Methods for IT Security Staff to Investigate Malicious Emails



Introduction

Because a large share of compromises begin with a phishing email, IT staff and security analysts need to know how to investigate suspicious and malicious messages. For those less technically inclined, don't tune out just yet: some of what follows will help you protect your inbox, your network, and your organization as a whole.

  • Introduction
  • Link and URL inspection
  • Reviewing grammar and spelling
  • Email header / origin inspection
  • Investigating attachments

For those who do not know, the reason it is a bad idea to click links or load images in email is that either action can hand something to an attacker: a link can take you to a credential-harvesting page or to a site that exploits your browser, and a remote image (a tracking pixel) confirms to the sender that your address is live and usually reveals your IP address and mail client. This is why mail clients block remote images by default, and why management and security professionals keep warning against clicking links. Once a link is clicked, an attacker has many ways to track activity on the device and push code onto it. Email remains attractive to attackers because so many attack vectors depend on it; for one measure of the growth in business email compromise, see this article (yes, yes, the link is safe): https://www.bleepingcomputer.com/news/security/business-email-compromise-attacks-see-almost-500-percent-increase/

Opening emails

Years ago, mail clients rendered HTML email with full browser features, including JavaScript, so a message could run code simply by being opened. JavaScript is a high-level programming language that is very useful in a legitimate setting but also easy to abuse, and a malicious script in the body was enough. Those days are (mostly) gone: modern mail clients and webmail services such as Gmail and Outlook strip scripts and other active content before rendering a message. Opening an email in an up-to-date client in order to inspect it is therefore acceptable, and you will need to do so to get at the source. Two caveats remain. Keep remote images blocked while you investigate, since loading them tells the sender the message was read. And prefer the client's "view source" or "show original" view over the rendered body, because the raw message shows you the real link targets and the full headers.

Link and URL inspection

Low-sophistication attackers generally rely on basic phishing attacks delivered by email. These usually lead to fake websites disguised to look like legitimate ones. The example below (a screenshot of a convincing fake eBay sign-in page, not reproduced here) shows how well done they can be.

The first thing to notice is the URL. Instead of ebay.com, the address bar shows an unrelated domain that certainly does not belong to eBay. That alone is enough to treat the message as malicious, without looking at anything further. You do NOT want to visit links like these to check them: fake domains can also host drive-by downloads, redirection chains, browser exploits, and more. Inspect the link without clicking it. A link has visible anchor text and a real target (the href), and the anchor text can say anything, so what you want is the target. Hover over the link in a desktop client, long-press it on a mobile device, or read the href in the message source, and watch for look-alike hosts such as a brand name used as a subdomain of another domain (for instance ebay.com.some-other-site.example) or an internationalized domain whose characters only resemble the real ones. Once you have determined that the target is not legitimate, discard the message and report it.
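The anchor-text-versus-target check described above can be automated over the HTML body of a message. The following is an added example written for this article, not code from the original page: it collects every link, compares the domain named in the visible text with the domain the href really points to, looks for brand names that do not match the target, and decodes punycode hostnames so that look-alike characters become visible. The sample body, the brand list and the placeholder domains are constructed for illustration.

```python
"""Inspect the links in an HTML email body without clicking them.
Added example, not code from the original article; the sample body and
the brand list are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample body: link 1 lies about its target, link 2 is genuine,
# link 3 uses a punycode look-alike of apple.com.
SAMPLE_HTML = """
<html><body>
<p>Your account is on hold. Please
<a href="http://ebay.com.account-verify.example/login">sign in at https://www.ebay.com</a>
to restore access.</p>
<p>Or visit <a href="https://www.ebay.com/help">eBay Help</a>.</p>
<p>Receipt: <a href="http://xn--pple-43d.com/receipt">apple.com</a></p>
</body></html>
"""

# Assumption: brands this organisation commonly sees impersonated.
BRANDS = ("ebay", "paypal", "apple", "microsoft")

# Anchor text that itself looks like a URL or a bare domain name.
URL_OR_DOMAIN = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Hostname of a URL, with punycode (xn--) labels decoded so that
    look-alike Unicode domains show their real characters."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # leave undecodable hosts as-is; they are still flagged below
    return host


def registrable_domain(host):
    """Last two labels of a hostname. A real public-suffix list would be
    better; this approximation is enough to show the technique."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def analyse_links(html):
    """Return one record per link with the reasons it looks suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    records = []
    for text, href in collector.links:
        host = host_of(href)
        target = registrable_domain(host)
        reasons = []
        # 1) The visible text names a URL/domain that is not the real target.
        m = URL_OR_DOMAIN.search(text)
        if m and registrable_domain(host_of(m.group(0))) != target:
            reasons.append("anchor text names a different domain than the href")
        # 2) The text mentions a brand but the target is not that brand's domain.
        mentioned = [b for b in BRANDS if b in text.lower()]
        if mentioned and not any(b in target for b in mentioned):
            reasons.append("mentions %s but targets %s" % ("/".join(mentioned), target))
        # 3) Internationalized hostname (decoded, or still in punycode form).
        if "xn--" in host or not host.isascii():
            reasons.append("internationalized (IDN) hostname: %r" % host)
        records.append({"text": text, "href": href, "host": host, "reasons": reasons})
    return records


def suspicious_links(html):
    """Only the links that triggered at least one rule."""
    return [r for r in analyse_links(html) if r["reasons"]]


if __name__ == "__main__":
    for r in analyse_links(SAMPLE_HTML):
        verdict = "SUSPICIOUS" if r["reasons"] else "ok"
        print("%-10s %-35s -> %s" % (verdict, r["text"][:35], r["href"]))
        for reason in r["reasons"]:
            print("           - " + reason)
```

Run it on a body you have saved from the "view source" view of your mail client. The two-label approximation in registrable_domain is deliberately simple; for production triage, swap in a public-suffix list so that hosts under co.uk and similar suffixes are grouped correctly.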

Reviewing grammar and spelling

Many phishing campaigns originate overseas, and many phishing emails are written in broken English. A quick check of whether the English is well written can help you conclude that a message is malicious much faster. That said, well-written text does not make a message legitimate or trustworthy; targeted attackers and business email compromise crews write carefully. Poor grammar should lower your trust in a source; good grammar should never raise it.

Email header / origin inspection

Message headers record who the message claims to be from and the path it took to reach you. The address you see in the From: header is entirely under the sender's control and is trivially forged. So are the Reply-To: header, which decides where your reply actually goes, and the Return-Path: (the envelope sender, where bounces are delivered): an attacker has no need to receive bounces and can set it to anything, although a Return-Path on a domain unrelated to the From: address is still a useful signal. What a sender cannot forge is what your own infrastructure adds: the Received: lines stamped by your inbound mail servers (read them top-down; the topmost was added last, by your server, and anything below the first hop you control may have been written by the sender) and the Authentication-Results: header from your gateway, which records whether SPF, DKIM and DMARC passed and for which domain. A message that claims to be from John Doe in HR but fails DMARC for your domain, or whose replies go to Joe Dirt on a free-mail domain in another land, is spoofed. There are legitimate reasons for a sender to use a different Return-Path or Reply-To (newsletters, ticketing systems, bulk mailers sending on a company's behalf), so weigh the headers against the content of the email. Each vendor exposes headers differently; look up how your provider lets you view the Message-ID and full headers (for example "Show original" in Gmail, or the message source view in Outlook).

Note: because the Return-Path can be forged just like the From: address, never treat it as proof of origin. Use it as one indicator alongside the authentication results and the Received: chain.
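The header comparison described in this section, as an added example written for this article rather than code from the original page. It parses a raw message with Python's standard email module, compares the From: domain with the Return-Path: and Reply-To: domains, extracts the SPF/DKIM/DMARC verdicts from the gateway's Authentication-Results: header, and lists the Received: hops in trust order. The message is constructed and every domain and address in it is a placeholder.

```python
"""Check whether the visible From: address of a raw email agrees with the
envelope sender, the Reply-To: and the inbound gateway's authentication
results.  Added example, not code from the original article; the message
below is constructed and every domain in it is a placeholder."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: claims to be HR at example.org, but the envelope sender
# and Reply-To point elsewhere and the gateway recorded a DMARC failure.
RAW_MESSAGE = """\
Return-Path: <bounce-8812@mailer.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by inbox.example.org with ESMTP id abc123; Mon, 1 Jul 2019 10:00:00 +0000
Received: from mailer.example.net (mailer.example.net [198.51.100.7])
    by mx.example.org with ESMTPS id def456; Mon, 1 Jul 2019 09:59:58 +0000
Authentication-Results: mx.example.org;
    spf=pass smtp.mailfrom=mailer.example.net;
    dkim=none;
    dmarc=fail header.from=example.org
From: "John Doe (HR)" <john.doe@example.org>
Reply-To: <joe.dirt@free-mail.example>
To: <alice@example.org>
Subject: Updated payroll form - action required
Message-ID: <20190701095958.1234@mailer.example.net>

Please review the attached form today.
"""


def domain_of(header_value):
    """Domain of the first address in a header value, lowercased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % method, value or "")
        if m:
            verdicts[method] = m.group(1).lower()
    return verdicts


def analyse_headers(raw):
    """Return the key header values plus a list of findings for the analyst."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    reply_to_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    auth = parse_auth_results(msg["Authentication-Results"])
    # Received: lines are read top-down. The topmost was added last, by your
    # own server, and is trustworthy; everything below the first hop you
    # control could have been written by the sender.
    received = [" ".join(h.split()) for h in msg.get_all("Received", [])]

    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append("Return-Path domain %s differs from From domain %s"
                        % (return_path_domain, from_domain))
    if reply_to_domain != from_domain:
        findings.append("replies go to %s, not to the From domain %s"
                        % (reply_to_domain, from_domain))
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed: the From domain was not authenticated")
    if auth.get("dkim", "none") == "none":
        findings.append("message carries no valid DKIM signature")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "reply_to_domain": reply_to_domain,
        "auth": auth,
        "received": received,
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyse_headers(RAW_MESSAGE)
    print("From domain:       ", result["from_domain"])
    print("Return-Path domain:", result["return_path_domain"])
    print("Reply-To domain:   ", result["reply_to_domain"])
    print("Authentication:    ", result["auth"])
    for i, hop in enumerate(result["received"]):
        origin = "added by your server" if i == 0 else "unverified"
        print("Hop %d (%s): %s" % (i, origin, hop))
    for f in result["findings"]:
        print("FINDING:", f)
```

Feed it the full raw message ("Show original" or the equivalent in your client), not just the visible headers. Only trust an Authentication-Results: header whose authserv-id (the first token, mx.example.org in the sample) is your own gateway; a sender can include a fake one of its own, which a well-configured gateway strips on the way in.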

Investigating attachments

Warning! Any time you handle attachments, there is a real risk of accidentally opening or executing them. Be sure you know what you are doing, and never open them on a production machine or network.

For less experienced users, the best thing to do with an attachment from a possibly malicious email is to submit it to a public analysis service such as Hybrid Analysis, VirusTotal, or Comodo's Advanced File Analysis System (Valkyrie). These services detonate the file in a secure sandbox, record its behavior, and compare it against their database to see whether it has been submitted before. That gives you insight into whether other people have received the same file and a verdict on whether it is malicious. One caveat: anything you upload is shared with the vendor and, on some services, with other researchers, so if the attachment may contain your organization's data, compute its SHA-256 hash and search the services by hash first, and upload the file itself only if there is no existing report.
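The hash-first workflow above, as an added example written for this article (not code from the original page). It pulls every attachment out of a raw .eml without rendering or opening it, hashes each one so you can search the sandbox services by SHA-256 before deciding whether to upload, identifies the real file type from its leading bytes rather than its name, and flags double extensions and executable or macro-capable types. Attachments are written to disk under their hash with a .bin suffix so nothing on the analysis box is double-clickable. The message, filenames and byte contents are constructed; the brand-independent extension and signature lists are the author's assumptions about what matters on a typical Windows desktop.

```python
"""Pull attachments out of a raw .eml without opening them, hash them for a
lookup on VirusTotal or Hybrid Analysis, and flag risky names and file
types.  Added example, not code from the original article; the message,
filenames and byte contents below are constructed."""
import base64
import hashlib
import tempfile
from email import message_from_string, policy
from pathlib import Path

# Constructed payloads: both start with the "MZ" signature of a Windows PE file.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
FAKE_EXE_2 = b"MZ" + b"\x00" * 30 + b"second constructed sample"

# Constructed message: a "PDF" with a double extension, and a real PDF name
# wrapped around executable content.
RAW_EML = (
    "From: billing@example.net\n"
    "To: alice@example.org\n"
    "Subject: Invoice 4471\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="B1"\n'
    "\n"
    "--B1\n"
    "Content-Type: text/plain\n"
    "\n"
    "See attached invoice.\n"
    "--B1\n"
    'Content-Type: application/octet-stream; name="invoice.pdf.exe"\n'
    'Content-Disposition: attachment; filename="invoice.pdf.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n" + base64.b64encode(FAKE_EXE).decode() + "\n"
    "--B1\n"
    'Content-Type: application/pdf; name="quote.pdf"\n'
    'Content-Disposition: attachment; filename="quote.pdf"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n" + base64.b64encode(FAKE_EXE_2).decode() + "\n"
    "--B1--\n"
)

# File signatures ("magic bytes") that matter when triaging mail attachments.
MAGIC = (
    (b"MZ", "Windows executable (PE)"),
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP container (docx/xlsx/pptx, jar, apk ...)"),
    (b"\xd0\xcf\x11\xe0", "legacy Office / OLE2 document (can carry macros)"),
)

# Assumption: extensions that run code or scripts on a typical Windows desktop.
RISKY_EXT = {".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".wsf", ".hta",
             ".lnk", ".bat", ".cmd", ".ps1", ".iso", ".img",
             ".docm", ".xlsm", ".pptm"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sniff_type(data):
    """Identify a file by its leading bytes, not by its name."""
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    return "unknown"


def triage_attachments(raw):
    """One record per attachment: name, size, hash, sniffed type, reasons."""
    msg = message_from_string(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        suffixes = [s.lower() for s in Path(name).suffixes]
        kind = sniff_type(data)
        reasons = []
        if suffixes and suffixes[-1] in RISKY_EXT:
            reasons.append("risky extension " + suffixes[-1])
        if len(suffixes) > 1:
            reasons.append("double extension " + "".join(suffixes))
        if kind.startswith("Windows executable") and (
                not suffixes or suffixes[-1] not in (".exe", ".dll", ".scr")):
            reasons.append("content is a PE executable but the name says otherwise")
        records.append({"filename": name, "size": len(data),
                        "sha256": sha256_hex(data), "type": kind, "reasons": reasons})
    return records


def save_for_analysis(raw, outdir=None):
    """Write each attachment as <sha256>.bin so nothing is double-clickable
    and the file name is the hash you will search for. Returns the paths."""
    outdir = Path(outdir or tempfile.mkdtemp(prefix="attachments-"))
    msg = message_from_string(raw, policy=policy.default)
    written = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        path = outdir / (sha256_hex(data) + ".bin")
        path.write_bytes(data)
        written.append(path)
    return written


if __name__ == "__main__":
    for rec in triage_attachments(RAW_EML):
        print(rec["filename"], rec["size"], rec["type"], rec["sha256"])
        for reason in rec["reasons"]:
            print("   -", reason)
    print("saved:", [str(p) for p in save_for_analysis(RAW_EML)])
```

Run this on the analysis workstation, never on your daily-driver machine, and search each printed SHA-256 on the sandbox services before uploading anything. The signature table is intentionally short; the point is that a .pdf name tells you nothing until the first bytes agree with it.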

More experienced IT and cyber security professionals may choose to conduct their own analysis. We won't give a detailed how-to here, only a general overview. Best practice, budget permitting, is a dedicated malware analysis workstation on an isolated network segment (a DMZ or a dedicated analysis VLAN with no route to production). On that host, run the sample inside a guest on a type 2 hypervisor (VirtualBox or VMware Workstation, for example) and use snapshots so you can revert to a clean state after every detonation. First, run the sample through Cuckoo Sandbox and read the report. If the report shows nothing suspicious but you are still concerned, detonate it again in a fresh VM without the Cuckoo agent installed while capturing its network traffic with Wireshark, ideally from the host or a separate monitoring interface rather than inside the guest, and look for unexpected connections. Be aware that some malware detects sandboxes, VMs and analysis tools and simply goes dormant; for those samples the remaining option is static analysis, reverse engineering the binary in a disassembler such as the NSA's Ghidra: https://www.nsa.gov/resources/everyone/ghidra/

About us

Spectre Intelligence is a private investigation and intelligence firm located in sunny Round Rock, TX (Austin area). If you need investigation or cyber security services, visit us at www.spectreintel.com and www.spectretechnology.com