Chapter 1: Investigating Email Threats
Note: All screenshots in this blog are from the book, so you can trace them if you read the book alongside this blog.
Email remains one of the most exploited attack vectors in cybersecurity. Cybercriminals often use malicious emails as the first step to gain access to a target environment. In this chapter, we explore email-based cyber threats, attacker tactics, evasion techniques, and the methodologies used to investigate suspicious emails.
Cyber attackers use multiple methods to gain initial access to their targets, including:
Phishing Emails
Exploiting Public-Facing Applications
Drive-by Compromise
Stealing Remote Credentials (VPN, RDP, etc.)
According to the IBM Security X-Force Report, 41% of initial access attempts by attackers originate from phishing emails. This highlights the importance of understanding phishing tactics and implementing strong email security measures.
Phishing emails remain one of the most widely used techniques for attackers to gain initial access to victim environments. According to IBM Security X-Force Threat Intelligence Index 2022, 41% of cyberattacks begin with phishing emails. This is because phishing allows attackers to bypass traditional security measures and directly manipulate human psychology.
Let’s break down the reasons why phishing is a preferred attack vector:
One of the key reasons attackers prefer phishing is that email addresses are easy to obtain. Attackers harvest the addresses of potential victims from sources such as:
Company Websites – Many organizations publish employee emails on their websites.
Social Media (LinkedIn, Facebook, Twitter, etc.) – Employees often list their work email addresses on LinkedIn.
Job Postings – Websites like Indeed or Glassdoor often contain recruiter or HR contact emails.
Conference Speaker Lists & Event Registrations – Cybercriminals scrape email lists from online conferences or company event sign-ups.
Data breaches on other websites often expose corporate emails.
Cybercriminals buy leaked email databases from dark web forums.
Marketing databases (e.g., ZoomInfo.com, spam lists) may include legitimate employee emails.
📌 Example: In a real-world attack, an attacker obtained employee emails from LinkedIn and used them to send targeted phishing emails disguised as HR announcements.
Once attackers collect email addresses, delivering malware via email is fast and efficient.
Attackers can upload malware to legitimate cloud services (e.g., Google Drive, Dropbox, OneDrive).
They send an email with a download link or a malicious attachment (e.g., Microsoft Word files with macros).
Unlike network attacks, phishing doesn’t require finding software vulnerabilities.
Instead, attackers rely on social engineering to trick victims into clicking links or opening malicious files.
📌 Example: A phishing campaign targeted bank employees using a fake job offer email containing a malicious PDF. When opened, the PDF downloaded malware, giving the attacker remote access.
Unlike network-based attacks, phishing exploits human behavior instead of software vulnerabilities.
Many employees lack proper cybersecurity training and fall victim to phishing attempts.
Attackers craft emails that look urgent, realistic, and trustworthy, making people act without thinking.
Phishing emails often use psychological triggers to force victims into quick actions:
| Technique | Example |
|---|---|
| Urgency & Fear | "Your bank account will be locked in 24 hours. Click here to verify!" |
| Curiosity | "New salary update from HR. Open the attached document." |
| Authority Impersonation | "CEO request: Please review this confidential report ASAP." |
| Financial Lure | "Congratulations! You've won a $500 Amazon gift card." |
📌 Example: A CEO impersonation phishing email tricked an employee into transferring $250,000 to an attacker’s account.
Compared to other cyberattack methods, phishing is cheap and scalable:
Attackers can send thousands of emails for free using botnets or compromised mail servers.
Even if only a few victims fall for the phishing attack, the attack can be profitable.
Cybercriminals use ready-made phishing kits that automate:
Email delivery
Fake login page creation
Credential harvesting
📌 Example: A phishing-as-a-service (PhaaS) platform allows criminals to buy fully automated phishing campaigns for as little as $50/month.
Even advanced security solutions struggle to block phishing attacks because:
Hosting malicious files on Google Drive or Dropbox allows them to bypass email filters.
Security tools trust links from legitimate cloud services, making phishing emails hard to detect.
Attackers spoof email addresses to make emails look like they come from trusted sources (e.g., PayPal, Microsoft, FedEx).
Example: A phishing email may appear as support@paypal.com, but actually comes from support@paypa1.com (note the small letter change).
📌 Example: A spoofed FedEx email tricked customers into opening a malicious ZIP file disguised as a shipment notification.
Attackers use different phishing techniques depending on their target.
| Phishing Type | Description |
|---|---|
| Spearphishing | Targeted emails sent to specific individuals (e.g., company executives, IT admins). |
| Whaling | Spearphishing attacks aimed at C-level executives. |
| Business Email Compromise (BEC) | Attackers impersonate CEOs or finance officers to steal money. |
| Credential Harvesting | Fake login pages steal passwords (e.g., Microsoft 365, Google). |
| Malware Delivery | Emails contain infected attachments (e.g., Excel macros, PDFs). |
📌 Example: A spearphishing attack on a Fortune 500 company led to a ransomware infection, costing millions.
Phishing attacks provide attackers with anonymity, making it difficult to trace them.
Attackers create temporary email accounts using Gmail, Yahoo, or Outlook.
Once an attack is complete, they delete the email account, leaving no trace.
Attackers use infected computers (botnets) to send millions of phishing emails without revealing their real IP address.
📌 Example: A phishing campaign used the Emotet botnet to send hundreds of thousands of malicious emails globally.
Email threats come in many forms, ranging from malicious attachments to deceptive links and social engineering attacks. While phishing remains the most common email-based attack, attackers also use blackmail, business email compromise (BEC), and other advanced techniques to trick victims.
Attackers send emails with malicious attachments that contain malware or scripts to steal credentials, execute ransomware, or gain system access.
The attacker spoofs a trusted sender (e.g., HR, IT department, CEO).
The email contains an attachment that appears legitimate (e.g., "Invoice.pdf", "Project_Plan.docx").
When the victim opens the attachment, a macro, exploit, or script runs to execute malicious actions.
The attacker gains access to the victim’s machine or network.
Attackers use different file formats for phishing attachments, each with unique exploitation techniques.
| Attachment Type | Attack Technique | Description |
|---|---|---|
| Microsoft Office Documents (.docx, .xlsx, .pptx) | Macro-Based Malware | Malicious VBA macros execute scripts when the document is opened. |
| PDF Files (.pdf) | Embedded JavaScript | Attackers embed malicious scripts that exploit PDF reader vulnerabilities. |
| Compressed Archives (.zip, .rar, .7z) | Hidden Executables | Victims extract and execute malware disguised as a harmless file. |
| ISO Files (.iso) | Disk Image Bypass | Windows automatically mounts ISOs, allowing attackers to bypass some security checks. |
| HTML Attachments (.html, .htm) | Phishing Forms | Directs users to a fake login page to steal credentials. |
The attacker sends an email with a malicious Word document (e.g., “Invoice_12345.docm”).
The document prompts the victim to "Enable Macros".
Once enabled, the macro downloads and executes malware from an attacker’s server.
The attacker gains access to the victim’s system and steals credentials.
Instead of sending malicious attachments, attackers use deceptive links to trick victims into:
Entering credentials on a fake login page.
Downloading malware from an external server.
The attacker sends an email with a clickable link (e.g., "Click here to update your password").
The link redirects the victim to a fake login page or malware download site.
The victim enters credentials (which get stolen) or downloads a malicious file.
| Phishing Link Type | Attack Strategy |
|---|---|
| Credential Harvesting | The link leads to a fake login page that mimics Microsoft 365, Google, or PayPal. |
| Malware Download | Clicking the link downloads ransomware, spyware, or trojans. |
| Redirects to Legitimate-Looking Domains | Attackers use trusted services (Google Sites, Firebase, Dropbox) to host phishing pages. |
| Hidden Links in QR Codes | QR codes in emails trick mobile users into visiting malicious pages. |
The attacker spoofs an email from "Microsoft Security".
The email says: "Your account has been locked. Click here to verify your identity."
The link opens a fake Microsoft 365 login page (which looks real).
The victim enters their credentials, which get sent to the attacker.
The attacker now has full access to the victim’s email and corporate account.
Blackmail emails, also known as sextortion scams, threaten the victim with fake or stolen information to extort money.
The attacker sends an email claiming to have hacked the victim’s computer.
They claim to have recorded private activities (e.g., webcam footage, browser history).
They demand ransom (usually in Bitcoin) or threaten to release the data.
Victims panic and may send money, even if the claim is fake.
| Technique | How It Works |
|---|---|
| Leaked Passwords from Data Breaches | Attackers include an old password from a breach to scare the victim. |
| Spoofing the Victim's Email Address | The attacker forges the "From" address to make it seem like they hacked the victim's account. |
| Fake Claims of Malware Infection | The email says the victim's device was infected with malware that recorded their activity. |
Subject: "Your Device Has Been Compromised – Pay $1,000 to Avoid Exposure"
The email fakes the sender’s address (so it looks like it came from the victim's own email).
It claims: "We recorded you through your webcam and will release the footage unless you send 0.5 BTC to this wallet."
In reality, the attacker has no actual access, but some victims pay out of fear.
BEC attacks involve cybercriminals impersonating executives or trusted business contacts to trick victims into making fraudulent financial transactions.
The attacker gains access to an employee’s email account (via phishing or stolen credentials).
They monitor emails and identify ongoing financial transactions.
They send a fraudulent email (posing as a CEO, vendor, or supplier).
The victim transfers money to the attacker's account.
| Attack Type | Description |
|---|---|
| CEO Fraud | The attacker impersonates the CEO or CFO and requests an urgent wire transfer. |
| Vendor Invoice Scam | The attacker spoofs a vendor's email and requests payment to a new bank account. |
| Payroll Diversion | The attacker hijacks an HR email and changes an employee's direct deposit details. |
The attacker spoofs the CEO’s email (e.g., John.Smith@company.com → John.Srnith@company.com).
The email is sent to the finance department:
"Urgent: Please wire $50,000 to this account for a confidential project."
The finance team, thinking it's from the CEO, sends the money.
The funds go to the attacker’s offshore account.
As email security solutions continue to evolve, attackers have also improved their techniques to bypass detection and successfully deliver phishing emails, malware, and social engineering attacks. Many organizations now deploy Secure Email Gateways (SEGs) and threat-hunting teams, yet attackers still find ways to evade detection.
One of the primary security mechanisms used by email gateways is domain reputation analysis. Email security solutions block emails from known malicious domains, which have been used in past phishing campaigns.
Attackers register brand-new domains that haven’t been blacklisted yet.
These domains are not present in threat intelligence feeds, allowing them to bypass security filters.
The attacker uses these domains to send phishing emails or host fake login pages.
📌 Example: An attacker registers the new domain microsoft-secure-login[.]com and sends phishing emails claiming:
"Your Microsoft 365 account has been compromised. Click here to verify."
The link redirects to a fake Microsoft login page.
The victim enters credentials, which the attacker steals in real-time.
✅ Implement domain age detection to block emails from newly registered domains. ✅ Use threat intelligence feeds that track domain registration trends. ✅ Apply sandbox analysis to scan links before allowing users to click.
Attackers avoid using blacklisted SMTP servers to send malicious emails. Many Secure Email Gateways (SEGs) rely on IP reputation to filter spam and phishing attempts.
Instead of using already-blacklisted mail servers, attackers:
Hijack legitimate SMTP servers from compromised businesses.
Rent clean SMTP servers from cloud hosting providers (AWS, Google Cloud).
Use personal email accounts (e.g., Gmail, Outlook, Yahoo) to send phishing emails.
📌 Example: An attacker compromises a small business email server and uses it to send thousands of phishing emails. Since the SMTP server has a good reputation, security solutions fail to detect the attack.
Many email security solutions now use sandboxing to analyze email attachments and detect malware before it reaches the recipient.
Attackers use several techniques to evade sandbox analysis, including:
Malware delays execution for several minutes after opening.
Since sandbox analysis runs for only 2-5 minutes, the malware remains undetected.
📌 Example: A weaponized Excel file contains a macro that pauses execution for 10 minutes before downloading malware. By the time the sandbox analysis finishes, the malware remains hidden.
Attackers send password-protected ZIP files that contain malware.
Since email security solutions cannot open encrypted files, they pass through undetected.
The email includes the password in the message body, allowing the victim to open it.
📌 Example: A phishing email claims: "Your invoice is attached (Password: 1234). Please review it ASAP."
The victim extracts the ZIP file using the password and unknowingly executes malware.
Malware checks if it is running in a sandbox before executing malicious behavior.
It detects VM-based sandboxes by:
Checking for low CPU/RAM usage.
Looking for virtual machine indicators (e.g., "VMware", "VirtualBox").
Searching for debugging tools (Wireshark, Process Explorer).
📌 Example: A malware sample checks system properties and stays dormant if it detects a virtualized environment. If running on a real victim machine, it executes the attack.
Instead of activating on any machine, sophisticated malware only executes when:
It detects the target organization’s IP address.
It receives commands from the attacker's C2 server.
This prevents sandboxing systems from triggering the malware.
📌 Example: An attacker hardcodes the victim’s IP range into the malware. If the malware runs in a sandbox, it does nothing. But if it runs inside the victim’s network, it deploys ransomware.
✅ Increase sandbox analysis time to detect delayed execution. ✅ Block password-protected email attachments unless verified. ✅ Use AI-based sandboxing to detect environment-aware malware.
To bypass domain reputation checks, attackers host phishing pages on trusted services like:
Google Firebase (appspot.com)
Microsoft Azure (web.app)
Dropbox, OneDrive, Google Drive
Legitimate but compromised websites
Since these domains are trusted, email security filters fail to block them.
📌 Example: An attacker hosts a fake Microsoft 365 login page on a Google Cloud subdomain:
hxxps://secure-login.appspot.com/microsoft365-authentication/
Since Google appspot.com is a trusted domain, email security solutions fail to detect it.
Victims enter their credentials, which get sent to the attacker.
✅ Block emails containing links to uncommon hosting providers. ✅ Use URL threat intelligence to detect phishing sites on trusted domains. ✅ Train employees to manually check the URL before entering credentials.
Attackers bypass technical defenses by manipulating human psychology—a method known as social engineering. Instead of hacking systems directly, they trick victims into interacting with malicious emails, leading to credential theft, malware infections, or financial fraud.
Attackers use email spoofing to make their emails appear to come from a trusted sender, such as:
Company executives (CEO, CFO, HR, IT Support)
Trusted vendors or business partners
Government agencies (IRS, FBI, Tax Authorities)
Popular services (Microsoft, PayPal, Amazon, DHL)
📌 How Email Spoofing Works:
Attackers modify the "From" field to impersonate a trusted sender.
Victims trust the email because the sender appears legitimate.
The email contains phishing links or malicious attachments.
The attacker spoofs the CEO’s email address (John.Smith@company.com → John.Srnith@company.com).
The email appears to come from the CEO and is sent to the finance team:
"Urgent: Please wire $50,000 to this new supplier account immediately."
The finance employee, believing it's legitimate, transfers the money to the attacker.
✅ Check the sender's email address carefully (e.g., "rnicrosoft.com" vs. "microsoft.com"). ✅ Analyze email headers for mismatched sender IPs. ✅ Implement DMARC, SPF, and DKIM to prevent spoofing.
Email thread hijacking occurs when an attacker compromises a real email account and continues existing email conversations—making phishing attempts seem authentic.
📌 How Email Thread Hijacking Works:
The attacker hacks a real employee's mailbox (via stolen credentials or malware).
They find ongoing conversations (e.g., a payment discussion).
They reply to the thread with a phishing link or modified banking details.
The attacker gains access to a vendor’s email account.
They find an ongoing invoice payment discussion.
They insert a new message:
"Please note our bank details have changed. Use the new account for this payment."
The finance team, seeing the message in a legitimate email thread, sends the payment to the attacker.
✅ Verify any changes in payment details with a phone call. ✅ Use Multi-Factor Authentication (MFA) to prevent email compromise. ✅ Flag emails with different "Reply-To" addresses as suspicious.
Attackers know that employees are trained to check for HTTPS and padlock icons in browsers before entering credentials. To exploit this trust, they host phishing pages on legitimate services, such as:
Google Firebase (appspot.com)
Microsoft Azure (web.app)
Dropbox, Google Drive, OneDrive
Compromised business websites
📌 How It Works:
The attacker hosts a phishing page on a trusted domain.
The phishing email contains a link to the fake login page.
Victims see a secure HTTPS connection and believe it's legitimate.
They enter credentials, which are sent directly to the attacker.
The attacker creates a fake Microsoft login page and hosts it on:
hxxps://secure-login.appspot.com/microsoft365-authentication/
The phishing email says:
"Your Microsoft account is locked. Click below to verify your credentials."
The victim enters their username and password, which the attacker captures.
✅ Manually check the full URL before entering credentials. ✅ Use AI-powered phishing detection in email security solutions. ✅ Train employees to recognize URL manipulation tricks.
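The two sections above (phishing pages on trusted hosting, and the HTTPS-padlock trust problem) come down to the same triage question: what host does the link actually land on, and who controls the part of the name in front of the platform suffix? The following is an added example, not code from the book or the blog: it refangs a reported URL, treats the scheme as irrelevant to the verdict, and looks for brand or login words under the shared-hosting suffixes the chapter lists (appspot.com, web.app). The allowlist of brand domains and the lure-word list are constructed for the example; lookalike registrable domains (paypa1.com and the like) are a separate check and are deliberately not handled here.

```python
"""Link triage for phishing pages parked on shared hosting (added example)."""
from urllib.parse import urlparse

# Suffixes the chapter lists as shared hosting where anyone can publish under a subdomain.
SHARED_HOSTING_SUFFIXES = ("appspot.com", "web.app")
# Domains whose login pages are genuinely expected (constructed allowlist for this example).
KNOWN_BRAND_DOMAINS = {"microsoft.com", "paypal.com", "company.com"}
# Words a phishing page borrows to look like a login portal (constructed list).
LURE_WORDS = ("microsoft", "office", "365", "paypal", "login", "signin",
              "auth", "verify", "password", "account")


def refang(url):
    """Undo the hxxps:// and [.] defanging used in reports so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def registrable(host):
    """Last two labels of the host (simplification: multi-label TLDs such as co.uk not handled)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url):
    """Return (verdict, reasons) for a link found in an email body."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if not host:
        return ("unparseable", ["no host in URL"])
    if registrable(host) in KNOWN_BRAND_DOMAINS:
        return ("trusted", [f"{host} is under the brand's own domain"])

    # A padlock only proves TLS to *this* host, so parsed.scheme never lowers the risk.
    platform = next((s for s in SHARED_HOSTING_SUFFIXES
                     if host == s or host.endswith("." + s)), None)
    if platform is None:
        return ("unknown", ["host is neither allowlisted nor on a known shared platform"])

    # Everything left of the platform suffix is chosen by whoever registered the tenant.
    tenant = host[: -len(platform) - 1]
    hits = sorted({w for w in LURE_WORDS if w in tenant or w in path})
    reasons = [f"hosted under shared platform {platform} (tenant '{tenant}' is chosen by the publisher)"]
    if hits:
        reasons.append(f"lure words {hits} in tenant name or path")
        return ("suspicious", reasons)
    return ("review", reasons)


if __name__ == "__main__":
    for link in ("hxxps://secure-login.appspot.com/microsoft365-authentication/",
                 "hxxps://microsoft365-auth[.]web.app",
                 "https://login.microsoft.com/security-update",
                 "https://docs.example.org/report"):
        print(link, "->", assess_url(link))
```

The "review" verdict (a shared-platform host with no lure words) is the honest middle ground: legitimate applications live on these suffixes too, so blocking them outright causes more tickets than it prevents, while the lure-word hit is what turns the same host into a "suspicious" result worth a detonation or a user notification.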
Attackers pressure victims into taking immediate action by using fear, urgency, or authority.
| Technique | Example |
|---|---|
| Urgency | "Your bank account will be locked in 24 hours!" |
| Fear | "We detected unauthorized access to your email—reset your password now!" |
| Authority | "This is an official notice from HR—submit your tax documents immediately." |
| Financial Lure | "Congratulations! You won a $500 gift card—claim it now!" |
📌 Example: Urgent Payroll Scam
The attacker spoofs an email from HR:
"Due to a system update, please re-enter your banking details for direct deposit."
Employees panic and submit their credentials, allowing the attacker to redirect salaries.
✅ Train employees to recognize fake urgency. ✅ Verify urgent requests through a secondary communication channel. ✅ Use email filtering to detect keywords associated with phishing.
Attackers mimic legitimate email formatting by using:
Official company logos
Employee signatures copied from previous emails
Similar fonts and layouts as real emails
📌 How It Works:
Attackers collect real email signatures from past email leaks.
They craft fake emails that look exactly like real company messages.
Victims don’t notice any formatting differences and assume the email is legitimate.
The attacker spoofs the IT department and sends a fake password reset request.
The email contains the real company logo, official footer, and contact details.
Employees click the link and enter their credentials, giving attackers access.
✅ Enable external sender warnings in corporate email systems. ✅ Cross-check email addresses before responding. ✅ Use digital signatures (S/MIME, PGP) to verify sender authenticity.
Many users automatically trust emails from colleagues, making internal phishing highly effective.
📌 How It Works:
The attacker compromises an employee’s email account.
They send phishing emails to coworkers from the compromised account.
Since the email is from a real employee, colleagues assume it's safe and interact with it.
The attacker hacks Alice’s email and sends this message to Bob:
"Hey Bob, please review this document ASAP: [Dropbox link]."
Bob, trusting Alice, downloads the file, which contains malware.
✅ Monitor for unusual email activity within the organization. ✅ Require Multi-Factor Authentication (MFA) for all employees. ✅ Flag emails with suspicious attachments or links, even if internal.
Secure Email Gateways (SEGs) act as a defense layer between incoming emails and end users, filtering out spam, phishing, and malware before they reach recipients. These security solutions generate detailed logs that contain valuable information for SOC analysts and incident responders.
Understanding the structure and significance of SEG logs is essential for detecting phishing attacks, malware campaigns, and business email compromise (BEC) threats.
A Secure Email Gateway (SEG) is a security solution that inspects all inbound and outbound emails before they reach the recipient’s inbox.
✅ Email Filtering: Blocks spam, phishing, and malware emails.
✅ Threat Intelligence Integration: Checks email domains, IPs, and attachments against known threat databases.
✅ Advanced Malware Analysis: Uses sandboxing to detect hidden malware in attachments.
✅ DMARC, SPF, DKIM Enforcement: Prevents email spoofing and fraud.
✅ Content Inspection: Scans email body, subject, and headers for suspicious keywords and patterns.
📌 Example of SEG Solutions:
Proofpoint Email Security
Microsoft Defender for Office 365
Cisco Email Security Appliance (ESA)
Barracuda Email Security Gateway
Secure Email Gateways generate multiple logs based on different functions.
| Log Type | Description |
|---|---|
| SMTP Logs | Track email transmission details, including sender IP, recipient, and delivery status. |
| Message Tracking Logs | Provide a detailed record of email flow, including timestamps and routing details. |
| Spam & Malware Logs | Contain information on emails flagged as spam, phishing, or containing malware. |
| Quarantine Logs | Track emails isolated for further review before delivery to recipients. |
| Content Filtering Logs | Show how email body and attachments were scanned against predefined security policies. |
📌 Example Use Case:
A phishing email bypasses security and is delivered to employees.
SOC analysts check SEG logs to trace how the email entered the network.
They find the email was sent from a newly created domain, raising suspicion.
Analysts block similar domains in the future to prevent another attack.
To investigate suspicious emails, analysts must understand the meaning of each log field. Below is a breakdown of the most important log fields found in SEG logs:
Definition: The IP address of the server that sent the email.
Why it’s Important: Helps identify whether the email originated from a trusted or malicious source.
Investigation Tip: Check the SMTP server IP against threat intelligence feeds (e.g., MxToolbox, AbuseIPDB).
📌 Example:
Email sent from 185.123.45.67.
The IP is checked on MxToolbox and found on multiple spam blacklists.
This indicates a high chance of phishing.
Definition: The email address that appears in the "From" field.
Why it’s Important: Attackers often spoof legitimate addresses to trick victims.
Investigation Tip: Cross-check with DMARC, SPF, and DKIM records to detect spoofing.
📌 Example:
Email claims to be from billing@paypal.com.
SEG logs show the actual sending domain is "paypal-update-security[.]com" (a fake domain).
This is a clear case of email spoofing.
Definition: The intended recipient’s email address.
Why it’s Important: Helps identify who received the suspicious email.
Investigation Tip: If multiple employees receive the same phishing email, it may indicate a targeted attack.
📌 Example:
Attackers send malicious invoices to finance@company.com and payroll@company.com.
Indicates a targeted Business Email Compromise (BEC) attempt.
Definition: The subject line of the email.
Why it’s Important: Phishing emails often use common lures like:
"Urgent: Update Your Password"
"Invoice #4567 Attached"
"New Security Alert on Your Account"
Investigation Tip: Search SEG logs for common phishing subject lines to find other impacted users.
📌 Example:
Multiple users receive emails with subject: "Your Office 365 Password Expired".
Indicates a Microsoft 365 phishing campaign targeting the company.
Definition: Shows filenames of email attachments and their unique hash values.
Why it’s Important: Helps detect malicious attachments used in phishing attacks.
Investigation Tip: Compare file hashes against VirusTotal, ANY.RUN, or sandbox tools.
📌 Example:
Invoice_56789.pdf attached to an email.
Hash checked on VirusTotal → Detected as Redline Stealer malware.
Indicates a phishing email spreading malware.
Definition: List of URLs included in the email body.
Why it’s Important: Helps identify phishing links and malicious websites.
Investigation Tip: Use URLScan.io or VirusTotal to analyze the domain reputation.
📌 Example:
Email contains the link: hxxps://secure-login[.]microsoft365-support[.]com
Checked on URLScan.io → Found to be a phishing page stealing Office 365 credentials.
Definition: The action taken by the SEG (delivered, blocked, quarantined).
Why it’s Important: Helps analysts understand whether a threat reached end-users.
Investigation Tip: If a phishing email was delivered, analysts must manually investigate affected users.
📌 Example:
Email marked as “Delivered” → Employees may have interacted with the phishing content.
Email marked as “Quarantined” → No further action needed.
Extract log data related to a suspected phishing email.
Analyze sender IP to check if it’s blacklisted or suspicious.
Verify email sender address for spoofing or mismatched domains.
Check file attachments against VirusTotal or sandbox environments.
Inspect URLs using URLScan.io or domain reputation tools.
Determine email action (delivered, blocked, or quarantined).
Identify affected users and notify them not to interact with the email.
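The field breakdown and the seven-step procedure above map directly onto code. The block below is an added example, not the book's or the blog's: it parses a few constructed SEG records (a generic key=value layout, since every product has its own schema), applies the per-field checks (blocklisted source IP, header From domain disagreeing with the envelope sender, a known-bad attachment hash, and whether the message was actually delivered), and clusters subjects across recipients to surface a campaign. The IP blocklist and the malware hash are inline stand-ins for the MxToolbox, AbuseIPDB and VirusTotal lookups the text describes; no network calls are made.

```python
"""SEG log triage (added example): per-record checks plus subject clustering."""
import shlex
from collections import defaultdict

# Constructed stand-ins for threat-intel lookups; none of these are real indicators.
BLOCKLISTED_IPS = {"185.123.45.67"}
BAD_HASH = "c0ffee" * 10 + "feed"                     # constructed 64-hex placeholder
KNOWN_BAD_HASHES = {BAD_HASH: "Redline Stealer"}

# Constructed SEG records. Real gateways use their own field names; adjust the keys accordingly.
SEG_LOGS = f"""\
ts=2024-05-01T08:01:12Z src_ip=185.123.45.67 from=billing@paypal.com env_from=alerts@paypal-update-security.com to=finance@company.com subject="Urgent: Update Your Password" urls=hxxps://secure-login.microsoft365-support.com attach= sha256= action=delivered
ts=2024-05-01T08:01:15Z src_ip=185.123.45.67 from=billing@paypal.com env_from=alerts@paypal-update-security.com to=payroll@company.com subject="Urgent: Update Your Password" urls=hxxps://secure-login.microsoft365-support.com attach= sha256= action=quarantined
ts=2024-05-01T09:10:00Z src_ip=203.0.113.10 from=news@vendor.example env_from=news@vendor.example to=alice@company.com subject="May newsletter" urls=https://vendor.example/news attach= sha256= action=delivered
ts=2024-05-01T09:45:30Z src_ip=198.51.100.5 from=billing@xyzcorp.com env_from=billing@xyzcorp.com to=bob@company.com subject="Invoice #4567 Attached" urls= attach=Invoice_56789.pdf sha256={BAD_HASH} action=delivered
"""


def parse_seg_logs(text):
    """Turn key=value lines into dicts; shlex keeps quoted subjects as one value."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for token in shlex.split(line):
            key, _, value = token.partition("=")
            fields[key] = value
        records.append(fields)
    return records


def domain_of(address):
    return address.rpartition("@")[2].lower()


def triage_record(rec):
    """Apply the field checks from the text to one record; return the list of findings."""
    findings = []
    if rec.get("src_ip") in BLOCKLISTED_IPS:
        findings.append("sender IP on blocklist")
    hdr_from, env_from = rec.get("from", ""), rec.get("env_from", "")
    if env_from and domain_of(hdr_from) != domain_of(env_from):
        findings.append(f"From domain {domain_of(hdr_from)} != envelope domain {domain_of(env_from)}")
    malware = KNOWN_BAD_HASHES.get(rec.get("sha256", ""))
    if malware:
        findings.append(f"attachment {rec.get('attach')} matches {malware}")
    # The action field decides the follow-up: a blocked or quarantined copy never reached a user.
    if findings and rec.get("action") == "delivered":
        findings.append(f"delivered to {rec.get('to')}: notify the user and pull the message")
    return findings


def find_campaigns(records, min_recipients=2):
    """Same subject hitting several recipients is the 'targeted campaign' signal from the text."""
    by_subject = defaultdict(set)
    for rec in records:
        by_subject[rec.get("subject", "")].add(rec.get("to", ""))
    return {subj: sorted(rcpts) for subj, rcpts in by_subject.items() if len(rcpts) >= min_recipients}


def investigate(text):
    records = parse_seg_logs(text)
    suspicious = []
    for rec in records:
        findings = triage_record(rec)
        if findings:
            suspicious.append((rec.get("to", ""), findings))
    return {"suspicious": suspicious, "campaigns": find_campaigns(records)}


if __name__ == "__main__":
    result = investigate(SEG_LOGS)
    for recipient, findings in result["suspicious"]:
        print(recipient, "->", "; ".join(findings))
    print("campaigns:", result["campaigns"])
```

Notice that the newsletter record produces no findings even though it was delivered: the action field only matters once another check has fired, which keeps the analyst's queue to messages that are both suspicious and reachable by a user.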
When a suspicious email reaches a recipient, SOC analysts must determine whether it is malicious or benign. Investigating email content involves analyzing headers, sender details, attachments, embedded links, and body text to uncover signs of phishing, malware, or business email compromise (BEC) attacks.
SOC analysts follow a structured process to investigate potential email threats:
1️⃣ Analyze the sender's domain & SMTP server reputation
2️⃣ Check for email spoofing (forged sender addresses)
3️⃣ Inspect the email body for suspicious text patterns
4️⃣ Investigate embedded URLs (phishing links or malware downloads)
5️⃣ Analyze email attachments for malware
6️⃣ Correlate findings using threat intelligence tools
📌 Example Use Case:
An employee reports an email titled "Urgent: Your PayPal Account Has Been Suspended."
The email contains a link to verify account details.
Analysts investigate email headers, URLs, and attachments to determine if it is a phishing attempt.
Attackers often spoof email addresses to trick victims into believing emails come from a legitimate source.
Check the sender’s email domain for typos or lookalike domains.
Perform a WHOIS lookup on the sender’s domain.
Use MxToolbox to check if the SMTP server IP is blacklisted.
📌 Example: Identifying a Fake Domain
| Email Claiming to Be From | Actual Sender Domain |
|---|---|
| support@paypal.com | support@paypa1.com (fake '1' instead of 'l') |
| admin@microsoft.com | admin@rnicrosoft.com ('rn' instead of 'm') |
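Spotting "paypa1" or "rnicrosoft" by eye does not scale across a mailbox, so the check is usually automated. The block below is an added example, not code from the book or the blog: it normalises the confusable substitutions shown in the table (1 for l, 0 for o, rn for m, vv for w, cl for d), compares the result against a constructed list of domains the organisation wants protected, and falls back to an edit-distance check for plain typosquats and a brand-word check for names like microsoft365-support.com. The protected-domain list is an assumption for the example.

```python
"""Lookalike sender-domain classification (added example)."""

# Constructed list of domains worth protecting; a real deployment would load this from config.
PROTECTED_DOMAINS = ["company.com", "microsoft.com", "paypal.com"]

# Visual substitutions; multi-character pairs first so "rn" collapses before single chars.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]


def registrable(domain):
    """Last two labels of a host name (simplification: ignores multi-label TLDs such as co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def canonical(domain):
    """Map each confusable sequence to the character it imitates."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain):
    """Return (verdict, protected_domain_it_imitates_or_None)."""
    reg = registrable(domain)
    if reg in PROTECTED_DOMAINS:
        return ("legitimate", reg)
    canon = canonical(reg)
    for real in PROTECTED_DOMAINS:          # paypa1.com -> paypal.com, rnicrosoft.com -> microsoft.com
        if canon == real:
            return ("homoglyph", real)
    for real in PROTECTED_DOMAINS:          # paypall.com, micrsoft.com
        if edit_distance(canon, real) <= 1:
            return ("typosquat", real)
    brand = reg.split(".")[0]
    for real in PROTECTED_DOMAINS:          # microsoft365-support.com carries the brand in its name
        if real.split(".")[0] in brand:
            return ("brand-in-domain", real)
    return ("unrelated", None)


def classify_sender(address):
    """Convenience wrapper for a full address such as support@paypa1.com."""
    return classify_sender_domain(address.rpartition("@")[2])


if __name__ == "__main__":
    for addr in ("support@paypa1.com", "admin@rnicrosoft.com", "billing@paypall.com",
                 "noreply@mail.microsoft.com", "alerts@microsoft365-support.com", "news@vendor.example"):
        print(addr, "->", classify_sender(addr))
```

The canonicalisation is a heuristic: "cl" to "d" would also rewrite an innocent domain, but it only matters when the rewritten name collides with a protected one, and a false positive here costs an analyst a glance while a miss costs a credential.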
Email spoofing tricks recipients into thinking the email comes from a trusted sender, but actually originates from an attacker-controlled server.
✅ Check email headers for mismatched sender domains. ✅ Verify SPF, DKIM, and DMARC authentication records. ✅ Use MxToolbox or emailheader.org to analyze headers.
📌 Example: Spoofed Email from FedEx
The email appears to be from shipping@fedex.com.
SMTP logs show it was sent from an unknown IP (185.198.56.12).
The real FedEx mail servers do not use this IP → Email is spoofed.
Phishing emails often contain psychological triggers to trick users into clicking malicious links or downloading malware.
| Phishing Tactic | Example Text in Email |
|---|---|
| Urgency & Threats | "Your account will be suspended in 24 hours unless you verify your details now." |
| Fake Financial Requests | "Please confirm this invoice payment by clicking below." |
| Government Impersonation | "This is the IRS. Immediate tax payment required to avoid legal action." |
| Password Reset Scams | "Your password has expired. Click here to reset." |
📌 Example: An email claiming to be from Microsoft says: "Your account has been compromised. Click here to reset your password immediately."
The tone is urgent, and grammar mistakes suggest phishing.
The reset link does not go to Microsoft → Suspicious email confirmed.
Phishing emails embed links that redirect victims to credential-stealing sites or malware download pages.
✅ Hover over the link to see the actual URL. ✅ Use URLScan.io to analyze the URL before clicking. ✅ Check the domain reputation on VirusTotal or IBM X-Force Exchange.
📌 Example: Fake Microsoft Login Page
Email claims: "Security alert: Unusual login detected on your Microsoft account."
The button link redirects to:
✅ Real: https://login.microsoft.com/security-update
❌ Fake: hxxps://microsoft365-auth[.]web.app
Attackers embed malware in email attachments, using common file types to bypass detection.
| File Type | Threat |
|---|---|
| .docm / .xlsm (Macro-enabled Office Files) | Runs VBA macros to download malware. |
| .pdf | Contains JavaScript exploits or links to phishing pages. |
| .zip / .rar | Contains executables disguised as documents. |
| .iso | Bypasses traditional file scanning protections. |
📌 Example: Analyzing a Suspicious Attachment
Extract file hash using PowerShell or an online tool.
Check the hash against VirusTotal for malware detection.
If unknown, submit to ANY.RUN or Hybrid Analysis for sandbox execution.
SOC analysts correlate findings with external threat intelligence sources to confirm whether an email is part of a larger attack campaign.
| Tool | Purpose |
|---|---|
| VirusTotal | Checks file hashes, URLs, and domains for malware. |
| URLScan.io | Analyzes URLs for phishing behavior. |
| AbuseIPDB | Identifies malicious sender IPs. |
| IBM X-Force Exchange | Provides domain and IP reputation insights. |
📌 Example: An email from support@paypal.com contains a link to hxxps://paypal-security-update[.]com.
Checked on URLScan.io → Detected as a known phishing site.
The sender IP is listed on AbuseIPDB for sending fraudulent emails.
Conclusion: Confirmed phishing attempt.
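Steps 2 through 5 of the investigation process above (spoofing, body links, attachments, hashes) all operate on the raw message, and Python's standard `email` package is enough to work through them. The following is an added example, not the book's or the blog's code: it first builds a constructed message modelled on the PayPal scenario (forged From, mismatched Reply-To, failing SPF/DKIM/DMARC results, a link to an unrelated host, and a macro-enabled attachment), then parses it back and reports what an analyst would pull out: authentication results, the Reply-To mismatch, the embedded URLs, each attachment's SHA-256 and type risk, and the first-hop IP from the Received header. All header values, the IP and the attachment bytes are made up; nothing contacts VirusTotal or URLScan, and the hash is what you would paste into those services.

```python
"""Reported-message analysis with the stdlib email package (added example)."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Attachment types the chapter singles out as high risk.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".zip", ".rar", ".7z", ".iso", ".html", ".htm"}


def domain_of(address):
    return parseaddr(address)[1].rpartition("@")[2].lower()


def build_sample_eml():
    """Constructed message for the example; every value here is invented."""
    msg = EmailMessage()
    msg["From"] = "PayPal Support <support@paypal.com>"
    msg["To"] = "finance@company.com"
    msg["Reply-To"] = "recover@paypal-security-update.com"
    msg["Subject"] = "Urgent: Your PayPal Account Has Been Suspended"
    msg["Received"] = ("from mail.paypal-security-update.com ([185.198.56.12]) "
                       "by mx.company.com; Wed, 1 May 2024 08:01:12 +0000")
    msg["Authentication-Results"] = ("mx.company.com; spf=fail smtp.mailfrom=paypal-security-update.com; "
                                     "dkim=none; dmarc=fail header.from=paypal.com")
    msg.set_content("Your account is suspended.\nVerify at https://paypal-security-update.com/login\n")
    msg.add_alternative('<p>Verify at <a href="https://paypal-security-update.com/login">PayPal</a></p>',
                        subtype="html")
    msg.add_attachment(b"PK\x03\x04 constructed bytes, not a real workbook",
                       maintype="application", subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="Invoice_3421.xlsm")
    return msg.as_string()


def analyze_eml(raw):
    """Parse a raw RFC 5322 message and collect the indicators an analyst checks first."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg["From"]))
    findings = []

    # Step 2: authentication results recorded by our own gateway for the From domain.
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            findings.append(f"{mech}={auth.get(mech, 'missing')} for From domain {from_domain}")

    reply_to = str(msg.get("Reply-To", ""))
    reply_to_mismatch = bool(reply_to) and domain_of(reply_to) != from_domain
    if reply_to_mismatch:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain")

    # Step 4: every URL in text and HTML parts, compared naively against the claimed sender.
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    for url in sorted(urls):
        host = url.split("/")[2].lower()
        if not host.endswith(from_domain):
            findings.append(f"link host {host} does not belong to {from_domain}")

    # Step 5: hash each attachment and flag the types from the table.
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        risky = ext in RISKY_EXTENSIONS
        attachments.append({"name": name, "sha256": hashlib.sha256(data).hexdigest(), "risky": risky})
        if risky:
            findings.append(f"attachment {name} has high-risk type {ext}; look the hash up before opening")

    # Step 1 input: the IP in the first Received header is what gets checked against blocklists.
    received = msg.get_all("Received") or []
    match = RECEIVED_IP_RE.search(str(received[0])) if received else None
    source_ip = match.group(1) if match else None

    return {"from_domain": from_domain, "auth": auth, "reply_to_mismatch": reply_to_mismatch,
            "urls": sorted(urls), "attachments": attachments, "source_ip": source_ip,
            "findings": findings, "verdict": "suspicious" if findings else "no indicators"}


if __name__ == "__main__":
    report = analyze_eml(build_sample_eml())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The link check uses a plain suffix comparison against the From domain, so it asks only "does this link even pretend to belong to the sender?"; lookalike hosts and shared-hosting platforms need their own checks, and the hash is meant to be looked up rather than judged locally.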
📌 Scenario: An employee receives an email titled "Invoice Payment Confirmation – Action Required" with an attached "Invoice_3421.xlsm" file.
🔍 Investigation Steps & Findings:
1️⃣ Check sender domain: billing@xyzcorp.com (✅ legitimate supplier).
2️⃣ Verify SMTP IP: Found on spam blacklists (❌ suspicious).
3️⃣ Analyze attachment: Macro-enabled Excel file (❌ high risk).
4️⃣ Extract file hash: Detected as TrickBot malware on VirusTotal (❌ confirmed threat).
5️⃣ Search past logs: Similar emails targeted multiple employees (⚠️ active attack).
📌 Final Action: ✅ Blocked the sender domain & SMTP IP. ✅ Removed emails from all user inboxes. ✅ Alerted employees to avoid similar scams.
Phishing remains the top email-based attack vector (41% of initial access attempts).
Attackers use advanced evasion techniques (e.g., newly created domains, sandbox evasion).
Social engineering tactics (spoofing, thread hijacking) increase the success of phishing attacks.
Investigating emails involves checking sender reputation, analyzing headers, and examining email content.
📌 In the next chapter, we will dive into email flow and header analysis to further enhance email threat investigation techniques.
✅ Use DMARC, SPF, and DKIM records to verify legitimate email senders (discussed later). ✅ Block new or unusual SMTP servers from sending inbound emails. ✅ Use MxToolbox to check SMTP server reputation.
And Don't Forget To