AoC 2022 Day 6: Analyzing Emails
What is Email Analysis?
Email analysis is the process of extracting email header data to reveal the details of an email file. The email’s technical information, including the sender, receiver, path, return address, and attachments, is contained in the header. Usually, these details are sufficient to assess whether the email contains anything unusual or suspicious and to decide whether to filter, quarantine, or deliver it. The analysis can be performed manually or with automated tools.
There are two main concerns in email analysis.
- Security issues: Identifying suspicious/abnormal/malicious patterns in emails.
- Performance issues: Identifying delivery and delay issues in emails.
Before focusing on the hands-on email analysis, you will need to be familiar with the terms “social engineering” and “phishing”.
- Social engineering: Social engineering is the psychological manipulation of individuals into giving information or executing actions by preying on flaws in the human condition. Curiosity, resentment, greed, kindness, and the desire to assist others are just a few examples of these “weaknesses.”
- Phishing: Phishing is a sub-section of social engineering delivered through email to trick someone into either revealing personal information and credentials or executing malicious code on their computer.
The majority of the time, phishing emails will seem to be from a reputable source, such as a person or company. They include content that tries to tempt or trick people into downloading software, opening attachments, or following links to a bogus website.
Does Email Analysis Still Matter?
Yes! Phishing attacks are still quite prevalent, successful, and challenging to spot, according to several academic studies and technical publications. Additionally, phishing is a component of red teaming and penetration testing engagements (paid security assessments that examine organizational cybersecurity). As a result, being proficient in email analysis is still a valuable skill. Email analysis is now facilitated and accelerated by several tools and technologies, but when there is no budget for automated solutions, a professional analyst should be able to perform a manual analysis. It is a useful skill for both individuals and IT/security professionals!
Important Note: In-depth analysis requires an isolated environment to work. It is only suggested to download and upload the received emails and attachments if you are in the authorized team and have an isolated environment. Suppose you are outside the corresponding team or a regular user. In that case, you can evaluate the email header using the raw format and conduct the essential checks like the sender, recipient, spam score, and server information. Remember that you have to inform the corresponding team afterward.
How to Analyse Emails?
Before learning how to conduct an email analysis, you need to know the structure of an email header. Let’s quickly review the email header structure.
| Field | Details |
| --- | --- |
| From | The sender’s address. |
| To | The receiver’s address, including CC and BCC. |
| Time stamp | Timestamp of when the email was sent. |
| Subject | The subject of the email. |
| Return Path | The return address of the reply, a.k.a. “Reply-To”. If you reply to an email, the reply will go to the address mentioned in this field. |
| Domain Key and DKIM Signatures | Email signatures are provided by email services to identify and authenticate emails. |
| SPF | Shows the server that was used to send the email. It helps to understand whether the actual server was used to send the email from a specific domain. |
| Message-ID | Unique ID of the email. |
| MIME-Version | Used MIME version. It helps to understand the delivered “non-text” contents and attachments. |
| X-Headers | The receiving mail providers usually add these fields. The provided info is usually experimental and can differ according to the mail provider. |
| X-Received | Mail servers that the email went through. |
| X-Spam Status | Spam score of the email. |
| X-Mailer | Email client name. |
Important Email Header Fields for Quick Analysis
Analyzing multiple header fields can be confusing at first glance, but starting from the key points will make the analysis process slightly easier. A simple process of email analysis is shown below.
| Questions to Ask / Required Checks | Evaluation |
| --- | --- |
| Do the “From”, “To”, and “CC” fields contain valid addresses? | Having invalid addresses is a red flag. |
| Are the “From” and “To” fields the same? | Having the same sender and recipient is a red flag. |
| Are the “From” and “Return-Path” fields the same? | Having different values in these sections is a red flag. |
| Was the email sent from the correct server? | The email should have come from the official mail servers of the sender. |
| Does the “Message-ID” field exist, and is it valid? | Empty and malformed values are red flags. |
| Do the hyperlinks redirect to suspicious/abnormal sites? | Suspicious links and redirections are red flags. |
| Do the attachments consist of or contain malware? | Suspicious attachments are a red flag. File hashes marked as suspicious/malicious by sandboxes are a red flag. |
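The quick checks from the table above, scripted with Python’s standard-library email parser as an added example (this is not code from the original post or from the emlAnalyzer project). The message, and every address, host and IP in it, is a constructed placeholder; the server check is only a heuristic, because the sending side controls what the earliest Received header says.

```python
import re
import email
from email.utils import getaddresses, parseaddr

# Constructed sample header; every address, host and IP is a placeholder, not a real indicator.
SAMPLE_EML = b"""Return-Path: <bounce@lookalike-example.test>
Received: from mail.lookalike-example.test (mail.lookalike-example.test [203.0.113.10])
From: "IT Support" <support@example.com>
To: victim@example.com
Subject: Urgent: password reset
Message-ID: <20221206120000.ABC123@lookalike-example.test>
X-Spam-Status: Yes, score=7.4
MIME-Version: 1.0
Content-Type: text/plain

Please see the attached notice.
"""

ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MSGID_RE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")

def domain(addr):
    """Lower-cased part after the last '@', or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def quick_checks(raw):
    """Map each quick check from the table to True when it raises a red flag."""
    msg = email.message_from_bytes(raw)
    senders = [a for _, a in getaddresses(msg.get_all("From", []))]
    recipients = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    msg_id = (msg.get("Message-ID") or "").strip()
    # The earliest hop is the last Received header; its 'from' host is a hint only, it can be forged.
    received = msg.get_all("Received", [])
    m = re.search(r"from\s+(\S+)", received[-1]) if received else None
    first_hop = m.group(1).lower() if m else ""
    sender_domains = {domain(s) for s in senders}
    return {
        "invalid_address": not senders or not recipients
                           or any(not ADDR_RE.match(a) for a in senders + recipients),
        "from_equals_to": any(s in recipients for s in senders),
        "return_path_mismatch": bool(return_path) and domain(return_path) not in sender_domains,
        "wrong_server": bool(first_hop) and not any(first_hop == d or first_hop.endswith("." + d) for d in sender_domains),
        "bad_message_id": not MSGID_RE.match(msg_id),
        "spam_flagged": msg.get("X-Spam-Status", "").lower().startswith("yes"),
    }
```

Each True value is one red flag from the table; for the constructed sample, the Return-Path, the first hop and the spam verdict all trip.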
You’ll also need an email header parser tool or configure a text editor to highlight and spot the email header’s details easily. The difference between the raw and parsed views of the email header is shown below.
Note: The below example is demonstrated with the tool “Sublime Text”.
You can use Sublime Text to view email files without opening and executing any of the linked attachments/commands. You can view the email file in the text editor using two approaches.
- Right-click on the sample and open it with Sublime Text.
- Open Sublime Text and drag & drop the sample into the text editor.
If your file has a “.eml” or “.msg” extension, Sublime Text will automatically detect the structure and highlight the header fields for ease of readability. Note that if you are using a “.txt” or any other extension, you will need to manually select the highlighting format by using the button located at the lower right corner.
Text editors are helpful in analysis, but there are some tools that can help you to view the email details in a clearer format. In this task, we will use the “emlAnalyzer” tool to view the body of the email and analyse the attachments. The emlAnalyzer is a tool designed to parse email headers for a better view and analysis process. The tool can show the headers, body, embedded URLs, plaintext and HTML data, and attachments. The sample usage query is explained below.
| Query Details | Explanation |
| --- | --- |
| emlAnalyzer | Main command |
| -i | File to analyse: -i /path-to-file/filename. Note: you can either give a full file path or navigate to the required folder using the “cd” command. |
| --header | Show header |
| -u | Show URLs |
| --text | Show cleartext data |
| --extract-all | Extract all attachments |
Sample usage is shown below. Now use the given sample and execute the given command.
dessy@virtualmachine$ emlAnalyzer -i Urgent\:.eml --header --html -u --text --extract-all
At this point, you should have completed the following checks.
- Sender and recipient controls
- Return path control
- Email server control
- Message-ID control
- Spam value control
- Attachment control (Does the email contain any attachment?)
Additionally, you can use some Open Source Intelligence (OSINT) tools to check email reputation and enrich the findings. Visit the given site below and do a reputation check on the sender address and the address found in the return path.
- Tool: https://emailrep.io/
If you come across any suspect URLs or IP addresses here, you might want to use some OSINT tools to look into them further. While VirusTotal and InQuest will be our primary tools, having comparable and alternative services in the analyst toolbox is worthwhile and advantageous.
| Tool | Purpose |
| --- | --- |
| VirusTotal | A service that provides a cloud-based detection toolset and sandbox environment. |
| InQuest | A service that provides network and file analysis by using threat analytics. |
| IPinfo.io | A service that provides detailed information about an IP address by focusing on geolocation data and service provider. |
| Talos Reputation | An IP reputation check service provided by Cisco Talos. |
| Urlscan.io | A service that analyses websites by simulating regular user behaviour. |
| Browserling | A browser sandbox used to test suspicious/malicious links. |
| Wannabrowser | A browser sandbox used to test suspicious/malicious links. |
You can move on to the body and attachment analysis after completing the aforementioned preliminary inspections. Let’s concentrate our attention for now on the email body and attachments. There are no URLs in the example; there is only an attachment. In order to carry out file-based reputation checks and continue your analysis, you must determine the file’s hash value. The hash value of the file can be determined using the sha256sum tool or utility, as shown below.
dessy@ubuntu$ sha256sum Division_of.... 0827bb9a….
Note: Remember to navigate to the file’s location before attempting to calculate the file’s hash value.
Once you have the hash of the file, you can continue the analysis using VirusTotal.
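An added example (not the post’s own code) that does the attachment step programmatically: it extracts each attachment from an .eml with Python’s standard-library parser and computes the SHA-256 you would search on VirusTotal or InQuest, without ever opening the attachment itself. The message, the filename and the attachment bytes are constructed placeholders.

```python
import email
import hashlib
from email import policy

# Constructed sample: a one-line text body plus a tiny base64 attachment (placeholder bytes).
SAMPLE_EML = b"""From: sender@example.test
To: analyst@example.test
Subject: Constructed sample with one attachment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="sample_attachment.bin"
Content-Disposition: attachment; filename="sample_attachment.bin"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

def attachment_hashes(raw):
    """Return one record per attachment: filename, declared type, size and SHA-256.

    The decoded bytes stay in memory only for hashing; nothing is written to disk or executed,
    so this is safe to run on a message before any sandbox work.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        records.append({
            "filename": part.get_filename() or "<unnamed>",
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return records
```

The sha256 field is the value the following VirusTotal and InQuest lookups expect; the mismatch between a declared Content-Type and the filename extension is itself worth noting in the report.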
- Tool: https://www.virustotal.com/gui/home/upload
Now, visit the tool website and use the SEARCH option to conduct hash-based file reputation analysis. After receiving the results, you will have multiple sections to discover more about the hash and associated file. The steps are shown below.
- Search the hash value.
- Click on the BEHAVIOR tab.
- Analyse the details.
After that, continue with a reputation check on InQuest to enrich the gathered data.
- Tool: https://labs.inquest.net/
Now visit the tool website and use the INDICATOR LOOKUP option to conduct hash-based analysis.
- Search the hash value
- Click on the SHA256 hash value highlighted with yellow to view the detailed report.
- Analyse the file details.
After finishing the steps shown, you have completed the initial email analysis. The next steps are creating a report of the findings and informing the team members/manager in the appropriate format.
IMPORTANT NOTES:
- The given email sample contains a malicious attachment.
- Never directly interact with unknown email attachments outside of an isolated environment.