In this post, I wanted to go over in more detail how to examine an email and determine if it is malicious.
As the old saying goes, “an ounce of prevention is worth a pound of cure”. We could say “an ounce of prevention is worth a pound of detection”, but we can discuss how to better protect your email in a later post.
What’s great about the following tips is that you don’t need any special tools or software for them.
Things to analyze in a suspicious email
Suspicious Language
Link Analysis
Reading the headers
Suspicious Language and Keywords
Oftentimes there are certain words that almost no legitimate email will use.
If you’re seeing language such as “dear sir”, “immediately upgrade...”, or “your account will be revoked unless you do this one thing”, there’s a high chance this is phishing and there’s little need to go further.
If there’s no low-hanging fruit such as this, we can proceed with the next 2 methods to spot phishing.
Link Analysis
Most phishing attempts nowadays will come in the form of links. Ask yourself the following questions.
When you hover over the link, does it match where it says it’s going to?
Are there any typos or unexpected domains?
Gut feeling: does this look right?
Google it without accessing the domain.
For example, in the email above, hovering over the link shows coatpurple[.]com. Typing site:coatpurple[.]com into Google will return results without going to the actual site.
In any event, you’ll be able to see if the search results are associated with any malware or phishing scams.
You can also run it through a domain analysis tool such as VirusTotal or Urlscan. Here, you’ll see if the security community has already looked at this domain or URL.
Things to look for here are
Newly registered domains
Newly updated domains
Community comments or intel
Linked to any known phishing
Reading the Headers
To be more thorough you can look at the email headers for analysis.
To do this in Gmail, select “Show Original”.
For Yahoo, select “View raw message”.
For Apple Mail, select View > Message > All Headers
Read these from bottom to top (just trust me bro).
Alright, the reason why you would read these bottom to top is because this follows the “route” that the email took to get to your inbox. By following it, you can see if the email route makes sense.
Specifically, look at the From: field to verify the sender, and the Received: field to follow the route.
It’s actually fairly simple to forge the sender's name, which is why we want to analyze these in the actual headers, where we will see the full route of the email.
As you can see in this example, the Received: field gives the IP address as well as the sender domain. The next Received: field going up the route mentions the SPF (Sender Policy Framework) record and the DMARC policy, and then shows the message going on to coatpurple[.]com.
These policies will tell the email receiver what to do if neither of the authentication methods passes, such as to reject the message (as shown here) or quarantine it.
You can do all of this with your mail client. Of course, you could use tools like MxToolbox or Sublime Security, but a lot of the time they are not needed on a personal level.
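As an added example (not code from the original post), here is a short Python script that applies the header checks above to a constructed sample message: it walks the Received: chain bottom to top, pulls the spf/dkim/dmarc verdicts from Authentication-Results:, and compares the From: domain with the Return-Path: envelope sender. The hostnames, IP addresses and the coatpurple.example domain in the sample are placeholders, not real captures.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): a lookalike "bank" mail relayed through
# a hypothetical coatpurple.example host; IPs are RFC 5737 documentation addresses.
RAW_MESSAGE = """\
Received: from mx.example-mail.test (mx.example-mail.test [192.0.2.10])
 by inbox.example.test with ESMTPS; Mon, 4 Nov 2024 10:02:11 +0000
Authentication-Results: inbox.example.test;
 spf=fail smtp.mailfrom=coatpurple.example;
 dkim=none; dmarc=fail (p=REJECT) header.from=bank.example
Received: from relay.coatpurple.example (unknown [198.51.100.23])
 by mx.example-mail.test with ESMTP; Mon, 4 Nov 2024 10:02:09 +0000
From: "Support Team" <support@bank.example>
Return-Path: <bounce@coatpurple.example>

"""

def route(raw):
    """Received: hops in the order the mail travelled (bottom of the header block first)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        hops.append({"from": hdr.split()[1], "ip": ip.group(1) if ip else None})
    return hops

def auth_results(raw):
    """spf/dkim/dmarc verdicts parsed from Authentication-Results:."""
    ar = " ".join(message_from_string(raw).get_all("Authentication-Results") or [])
    return {k: v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar)}

def sender_domains(raw):
    """Domain shown in From: versus the envelope sender domain in Return-Path:."""
    msg = message_from_string(raw)
    dom = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    return dom("From"), dom("Return-Path")

def flags(raw):
    """Reasons to distrust the message; an empty list means nothing stood out."""
    reasons = []
    shown, envelope = sender_domains(raw)
    if shown != envelope:
        reasons.append(f"From: domain {shown} differs from Return-Path domain {envelope}")
    for method, verdict in auth_results(raw).items():
        if verdict == "fail":
            reasons.append(f"{method} check failed")
    return reasons
```

Paste the output of “Show Original” into RAW_MESSAGE to run the same checks on a message from your own inbox.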
What I Read This Week
Despite warnings, hospitals have adopted hallucination-prone AI Transcription tools for patient visits.
SELinux rules and bypasses. (But mainly bypasses)
FIDO published a working draft of New Specs for Enhanced UX for Passkeys
Wrapping Up
In this post, we went over link analysis and header analysis.
These are some of the tactical ways you can better defend yourself when it comes to your email, no specialty tools needed.
Some resources to learn more about this
I hope this helps in determining for yourself what is a phishing email when you see one.
We’ll cover a more proactive approach in a future post.