Phishing Email Challenge by LetsDefend

CyberJunnkie
4 min read · Dec 4, 2022

In this writeup we will analyze an email to determine whether it was a phishing attempt. We will only use a mail client (any one you like) and threat-intel platforms such as VirusTotal and Cisco Talos Intelligence.

Scenario

Your email address has been leaked and you receive an email, written in German, that claims to come from PayPal. Try to analyze the suspicious email.

Analysis

Unzipping the challenge package gives us an .eml file. An .eml file is a single email message saved in the standard internet message format (RFC 5322): the raw headers, a blank line, then the body and any MIME parts, all as plain text. Online tools can help extract information from it, but we will do it manually from an email client.

I will open the file with Microsoft Outlook to show that it can be analyzed from any mail user agent.

This is what the original email looked like

We can translate the German to English with the Microsoft Translate button on the right.

Q1 What is the return path of the email?

The Return-Path header records the envelope sender of the message (the address given in the SMTP MAIL FROM command), which is where bounces and delivery failure notices are sent. It is added by the receiving mail server, not by the sender, so it is harder to dress up than the From header the recipient sees. In phishing mail the Return-Path domain often has nothing to do with the displayed sender, and that mismatch is one of the first things to check.

Go to the File menu and click Properties.

Now we must analyze mail headers to determine the return path.

I checked the SMTP server IP and the reputation of the sending domain, but both came back clean, which suggests the attacker has only just started this campaign and the infrastructure has not been reported yet. The reason I am still confident this is a phishing attack is that there is not a single PayPal domain anywhere in the headers, which is suspicious for a message that revolves entirely around a PayPal account.

Answer : {bounce@rjttznyzjjzydnillquh.designclub.uk.com}

Q2 What is the domain name of the url in this mail?

For the next question we will look at the actual message sent by the attacker.

If we hover over the big button, we can see the URL it would take us to.

On the surface we see a googleapis.com address, and that domain is legitimate: storage.googleapis.com is the public endpoint for Google Cloud Storage, which serves files from customer-owned buckets. The domain itself is rated trusted on VirusTotal and Cisco Talos.
</gre_replace>
<gr_replace lines="42" cat="clarify" orig="But notice that">
But notice that the button points to a bucket and object path with a randomly generated name under that domain, which is odd for a PayPal notification. We will copy the whole URL and search it on VirusTotal.

But notice that the button takes us to a subdomain with a randomized named paths which seems a little bit odd. We will copy the whole url and search it on virustotal.

We immediately get hits. This is not a compromise of Google or a subdomain takeover: anyone with a Google Cloud account can create a storage bucket and serve a static HTML page from it under storage.googleapis.com. The attacker simply hosted the phishing page on a legitimate cloud service so the link inherits the good reputation of the domain and slips past filters that only look at the hostname. Abusing trusted cloud storage and CDN domains this way is a very common phishing technique.

So the answer will be the domain name

Answer : {storage.googleapis.com}

Q3 Is the domain mentioned in the previous question suspicious?

Now if we search the domain alone, without the full path, on VirusTotal, we get only one hit, which may well be a false positive, since the whole of Google Cloud Storage shares this hostname.

However, if we look at the community reviews and comments, the majority report this domain as being caught hosting phishing campaigns.

So, in the context of this email, we can say the domain is suspicious, as we have already established that the link is part of a phishing attack.

Answer : {yes}

Q4 What is the body SHA-256 of the domain?

When we scan the domain on VirusTotal, the body SHA-256 is shown in the Details tab. It is the SHA-256 hash of the HTTP response body VirusTotal fetched the last time it crawled the resource, which makes it a useful pivot: searching for the same hash finds other hosts serving an identical copy of the phishing page.

Answer {13945ecc33afee74ac7f72e1d5bb73050894356c4bf63d02a1a53e76830567f5}
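The manual steps above (reading the Return-Path from the headers, hovering over the button to get the link domain, checking whether any PayPal domain appears in the sender headers, and hashing the body) can be scripted so the same triage runs offline on any .eml file. The following is an added example written for this writeup, not part of the original post or of the LetsDefend challenge. It parses a constructed sample message with Python's standard email module. The Return-Path address and the link domain reuse the values found above; the sender host, IP address, From address, subject, bucket name and object path are assumptions invented for the sample, and the `paypal.com` brand domain is likewise an assumed parameter.

```python
"""Offline triage of an .eml message: Return-Path, link domains, body hash."""
from __future__ import annotations

import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample .eml for this example (not the challenge file).
# The Return-Path address and the link domain reuse values from the writeup;
# the sender host, IP, From address, subject, bucket and object path are assumptions.
SAMPLE_EML = b"""Return-Path: <bounce@rjttznyzjjzydnillquh.designclub.uk.com>
Received: from mail.example-sender.test (mail.example-sender.test [203.0.113.10])
\tby mx.victim.test with ESMTP id abc123; Sun, 4 Dec 2022 10:00:00 +0000
From: "PayPal" <service@example-sender.test>
To: victim@victim.test
Subject: Ihr Konto wurde eingeschraenkt
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Bitte bestaetigen Sie Ihr Konto.</p>
<a href="https://storage.googleapis.com/example-bucket-0000/index.html">Konto bestaetigen</a>
</body></html>
"""

# Headers that carry sender-side hostnames; these are where a real PayPal mail
# would show a paypal.com domain and where a phish usually shows none.
SENDER_HEADERS = ("From", "Return-Path", "Reply-To", "Sender", "Message-ID", "Received")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")


class _LinkCollector(HTMLParser):
    """Collects href targets of <a> tags: the same URL you see when hovering a button."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value)


def parse_eml(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes; policy.default yields an EmailMessage with get_body()."""
    return message_from_bytes(raw, policy=policy.default)


def addr_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def return_path(msg: EmailMessage) -> str:
    """Envelope sender (SMTP MAIL FROM) recorded by the receiving MTA; bounces go here."""
    return parseaddr(str(msg.get("Return-Path", "")))[1]


def from_address(msg: EmailMessage) -> str:
    return parseaddr(str(msg.get("From", "")))[1]


def header_domains(msg: EmailMessage) -> set[str]:
    """Every domain-looking token found in the sender-related headers."""
    found = set()
    for name in SENDER_HEADERS:
        for value in msg.get_all(name, []):
            found.update(DOMAIN_RE.findall(str(value).lower()))
    return found


def html_body(msg: EmailMessage) -> bytes:
    """Decoded bytes of the HTML part (falls back to text/plain)."""
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_payload(decode=True) if part is not None else b""


def extract_links(msg: EmailMessage) -> list[str]:
    collector = _LinkCollector()
    collector.feed(html_body(msg).decode("utf-8", errors="replace"))
    return collector.links


def link_domains(msg: EmailMessage) -> set[str]:
    hosts = (urlparse(u).hostname for u in extract_links(msg))
    return {h.lower() for h in hosts if h}


def body_sha256(msg: EmailMessage) -> str:
    """SHA-256 of the decoded body, the same kind of value VirusTotal labels Body SHA-256."""
    return hashlib.sha256(html_body(msg)).hexdigest()


def analyze(raw: bytes, brand_domain: str = "paypal.com") -> dict:
    """Run the checks from the writeup and return them as one record."""
    msg = parse_eml(raw)
    rp, frm = return_path(msg), from_address(msg)
    domains = header_domains(msg)
    return {
        "return_path": rp,
        "from": frm,
        # Return-Path domain differing from the From domain is a classic phishing tell.
        "return_path_mismatch": addr_domain(rp) != addr_domain(frm),
        # A genuine brand mail would show the brand's domain somewhere in these headers.
        "brand_domain_in_headers": any(
            d == brand_domain or d.endswith("." + brand_domain) for d in domains
        ),
        "link_domains": link_domains(msg),
        "body_sha256": body_sha256(msg),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it against a real message with `analyze(open("challenge.eml", "rb").read())`. Note that `body_sha256` hashes the email body, whereas the VirusTotal value in Q4 hashes the page fetched from the link, so the two will only agree if you hash the downloaded landing page instead; the function is here to show what the value is and how to reproduce it for any blob you already have.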

Q5 Is this email a phishing email?

Deducing from the analysis above, we can safely say that this was a phishing email: the Return-Path belongs to an unrelated domain, no PayPal domain appears in the headers, and the call-to-action button leads to a phishing page hosted on a cloud storage bucket.

Answer {yes}


CyberJunnkie

Defensive Content Engineer @HackTheBox 🖥️ 🐱‍💻