We covered the first part of Phishing Email Analysis with PhishTool. We demonstrated the key areas to consider when analyzing an email and how to use the collected artifacts for threat intelligence. This was part of the TryHackMe Threat Intelligence Tools Room.
What is Threat Intelligence
Threat Intelligence is the analysis of data and information using tools and techniques to generate meaningful patterns on how to mitigate against potential risks associated with existing or emerging threats targeting organisations, industries, sectors or governments.
To mitigate against risks, we can start by trying to answer a few simple questions:
- Who’s attacking you?
- What’s their motivation?
- What are their capabilities?
- What artefacts and indicators of compromise should you look out for?
PhishTool Overview
- Dashboard:
- Displays recent analysis results.
- Shows resolved cases, including whether emails are malicious or safe.
- Visualizes data trends from analyzed samples.
- Analysis Section:
- Upload email files in formats like .eml or plain text.
- Analyze headers, URLs, attachments, and email structure.
- History:
- Logs past submissions and analysis results for reference.
- Enterprise Features:
- Integrates with platforms like Microsoft 365 and Google Workspace.
- Offers advanced collaboration features for larger organizations.
Key Features of PhishTool
- Headers:
- Displays sender, recipient, and server information.
- Highlights anomalies like mismatched domains.
- URLs:
- Extracts and lists all links in the email.
- Lets the analyst inspect suspicious links without clicking them.
- Attachments:
- Scans files for malware or harmful scripts.
- Received Lines:
- Tracks email hops through SMTP servers.
Email Analysis Steps
- Setup:
- Emails are exported from email clients like Thunderbird or Outlook.
- The exported .eml files are uploaded to PhishTool for analysis.
- Sample 1: LinkedIn Phishing Email:
- Visual Inspection:
- The email mimics LinkedIn’s branding, including a logo, colors, and notification layout.
- A button prompts the victim to click and log in.
- Header Analysis:
- The sender's domain differs from LinkedIn's actual domain (linkedin.com).
- The originating IP address (the bottom-most Received line) and its domain do not belong to LinkedIn's mail infrastructure; they should be looked up in reputation sources before being recorded as indicators.
- URL Inspection:
- The email contains a link leading to a non-LinkedIn domain.
- PhishTool displays the link details without requiring a user to click.
- Conclusion:
- Classified as phishing for credential harvesting.
- Artifacts include the sender domain, return path, and phishing URL.
- Sample 2: Invoice Phishing Email:
- Content:
- Claims to be from a financial advisor or department.
- Contains an attachment labeled as an invoice.
- Header Inspection:
- The sender email and domain are inconsistent with the claimed source.
- Attachment Analysis:
- The attachment is flagged as a likely malware dropper; its hash is what gets checked against sources such as Talos Intelligence.
- Conclusion:
- Classified as phishing, targeting financial data or malware delivery.
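The header, URL, attachment and Received-line checks above, and the originating-IP and hop-count questions later on the page, can be reproduced outside PhishTool with the Python standard library. The script below is an added example for this write-up, not PhishTool's code or the room's material; the .eml it parses is constructed for the example, and every address, domain, IP and URL in it is a placeholder from reserved example ranges rather than an artifact from the room's samples.

```python
"""Triage a raw .eml with the Python standard library.

Added example for this write-up; it is not part of PhishTool or the TryHackMe room.
The sample message below is constructed: every address, IP, domain and URL in it is a
placeholder, not an artifact from the room's samples.
"""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL = re.compile(r"""https?://[^\s"'<>]+""")

# Constructed sample: three Received hops, a brand-spoofing From display name, a
# Return-Path on a different domain, an HTML body with a login link and one attachment.
SAMPLE_EML = b"""Return-Path: <bounce@bulk-sender.example>
Received: from mx.victim.example (mx.victim.example [203.0.113.10])
    by inbox.victim.example with ESMTP id abc123;
    Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.5])
    by mx.victim.example with ESMTPS id def456;
    Mon, 1 Jan 2024 10:00:02 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by relay.example.net with SMTP id ghi789;
    Mon, 1 Jan 2024 10:00:01 +0000
From: "LinkedIn" <notifications@mail-notify.example>
To: user@victim.example
Subject: You have 1 new invitation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset=utf-8

<html><body><a href="http://login-linkedin.mail-notify.example/auth">Accept</a></body></html>
--BOUND
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

aGVsbG8=
--BOUND--
"""


def defang(ioc: str) -> str:
    """Render a URL or IP so it cannot be clicked or resolved by accident."""
    return ioc.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(raw: bytes) -> dict:
    """Pull the artifacts an analyst records: sender/return-path mismatch,
    hop count, originating IP, body URLs and attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Received lines are prepended by each server, so the top one is the last hop
    # and the bottom one is the first hop: that is where the originating IP lives.
    received = msg.get_all("Received", [])
    origin = IPV4.search(received[-1]) if received else None

    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    return_domain = return_path.rpartition("@")[2].lower()

    # Collect links from text parts only; attachments are handled separately.
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain") and not part.is_attachment():
            urls.extend(defang(u) for u in URL.findall(part.get_content()))

    # Hash attachments instead of opening them; the hash is what gets looked up.
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))

    return {
        "recipient": parseaddr(str(msg.get("To", "")))[1],
        "from_domain": from_domain,
        "return_path_domain": return_domain,
        "sender_mismatch": from_domain != return_domain,
        "hops": len(received),
        "originating_ip": defang(origin.group(1)) if origin else None,
        "urls": urls,
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Two design points carry over to real samples: Received lines are read bottom-up, because each relay prepends its own line, so a forged bottom line is the attacker's only way to hide the true origin; and attachments are never decoded to disk, only hashed, which is enough to pivot into Talos, VirusTotal or URLHaus without detonating anything.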
Threat Intelligence Classifications
Threat Intel is geared towards understanding the relationship between your operational environment and your adversary. With this in mind, we can break down threat intel into the following classifications:
- Strategic Intel: High-level intel that looks into the organisation’s threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions.
- Technical Intel: Looks into evidence and artefacts of attack used by an adversary. Incident Response teams can use this intel to create a baseline attack surface to analyse and develop defence mechanisms.
- Tactical Intel: Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.
- Operational Intel: Looks into an adversary’s specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organisation (people, processes, and technologies) that may be targeted.
Room Questions
- How many domains did UrlScan.io identify?
- What is the main domain registrar listed?
- What is the main IP address identified?
- Which malware is associated with the JA3 Fingerprint 51c64c77e60f3980eea90869b68c58a8 on SSL Blacklist?
- From the statistics page on URLHaus, what malware-hosting network has the ASN number AS14061?
- Which country is the botnet IP address 178.134.47.166 associated with according to FeodoTracker?
- What social media platform is the attacker trying to pose as in the email?
- What is the recipient’s email address?
- What is the Originating IP address? Defang the IP address.
- How many hops did the email go through to get to the recipient?
- What is the customer name of the IP address?
- From Talos Intelligence, the attached file can also be identified by the Detection Alias that starts with an H…
- What malware family is associated with the attachment on Email3.eml?
Conclusion
- PhishTool Benefits:
- Simplifies the email analysis process.
- Helps identify phishing attempts without the analyst having to open links or attachments.
- Best Practices:
- Always inspect email headers and URLs for anomalies.
- Use dedicated tools like PhishTool to analyze suspicious emails.