How to Do Phishing Email Header Analysis?

Knowing all about email headers is important to getting good at analyzing phishing emails!

Here's how you can become a pro:

• First, you've got to dive deep into what email headers are all about. Understanding them is key!
• Next, I'll show you how to check out these headers so you can see clearly what's what.
• Make sure you have some tools for analyzing email headers. They make finding the fakes a lot easier and faster.
• And don't forget, practice makes perfect! I'll share some examples of email headers for you to study. This way, you can get better and faster at spotting those tricky phishing emails.

Let's get started on becoming experts at catching those tricky phishing emails!

What is an Email Header?

An email header is like a detailed map showing an email's journey from the sender to the recipient. Think of it as a digital trail, charting the email path across various servers and networks.

Understanding the header is essential for email analysis, especially when identifying and protecting against phishing attacks.

Key Components of an Email Header

When dealing with phishing emails, understanding the components of an email header is essential. It helps in conducting email header analysis effectively.

• Received: This section lists a series of entries, each representing a server or node the email passed through. It includes the date and time for every hop, which is vital in tracing the email's route.
• From: Indicates the sender's address. Verifying this address against known legitimate sources is crucial in phishing email header analysis.
• To: The recipient's email address. It's helpful to see the intended target of the email.
• Subject: This is the subject line of the email, which can often give clues about the email’s nature and intent.
• Message-ID: Serves as a unique identifier for the email. It's useful for tracking and referencing specific emails.
• Reply-To: This indicates which email address should receive replies. In phishing emails, it might be different from the 'From' address.
• DKIM-Signature: Part of the DomainKeys Identified Mail protocol, which authenticates emails. A valid DKIM signature is a positive sign in email header analysis.
• Content-Type: Describes the type of data in the email, such as text or HTML. Discrepancies here can be a red flag in phishing detection.
• MIME-Version: This specifies the version of Multipurpose Internet Mail Extensions used, a standard in email formatting.

Can you detect phishing emails based on headers?

Based on the headers, yes, you can detect phishing emails.

Email header analysis can uncover clues about an email's origin and path. This process, known as email header analysis for phishing, is vital for identifying deceptive emails.

Phishing email header analysis typically involves a series of steps. These email header analysis steps guide us in examining the sender's information and tracking the email's route. Learning from email header analysis examples is also key, as it helps distinguish phishing emails from legitimate ones.

How do you analyze a phishing email header?

Analyzing the header of a phishing email is a critical step in identifying potential threats and safeguarding your information. Before getting into technical analysis, knowing how to get the email header from your files is important. This applies to files in formats like .eml or .msg.

Accessing Email Headers from Different File Formats

From EML Files:

• Open an EML file with a text editor, like Notepad, to view the email header. Alternatively, you can use any email client that supports the EML format.
• You can usually find the header information at the beginning of the file, before the email body.

From MSG Files:

• To access the header from an MSG file, open the file in Outlook.
• Once opened, locate the ‘File’ tab and select ‘Properties.’ Here, you will find the header information in a dialogue box.

Steps to Retrieve Email Headers

• Open the Email File: Open your email file, whether it's an .eml or .msg, using the appropriate program or a text editor that works with these files.
• Locate the Header: In most cases, the header is at the top of the email content. It contains lines like 'Received,' 'From,' 'To,' and so on, as mentioned in this blog's “What is an Email Header” section.
• Copy the Header Information: Once located, copy the entire header text. You can use this for detailed analysis later on.

Phishing Header Analysis Example

This section will look at an example of a phishing header analysis. The email header tells us where the email came from and how it got to you. Understanding this lets you learn to identify suspicious emails and protect yourself from phishing attacks.

—-- Received Tags Start —-

Received: from DB8PR08MB5370.eurprd08.prod.outlook.com (2603:10a6:10:112::16) by AM8PR08MB5698.eurprd08.prod.outlook.com with HTTPS; Fri, 8 Dec 2023 11:07:24 +0000

Received: from MW4PR04CA0275.namprd04.prod.outlook.com (2603:10b6:303:89::10) by DB8PR08MB5370.eurprd08.prod.outlook.com (2603:10a6:10:112::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7068.28; Fri, 8 Dec 2023 11:07:23 +0000

Received: from MW2NAM12FT084.eop-nam12.prod.protection.outlook.com (2603:10b6:303:89:cafe::bf) by MW4PR04CA0275.outlook.office365.com (2603:10b6:303:89::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7068.28 via Frontend Transport; Fri, 8 Dec 2023 11:07:22 +0000

Received: from i-ee.email.cloudflare.net (104.30.8.44) by MW2NAM12FT084.mail.protection.outlook.com (10.13.181.248) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7091.17 via Frontend Transport; Fri, 8 Dec 2023 11:07:21 +0000

Received: from app.webberit.us (app.webberit.us [89.47.165.109]) by MW2NAM12FT084.mail.protection.outlook.com (10.13.181.248) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) for <onurkolay@outlook.com>; Thu, 21 Dec 2023 10:29:13 +0300

—-- Received Tags End —-

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; d=webberit.us; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type: Content-Transfer-Encoding; i=luichang@webberit.us; bh=H9Wh6Ufw6AmMMbZX6Ra9aCOiJUM=; b=FKKE0GWcdyIC84rYGvJdg3h1LLdNuU8iFMcHWFxmTK8RxSjjwN5SmjYN4unP/HmcHI5jmmSgWPRW oaiXGaUbXbsjEVlInym78Xl0QteTT9FoVwrY5YyHFvIk1Tzj5c3v/kKBTg58h6LWY4lSQM527EZ0 4ZC2dTNjGdnzKicAeTk=

Message-ID: <20231220232925.CFEABC53A362FBBB@webberit.us>

X-FEAS-SPF: spf-result=pass, ip=89.47.165.109, helo=app.webberit.us, mailFrom=luichang@webberit.us

X-FEAS-Client-IP: 89.47.165.109

X-FE-Last-Public-Client-IP: 89.47.165.109

X-FE-Envelope-From: luichang@webberit.us

Return-Path: luichang@webberit.us

X-MS-Exchange-Organization-Network-Message-Id: bb370b41-6684-4c3d-fd4c-08dc01f69230

X-ESET-AS: R=OK;S=0;OP=CALC;TIME=1703143770;VERSION=7966;MC=3910601708;ID=65085;TRN=0;CRV=-3;IPC=89.47.165.109;SP=0;SIPS=3;PI=3;F=0

X-ESET-Antispam: OK

X-EsetResult: clean, is OK

X-EsetId: 37303A29BDA9A15B6C7464

X-EXCLAIMER-MD-CONFIG: fe9fac2e-69f0-4d7c-aa0b-c063ce408dbe

X-MS-Exchange-Organization-AuthAs: Anonymous

X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.5738958

X-MS-Exchange-Processed-By-BccFoldering: 15.02.1258.025

X-Received: by 2002:a05:6871:2b0a:b0:1fa:f5b2:afab with SMTP id dr10-20020a0568712b0a00b001faf5b2afabmr3879596oac.36.1702033638256; Fri, 08 Dec 2023 03:07:18 -0800 (PST)

MIME-Version: 1.0

MIME-Version: 1.0

From: "Outlook" <luichang@webberit.us>

To: <jack.jackson@outlook.com>

Subject: Overdue Invoices to be settled before the end of the year

Date: Thu, 21 Dec 2023 07:29:25 +0000

Content-Type: multipart/alternative; boundary="de7b547a-4b44-4e7d-99d3-ca0f3c2513b1

Please refer to the following explanation to understand the information provided above:

• Received Lines: The email has passed through multiple servers, which is typical for emails routed over the internet. However, the chain of 'Received' lines should be scrutinized to check for unusual patterns or suspicious server addresses.
• Sender's Email and Domain: The phishing email is purportedly from "Outlook" but uses the email address luichang@webberit.us. This mismatch is a major red flag. Phishing email samples often use a trusted name like "Outlook" but come from a different domain.
• Subject Line: “Overdue Invoices to be settled before the end of the year.” - This subject line creates a sense of urgency, a common tactic in phishing emails to prompt quick action without scrutiny.
• DKIM Signature: The presence of a DKIM (DomainKeys Identified Mail) signature (d=webberit.us) suggests an attempt to authenticate the email, but it does not align with the purported sender (Outlook). This discrepancy is suspicious.
• SPF Pass (X-FEAS-SPF): The SPF result is a pass, which means the sending server is authorized to send emails on behalf of the sender's domain. However, this doesn’t rule out phishing, as the domain itself (webberit.us) is not a known entity like Outlook.
• X-MS-Exchange-Organization-AuthAs: Marked as 'Anonymous,' which is common in external emails, but in the context of other red flags, it warrants caution.
• Mismatch in Dates: There is a discrepancy in the dates. The 'Received' lines mention December 8, 2023, but the 'Date' in the email header is December 21, 2023. This inconsistency is suspicious.
• Multiple MIME-Version Headers: Two MIME-Version headers are unusual and can indicate an attempt to confuse email processing systems.
• Return Path and From Address Mismatch: The 'Return-Path' and 'From' addresses should usually match. Any discrepancy can indicate a spoofed email.
• X-Received Line: The format of this line looks typical of a Google-managed email (noted by the 2002:a05: prefix), but it doesn’t align with the rest of the email's journey.
• Content-Type: "multipart/alternative" is standard for emails containing HTML and plain text versions. However, in the context of phishing, HTML content can be used to hide phishing links.

What should I look for in an email header?

Analyzing a phishing email header is like being a detective, piecing together clues to uncover a hidden truth.

Let's dive into this intriguing world:

1. Sender's IP Address: Imagine the IP address as a digital fingerprint. When you receive a suspicious email, this fingerprint can reveal a lot. Catching a thief red-handed is similar to finding this IP on known blacklists!
2. Domain Address: Now, focus on the domain address. If it's on a blacklist, it's akin to finding the thief's hideout. This is a solid indication that you're dealing with a phishing email.
3. Matching IP Addresses: If the IP and domain appear legitimate, it's time for a more thorough investigation. Compare the IP address from the email's header with the official email server's IP. It's like verifying if the letter you received came from the official post office or a fake one.
4. SPF, DMARC, DKIM Records - The Hidden Codes: These records are like secret codes that should match the official ones. If they're fake or mismatched, it's as if the thief has tried to forge a secret passcode but got it wrong.
5. Altered Reply-To Addresses - The Trap: Sometimes, the phishing email wants you to respond. The attacker might have tampered with the 'reply-to' address, revealing a clear trap in the email header.
6. Anomalous Additions - The Deceptive Mask: Attackers often know about vulnerabilities in anti-spam tools. They might add things like “X-Virus-Scan: Clean” to the header. It's a disguise, an attempt to make the email appear safe, like a wolf in sheep's clothing.

Keepnet’s Phishing Analysis Solution

Keepnet's phishing analysis solution helps you spot and stop phishing emails. It analyses suspicious emails closely and keeps you safe from phishing attacks. With Keepnet, you can quickly find out if an email is malicious and learn how to protect your emails better.

Want to see phishing analyzing tactics uncovered? Watch the Keepnet YouTube video below and learn how to analyze an XBOX phishing email.