We covered phishing attacks: how they work, the components of a phishing email, the components of phishing infrastructure, phishing assessment tools such as GoPhish and SET, and how to stay guarded against phishing attacks. This video used the lab material from the TryHackMe room named Phishing, which is part of the Red Team track.

We also covered practical phishing email analysis scenarios using PhishTool and Any.run. In the first scenario we analyzed an email pretending to come from Netflix; the other two scenarios contained malicious attachments that made calls to malicious servers and DNS names. This was part of TryHackMe Phishing Analysis Tools.

We also went over a practical email phishing analysis scenario using Thunderbird. We highlighted specific areas for analysis such as the sender email, Return-Path, sender domain, SPF records, originating IP address and the email attachment. We found the email attachment to be malicious by analyzing it with VirusTotal. Additionally, the email contained grammatical errors and was addressed to a generic recipient. That was part of TryHackMe Greenholt Phish.

Understanding and Assessing Phishing Attacks

I recently delved into the world of phishing attacks, covering their definition, various components, the infrastructure they rely on, how to assess them, and crucial protection measures.

What Phishing Attacks Are

I learned that phishing attacks are a form of social engineering 🎣. Social engineering involves using psychological methods to extract information from people by exploiting their weaknesses. While phishing relies on technology, it heavily leverages human vulnerabilities.

The psychological methods often seen in phishing emails include:

  • Urgency: Creating a sense of immediate need, like claiming an account is compromised or blocked, to pressure the recipient into clicking a link to “solve” the problem.
  • Greed: Luring users with promises of benefits such as rewards, coupons, discounts, or giveaways if they click a link or provide information.

In essence, a phishing attack is a social engineering attack that uses email to harvest user information or infect computers.

Types of Phishing

I explored two main types of phishing:

  • Spear Phishing: This targets a specific individual, often using personalized information to make the email appear more legitimate and convincing.
  • Mass Phishing: This targets a large number of people indiscriminately, hoping that a percentage will fall for the scam.

Components of a Phishing Email

I broke down the key elements of a phishing email:

  • Sender Address: This is critical for credibility. For spear phishing, attackers might mimic a target’s company domain (e.g., julian@x.com for someone at x.com). Attackers often spoof the sender address to make it look legitimate.
  • Email Subject: This typically employs psychological tricks like urgency or greed (e.g., “Your account has been blocked,” “Here’s a giveaway”).
  • Email Content: The body of the email aligns with the subject. If the goal is to harvest information, it will include a link to a fake login page. If the goal is to infect a computer, it will contain an attachment (e.g., a fake bill) designed to install malware.

Infrastructure for Phishing Attacks

I also covered the infrastructure attackers need to set up a phishing campaign:

  • Domain Name: Attackers buy domain names that look legitimate. Techniques include typo squatting (using similar-looking domains like gooogle.com instead of google.com) or buying expired domains that might have a good reputation to avoid spam filters.
  • SSL Certificate: This is used to make the fake landing page appear secure by serving it over HTTPS.
  • Email Hosting: To create and send emails from the purchased domain name.
  • Web Hosting: To host the fake landing page.
  • Analytics Platform (Optional): Used to track who opened emails, clicked links, or downloaded attachments, especially useful in red team engagements.

Phishing Assessment

I discussed how red teamers or penetration testers conduct phishing assessments to test an organization’s security awareness and culture. This involves sending simulated phishing emails to employees and monitoring their actions.

Tools commonly used for phishing assessments include:

  • Social Engineering Toolkit (SEToolkit): This comes pre-installed in Kali Linux.
  • GoPhish: A powerful framework that I demonstrated in the video, which helps manage all components of a phishing campaign.

How to Protect from Phishing Attacks

I emphasized that awareness is the best defense against phishing attacks. Key protection measures include:

  • Verify Sender Address: Always carefully check the sender’s email address and domain name for subtle differences or typos.
  • Be Cautious with Links and Attachments: Never click on links or open attachments from unrecognized senders or if the email seems suspicious.

I also recommended “The Art of Deception” by Kevin Mitnick for further insights into the psychological factors used by attackers.

GoPhish Framework Demonstration

I walked through a practical demonstration of using the GoPhish framework for a phishing campaign:

  • Sender Profile: I configured the sender’s email address and SMTP server details (e.g., no-reply@redteam.thm).
  • Landing Page: I created the fake page where users would be directed, either by pasting HTML code or importing an existing site. I enabled “Capture submitted data” and “Capture passwords.”
  • Email Template: I designed the content of the phishing email, including the subject and body, inserting a URL variable (e.g., {{.URL}}) for the phishing link.
  • User Groups (Targets): I defined the list of recipients, adding them manually or importing from a CSV.
  • Campaigns: I launched the phishing campaign by selecting the configured email template, landing page, redirection URL, sending profile, and target group.
  • Analytics (Dashboard): I showed how to monitor the campaign’s progress, including emails sent, opened, links clicked, and data submitted, and how to view captured credentials.

Examples of Identifying Phishing Emails

I went through several examples from a TryHackMe challenge to illustrate how to spot phishing attempts:

  • Example 1 (Google): An email from support@google.com with a link that textually appeared legitimate (myaccount.google.com), but the actual link (visible on hover) pointed to myaccount.gooogle-support.com. This was a phishing email due to the typo squatting in the domain.
  • Example 2 (Banking Group): An email from accounts@thebankinggroup.thm with a “Finance report” link pointing to bankinggroup.shared-hosting.thm. This was a phishing email due to the suspicious link domain and a subtle misspelling in the sender’s domain (thebanknggroup.thm).
  • Example 3 (TryHackMe): An email from no-reply@tryhackme-support.thm with a link pointing to the legitimate tryhackme.com. This was considered safe in the context of the challenge.
  • Example 4 (Acme IT Support): An email from accounts@acmeitsupport.thm with a PDF attachment. Since the sender was unknown and attachments can contain malware, I treated it as phishing, advising against trusting PDF attachments from untrusted or unexpected sources.
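The four checks above (sender domain, visible link text versus the real href, lookalike domains, unexpected attachments) can be made mechanical. The following is an added example I wrote for this post, not code from the TryHackMe room: a small Python analyzer that parses a message, extracts the sender domain, compares each link’s visible text with where the href actually points, looks for one- or two-character lookalikes of trusted brand labels, and flags risky attachments from untrusted senders. The TRUSTED_DOMAINS allow-list, the RISKY_EXTENSIONS tuple and the four sample messages are constructed for the example and mirror the four cases listed above.

```python
"""Phishing-indicator checker for messages like the four examples above.
Added example, not the TryHackMe room's or the post's own code.
TRUSTED_DOMAINS / RISKY_EXTENSIONS and the sample messages are constructed."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: domains the reader's organisation trusts.
TRUSTED_DOMAINS = {"google.com", "thebankinggroup.thm", "tryhackme.com"}
TRUSTED_LABELS = {d.split(".")[0] for d in TRUSTED_DOMAINS}
# Attachment types treated as risky when they come from an untrusted sender (heuristic).
RISKY_EXTENSIONS = (".pdf", ".doc", ".docm", ".xls", ".xlsm", ".exe", ".scr", ".zip", ".js")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (fine for .com/.thm; not a public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Trusted label that a token of the domain imitates (edit distance 1-2), else None.
    An exact brand token inside an unrelated domain (tryhackme-support.thm) is not
    flagged here, to mirror the room's verdict; production rules usually flag it too."""
    for token in re.split(r"[.-]", domain):
        for label in TRUSTED_LABELS:
            if 1 <= edit_distance(token, label) <= 2:
                return label
    return None


def analyze(raw_email):
    """Return (verdict, indicators) for one RFC 822 message string."""
    msg = message_from_string(raw_email)
    indicators = []
    sender_domain = registrable_domain(parseaddr(msg["From"])[1].split("@")[-1])
    sender_trusted = sender_domain in TRUSTED_DOMAINS
    hit = None if sender_trusted else lookalike_of(sender_domain)
    if hit:
        indicators.append(f"sender domain {sender_domain} looks like {hit}")
    attachments, html = [], ""
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode()
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        # Visible text that itself reads as a URL must point where it claims to.
        text_host = re.sub(r"^https?://", "", text).split("/")[0]
        if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", text_host) and registrable_domain(text_host) != href_domain:
            indicators.append(f"link text {text_host} but href goes to {href_domain}")
        if href_domain not in TRUSTED_DOMAINS:
            indicators.append(f"link to untrusted domain {href_domain}")
        hit = lookalike_of(href_domain)
        if hit:
            indicators.append(f"link domain {href_domain} looks like {hit}")
    for name in attachments:
        if not sender_trusted and name.lower().endswith(RISKY_EXTENSIONS):
            indicators.append(f"attachment {name} from untrusted sender")
    return ("phishing" if indicators else "ok"), indicators


def build(sender, subject, html, attachment=None):
    """Constructed sample message (not a captured email)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.thm", subject
    m.set_content("plain text fallback")
    m.add_alternative(html, subtype="html")
    if attachment:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename=attachment)
    return m.as_string()


SAMPLES = {
    "google": build("support@google.com", "Security alert",
                    '<p>Review your account at <a href="https://myaccount.gooogle-support.com/login">myaccount.google.com</a></p>'),
    "bank": build("accounts@thebanknggroup.thm", "Finance report",
                  '<a href="https://bankinggroup.shared-hosting.thm/report">Finance report</a>'),
    "thm": build("no-reply@tryhackme-support.thm", "New room",
                 '<a href="https://tryhackme.com/room/phishing">tryhackme.com</a>'),
    "acme": build("accounts@acmeitsupport.thm", "Invoice", "<p>See attached.</p>", attachment="invoice.pdf"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyze(raw))
```

Running it reproduces the verdicts in the list: the Google and Banking Group samples are flagged for a text/href mismatch, an untrusted link domain and a lookalike label (gooogle, thebanknggroup), the Acme sample only for its PDF from an untrusted sender, and the TryHackMe sample comes back clean. The analyzer is an allow-list policy plus a few heuristics, not a replacement for a mail gateway.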

Finally, I showed how the GoPhish dashboard displays analytics, allowing me to view captured usernames and passwords from users who fell for the simulated attack.

Room Answers | TryHackMe Phishing

What type of psychological manipulation is phishing part of?
 

What type of phishing campaign do red teams get involved in?

What tactic can be used to find brands or people a victim interacts with?
 

What should be changed on an HTML anchor tag to disguise a link?

What part of a red team infrastructure can make a website look more authentic?
 

What protocol has TXT records that can improve email deliverability?

 

What tool can automate a phishing campaign and include analytics?

What is the password for Brian?
Do droppers tend to be malicious?
What is better, using an expired or new domain? (old/new)
 

What is the term used to describe registering a similar domain name with a spelling error?

What can Microsoft Office documents contain, which, when executed can run computer commands?
Which recent CVE caused remote code execution?
What is the flag from the challenge?
 

Room Answers | TryHackMe Phishing Analysis Fundamentals

Email dates back to what time frame?
What port is classified as Secure Transport for SMTP?
 

What port is classified as Secure Transport for IMAP?

 

What port is classified as Secure Transport for POP3?

What email header is the same as “Reply-to”?

 

Once you find the email sender’s IP address, where can you retrieve more information about the IP?

In the above screenshots, what is the URI of the blocked image?
 

In the above screenshots, what is the name of the PDF attachment?

 

In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?

What trusted entity is this email masquerading as?

 

What is the sender’s email?

 

What is the subject line?

 

What is the URL link for – CLICK HERE? (Enter the defanged URL)

What is BEC?
 

Room Answers | TryHackMe Phishing Analysis Tools

What is the official site name of the bank that capitai-one.com tried to resemble?

How can you manually get the location of a hyperlink?
Look at the Strings output. What is the name of the EXE file?

What brand was this email tailored to impersonate?

 

What is the From email address?

 
What is the originating IP? Defang the IP address.
 

From what you can gather, what do you think will be a domain of interest? Defang the domain.

 

What is the shortened URL? Defang the URL.

What does AnyRun classify this email as?
 

What is the name of the PDF file?

 

What is the SHA 256 hash for the PDF file?

 

What two IP addresses are classified as malicious? Defang the IP addresses. (answer: IP_ADDR,IP_ADDR)

 

What Windows process was flagged as Potentially Bad Traffic?

What is this analysis classified as?
 

What is the name of the Excel file?

 

What is the SHA 256 hash for the file?

 

What domains are listed as malicious? Defang the URLs & submit answers in alphabetical order. (answer: URL1,URL2,URL3)

 

What IP addresses are listed as malicious? Defang the IP addresses & submit answers from lowest to highest. (answer: IP1,IP2,IP3)

 

What vulnerability does this malicious attachment attempt to exploit?

Room Answers | TryHackMe Phishing Emails in Action

What phrase does the gibberish sender email start with?
noreply
What is the root domain for each URL? Defang the URL.
devret[.]xyz
This email sample used the names of a few major companies, their products, and logos such as OneDrive and Adobe. What other company name was used in this phishing email?
citrix
What should users do if they receive a suspicious email or text message claiming to be from Netflix?
forward the message to phishing@netflix.com
What does BCC mean?
Blind Carbon Copy
What technique was used to persuade the victim to not ignore the email and act swiftly?
Urgency
What is the name of the executable that the Excel attachment attempts to run?
regasms.exe

Room Answers | TryHackMe Phishing Prevention

Referencing the dmarcian SPF syntax table, what prefix character can be added to the “all” mechanism to ensure a “softfail” result?

~

What is the meaning of the -all tag?

fail
 
Which email header shows the status of whether DKIM passed or failed?
Authentication-Results
Which DMARC policy would you use not to accept an email if the message fails the DMARC check?
p=reject
What is nonrepudiation? (The answer is a full sentence, including the “.”)
The uniqueness of a signature prevents the owner of the signature from disowning the signature.
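The SPF, DKIM and DMARC answers above can be tied together in code. The following is an added example I wrote for this post, not code from the TryHackMe room: it reads the qualifier on an SPF record’s “all” mechanism (~all softfail, -all fail), pulls the p= policy out of a DMARC record, parses an Authentication-Results header for the spf/dkim/dmarc results, and applies a simplified DMARC decision (relaxed alignment, p=reject means the message is not accepted). The records, the header and the domain example.thm are constructed placeholders.

```python
"""SPF / DKIM / DMARC evaluation helpers. Added example, not the room's or the post's code.
Records, header and the domain example.thm below are constructed placeholders."""
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_default_result(record):
    """Result for a sending host that matches no mechanism, decided by the 'all' qualifier:
    '~all' -> softfail (accept but mark), '-all' -> fail (reject)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier, mechanism = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mechanism.lower() == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 section 4.7: no match and no 'all' term -> neutral


def dmarc_policy(record):
    """Domain policy (p=) from a DMARC TXT record; 'none' when the tag is absent."""
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags.get("p", "none").lower()


def parse_authentication_results(header):
    """method -> result pairs from an Authentication-Results header (where DKIM pass/fail is reported)."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", header.lower()))


def aligned(domain, from_domain):
    """Relaxed DMARC alignment: same organisational domain (last two labels, no public-suffix list)."""
    def org(d):
        return ".".join(d.lower().split(".")[-2:])
    return org(domain) == org(from_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, policy):
    """DMARC passes on an aligned SPF pass or an aligned DKIM pass; otherwise the p= policy applies."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "pass", "accept"
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy, "accept")


# Constructed sample data.
SPF_SOFTFAIL = "v=spf1 include:_spf.example.thm ~all"
SPF_HARDFAIL = "v=spf1 ip4:203.0.113.0/24 -all"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.thm"
AUTH_RESULTS = ("mx.example.thm; spf=softfail smtp.mailfrom=lookalike.thm; "
                "dkim=fail header.d=example.thm; dmarc=fail header.from=example.thm")

if __name__ == "__main__":
    print(spf_default_result(SPF_SOFTFAIL), spf_default_result(SPF_HARDFAIL))
    print(dmarc_policy(DMARC_REJECT), parse_authentication_results(AUTH_RESULTS))
    results = parse_authentication_results(AUTH_RESULTS)
    print(evaluate_dmarc("example.thm", results["spf"], "lookalike.thm",
                         results["dkim"], "example.thm", dmarc_policy(DMARC_REJECT)))
```

With the constructed header the message fails both SPF (softfail from a non-aligned domain) and DKIM, so DMARC fails and the p=reject policy turns that into a reject; swap in an aligned SPF pass and the same function accepts it.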

What Wireshark filter can you use to narrow down the packet output using SMTP status codes?

Correct Answer: smtp.response.code

Per the network traffic, what was the message for status code 220? (Do not include the status code (220) in the answer)

Correct Answer: <domain> service ready

One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)

Correct Answer: 156,553

Based on the packet from the previous question, what was the message regarding the mailbox?

Correct Answer: mailbox name not allowed

What is the status code that will typically precede a SMTP DATA command?

Correct Answer: 354

What port is the SMTP traffic using?

Correct Answer: 25

How many packets are specifically SMTP?

Correct Answer: 512

What is the source IP address for all the SMTP traffic?

Correct Answer: 10.12.19.101

What is the filename of the third file attachment?

Correct Answer: attachment.scr

How about the last file attachment?

Correct Answer: .zip

Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?

Correct Answer: Zebrocy

Room Answers | TryHackMe Phishing Prevention

What is the Transfer Reference Number listed in the email’s Subject?
 

Who is the email from?

 

What is his email address?

 
What email address will receive a reply to this email?
 

What is the Originating IP?

 

Who is the owner of the Originating IP? (Do not include the “.” in your answer.)

 

What is the SPF record for the Return-Path domain?

 

What is the DMARC record for the Return-Path domain?

 

What is the name of the attachment?

 

What is the SHA256 hash of the file attachment?

 

What is the attachments file size? (Don’t forget to add “KB” to your answer, NUM KB)

 

What is the actual file extension of the attachment?

 

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
