Phishing Email Challenge by LetsDefend

In this writeup we will analyze an email to determine whether it was a phishing attempt. We will only use a mail client (any you like) and threat intelligence platforms such as VirusTotal and Cisco Talos Intelligence.

Scenario

Analysis

I will open the mail file with Microsoft Outlook to show that it can be analyzed from any mail user agent.

This is what the original email looked like:

We can translate the German to English with the Microsoft Translate button on the right.

Q1 What is the return path of the email?

The return path of an email is the address to which your reply will go. Often the reply-to address differs from the original sender's address.

Go to the File menu and click Properties.

Now we must analyze the mail headers to determine the return path.

I checked the SMTP IP and the mail domain reputation, but they were all clean, which indicates that the attacker has just started a new phishing campaign. The reason I am confident this is a phishing attack is that we do not spot a single PayPal domain reference in the header section, and that is suspicious since the message revolves around a PayPal account.

Answer : {bounce@rjttznyzjjzydnillquh.designclub.uk.com}

Q2 What is the domain name of the url in this mail?

If we hover over the big button, we can see the URL to which we will be redirected.

On the surface we see a googleapis domain, which seems legitimate; it is legitimate and is used for providing API services. The domain is trusted on VirusTotal and Cisco Talos.

But notice that the button takes us to a subdomain with randomized path names, which seems a little odd. We will copy the whole URL and search for it on VirusTotal.

We immediately get hits. Most probably this is a case of subdomain takeover, or the attacker gained persistence on this subdomain and then used the legitimate domain name for their phishing campaign. This is called a DNS shadowing attack.

So the answer will be the domain name.

Answer : {storage.googleapis.com}
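As an added example (not part of the original writeup or the challenge files), the Q1 and Q2 checks scripted in Python: it parses a constructed .eml that mirrors the headers and link described above, pulls the Return-Path, From and link domains, and flags where they disagree with the brand the message impersonates. The sample message, the `qzj4tk8x` path and the brand list are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message modelled on the headers and link the writeup
# describes; it is not the challenge's original .eml file.
SAMPLE_EML = b"""Return-Path: <bounce@rjttznyzjjzydnillquh.designclub.uk.com>
From: "PayPal Service" <service@rjttznyzjjzydnillquh.designclub.uk.com>
To: user@example.com
Subject: Ihr Konto wurde eingeschraenkt
Content-Type: text/html; charset="utf-8"

<html><body><p>Bitte bestaetigen Sie Ihr PayPal-Konto.</p>
<a href="https://storage.googleapis.com/qzj4tk8x/index.html">Jetzt bestaetigen</a>
</body></html>
"""

BRAND_DOMAINS = {"paypal.com"}  # domains the message claims to come from (assumed)

def in_brand(host, brands):
    """True if host is a brand domain or one of its subdomains."""
    return any(host == b or host.endswith("." + b) for b in brands)

def header_domain(msg, name):
    """Domain part of an address header (e.g. Return-Path, From), lower-cased."""
    _, addr = parseaddr(str(msg.get(name, "")))
    return addr.rpartition("@")[2].lower()

def link_domains(msg):
    """Hostnames of every href in the body, in document order."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return [urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', text)]

def triage(raw_eml, brands=BRAND_DOMAINS):
    """Pull the headers the challenge asks for and list the red flags found."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    rp, frm = header_domain(msg, "Return-Path"), header_domain(msg, "From")
    links = link_domains(msg)
    flags = []
    if rp and rp != frm:
        flags.append("Return-Path domain differs from From domain")
    if rp and not in_brand(rp, brands):
        flags.append("Return-Path is not a brand domain")
    if links and not any(in_brand(h, brands) for h in links):
        flags.append("no link points at the brand's domain")
    return {"return_path": rp, "from": frm, "link_domains": links, "flags": flags}
```

Run `triage(open("mail.eml", "rb").read())` on a real saved message to get the same fields the writeup reads off the Outlook properties dialog.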

Q3 Is the domain mentioned in the previous question suspicious?

However, if we look at the community reviews and comments, we can see that the majority have found this domain caught in phishing campaigns.

So we can say that this subdomain is suspicious, as we have already established that this is a phishing attack.

Answer : {yes}

Q4 What is the body SHA-256 of the domain?

Answer : {13945ecc33afee74ac7f72e1d5bb73050894356c4bf63d02a1a53e76830567f5}

Q5 Is this email a phishing email?

Answer : {yes}
