicious email. This can produce some false positives, however, as some companies do not keep their SPF records up to date.
DKIM. This isn’t always pulled out well by MXToolbox, so just do a CTRL+F for DKIM and look inside the header. DKIM (DomainKeys Identified Mail) is a method of validating the authenticity of email messages. When each email is sent, it is signed using a private key and then validated on the receiving mail server (or ISP) using a public key published in DNS. This process verifies that the message was not altered in transit.
Most large enterprises should now have this set up and enabled and the field should show as Pass. If not, it either indicates the email has been tampered with, or the organisation does not have DKIM set up.
Return-Path. Used by mail servers to know where to send an email if it bounces or is blocked. In most cases this should match the sender address; if it doesn’t, it is likely either an advertising or a malicious email.
Reply-To. This field should really always be the same as the From address. If it isn’t, it is possible the attacker has modified the field to try and make the email look more legitimate.
X-Distribution. If this field shows as “Bulk” then it is highly likely the email is either Spam or Advertising.
X-Spam. This field gives the email a “spam score”. It is added to most emails as an indication of the likelihood of the sender being known for spam, and it is used by many mail gateways to filter mail. <5 = clean, >5 = possibly spam and >15 = definitely spam.
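As an added example (not code from the original post or from MXToolbox), this Python script performs the header checks from this section on a raw header block: it rebuilds the relay path from the Received headers (oldest hop first), and flags a SoftFail/Fail Received-SPF, a DKIM result other than pass in Authentication-Results, a Return-Path or Reply-To that differs from the From address, a Bulk X-Distribution, and a spam score above the thresholds given above. The exact header name X-Spam-Score is an assumption (gateways name this header differently), and the sample header block is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
def relay_chain(msg) -> list[str]:
    """Sending hosts, oldest hop first (each relay prepends its own Received header)."""
    chain = []
    for rcvd in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", rcvd)
        if m:
            chain.append(m.group(1) + (f" ({m.group(2)})" if m.group(2) else ""))
    return chain

def triage(raw: str) -> dict:
    """Return the relay chain plus a list of red flags for a raw message."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    flags = []
    spf = msg.get("Received-SPF", "")
    if re.match(r"\s*(soft)?fail", spf, re.I):              # SoftFail or Fail
        flags.append(f"SPF: {spf.split()[0]}")
    dkim = re.search(r"dkim=(\w+)", msg.get("Authentication-Results", ""))
    if not dkim or dkim.group(1) != "pass":                  # anything but pass
        flags.append("DKIM: " + (dkim.group(1) if dkim else "absent"))
    for hdr in ("Return-Path", "Reply-To"):                  # should match From
        addr = parseaddr(msg.get(hdr, ""))[1].lower()
        if addr and addr != from_addr:
            flags.append(f"{hdr} {addr} != From {from_addr}")
    if msg.get("X-Distribution", "").strip().lower() == "bulk":
        flags.append("X-Distribution: bulk")
    # Header name X-Spam-Score is an assumption; gateways differ on the exact name
    score = float(msg.get("X-Spam-Score", "0") or 0)
    if score > 5:
        flags.append(f"spam score {score} ({'definitely' if score > 15 else 'possibly'} spam)")
    return {"relays": relay_chain(msg), "flags": flags}
# Constructed sample: a spoofed "PayPal" mail injected via a bulk relay
SAMPLE = """\
Received: from mx.mycompany.example (mx.mycompany.example [203.0.113.10])
    by mail.mycompany.example with ESMTP; Mon, 1 Jun 2020 09:00:05 +0000
Received: from relay.bulk-sender.example (unknown [198.51.100.23])
    by mx.mycompany.example with SMTP; Mon, 1 Jun 2020 08:59:58 +0000
Received-SPF: SoftFail (domain of service@paypal.com does not designate
    198.51.100.23 as permitted sender)
Authentication-Results: mx.mycompany.example; dkim=none
From: "PayPal" <service@paypal.com>
Return-Path: <bounce@bulk-sender.example>
Reply-To: <support@bulk-sender.example>
X-Distribution: Bulk
X-Spam-Score: 7.4

Dear client,
"""
```

The first entry of the relay list is the host that actually handed the mail to your infrastructure, which is the IP to look up with the tools mentioned earlier rather than anything in the From field.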
Combining both sections of this post, you should now be able to spot and analyse any emails which come into your mailbox. If you have any questions about this article or anything else on my site contact me at https://twitter.com/blueteamblog