Danny's newsletter - Issue #10
Email Security Analysis
I wanted to go over in more detail how to examine an email and determine if it is malicious.
This is a continuation of my earlier post on phishing, How to Spot Phishing.
What’s great about these tips is that you don’t need any special tools or software for them.
Things to analyze in a suspicious email
Link Analysis
Reading the headers (bottom to top)
Link Analysis
Most phishing attempts nowadays will come in the form of links. Ask yourself the following questions.
Gut feeling: does this look right?
When you hover over the link, does it match where it says it’s going to?
Are there any typos or unexpected domains?
Google it without visiting the domain. For example, in the email above, hovering over the link shows coatpurple[.]com. Typing site:coatpurple[.]com into Google returns results for that domain without the risk of going to the actual site.
You can also run it under a domain analysis tool such as VirusTotal or ThreatCrowd.
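The hover check above, done on the raw HTML of a message instead of by eye. This is an added example and not part of the original newsletter: it pulls every anchor out of an email body, and where the visible link text itself looks like a URL or domain, compares it with the domain the href really points to. The sample HTML and the domains in it (coatpurple.example, billing.example.com and so on) are constructed placeholders.

```python
"""Flag links whose visible text points somewhere other than the real href.

Added example for the newsletter; not the author's code. SAMPLE_HTML is a
constructed email body with one honest URL-text link, one deceptive one,
and one plain-text link.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (the domains are placeholders).
SAMPLE_HTML = """
<p>Your invoice is ready.</p>
<a href="https://billing.example.com/inv/123">https://billing.example.com/inv/123</a>
<a href="http://coatpurple.example/login">https://accounts.example.com/login</a>
<a href="https://example.com/help">Help center</a>
"""

# Visible text that reads like a URL or bare domain, e.g. "https://x.example/y".
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def registrable(host):
    """Crude 'last two labels' view of a host; enough to catch look-alike swaps."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def defang(host):
    """Write a domain as coatpurple[.]example so it is not clickable in notes."""
    return host.replace(".", "[.]")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_links(html):
    """Return one finding per link: real host (defanged), shown text, mismatch flag."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown_host = ""
        if URL_LIKE.match(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
        # Only a mismatch when the text claims a destination and the href disagrees.
        mismatch = bool(shown_host) and registrable(shown_host) != registrable(real_host)
        findings.append({
            "href_host": defang(real_host),
            "shown_text": text,
            "mismatch": mismatch,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_HTML):
        flag = "MISMATCH" if f["mismatch"] else "ok"
        print(f"{flag:8} {f['shown_text']!r} -> {f['href_host']}")
```

The defanged href_host is what you would paste into a site: search or a lookup tool such as VirusTotal, with the brackets removed, rather than clicking the link itself.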
Reading the Headers
To be more thorough you can look at the email headers for analysis.
To do this in Gmail, select “Show Original”; in Yahoo, select “View raw message”. Read the headers from bottom to top, because that order follows the “flow” the email took to reach your inbox. By following it, you can see whether the email’s route makes sense. Specifically, look at the From: field to verify the sender, and the Received: fields to follow the route.
As you can see in this example, the Received: field gives the IP address as well as the sender domain. The next Received: header going up records the SPF (Sender Policy Framework) check, and then shows it going to coatpurple[.]com.
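The bottom-to-top header walk described above, as an added example that is not part of the original newsletter. The script takes the text you get from “Show Original” or “View raw message”, lists the Received: hops oldest-first, checks that each hop’s “by” server is the next hop’s “from” server, and puts the From: domain beside the domain the SPF check actually vouched for. The raw message below is constructed; coatpurple.example, yourbank.example and recipient.example are placeholder domains and the IPs are documentation addresses.

```python
"""Walk the Received: chain of a raw email bottom to top.

Added example for the newsletter; not the author's code. RAW is a constructed
message in the shape Gmail's "Show original" gives you: each server that
handles the mail prepends its own Received: line, so the oldest hop sits
lowest and the header you read first (bottom) is the sender's own server.
"""
import re
from email import message_from_string
from email.utils import parseaddr

RAW = """\
Delivered-To: you@recipient.example
Received: from mx.recipient.example ([192.0.2.10])
        by inbox.recipient.example with ESMTPS id abc123
        for <you@recipient.example>; Tue, 01 Jan 2019 10:00:03 +0000
Received-SPF: pass (recipient.example: domain of bounce@coatpurple.example
        designates 198.51.100.7 as permitted sender) client-ip=198.51.100.7;
Received: from mail.coatpurple.example (mail.coatpurple.example [198.51.100.7])
        by mx.recipient.example with ESMTP id def456
        for <you@recipient.example>; Tue, 01 Jan 2019 10:00:01 +0000
Return-Path: <bounce@coatpurple.example>
From: "Your Bank" <alerts@yourbank.example>
To: you@recipient.example
Subject: Action required

Click here.
"""

# "from <host> (<info>) by <host>" is the common shape of a Received: line.
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")


def received_hops(msg):
    """Return the Received: lines oldest-first, i.e. bottom to top in the raw view."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        hops.append({
            "from": m.group(1) if m else "?",
            "from_info": (m.group(2) or "") if m else "",
            "by": m.group(3) if m else "?",
            "raw": flat,
        })
    return hops


def chain_consistent(hops):
    """Each hop's receiving server should be the next hop's sending server."""
    return all(a["by"] == b["from"] for a, b in zip(hops, hops[1:]))


def analyze(raw):
    """Summarise sender, SPF verdict and route for a raw message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    spf_header = " ".join(msg.get("Received-SPF", "").split())
    hops = received_hops(msg)
    return {
        "from": from_addr,
        "from_domain": from_domain,
        # SPF is evaluated against the envelope sender (Return-Path), not From:,
        # so a "pass" only vouches for rp_domain. A pass next to a different
        # From: domain is exactly the pattern to look for.
        "return_path_domain": rp_domain,
        "spf": spf_header.split()[0].lower() if spf_header else "none",
        "domain_mismatch": bool(rp_domain) and from_domain != rp_domain,
        "hops": hops,
        "chain_consistent": chain_consistent(hops),
    }


if __name__ == "__main__":
    report = analyze(RAW)
    print(f"From: {report['from']}  (SPF {report['spf']} for {report['return_path_domain']})")
    print("Route, oldest hop first:")
    for i, hop in enumerate(report["hops"], 1):
        print(f"  {i}. {hop['from']} {hop['from_info']} -> {hop['by']}")
    print("Chain consistent:", report["chain_consistent"])
    print("From/Return-Path domains differ:", report["domain_mismatch"])
```

Two things the output makes visible that are easy to miss reading by hand: the SPF “pass” belongs to coatpurple.example, not to the bank domain shown in From:, and only the Received: lines added by your own provider (the top ones) are ones you can trust; anything below them was written by whoever handed the message over.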
Wrapping Up
In this post, we went over link analysis and header analysis. These are some of the tactical ways you can better protect yourself when it comes to your email.
I hope this helps in determining for yourself what is a phishing email when you see one.