Manual Phishing Email Analysis

Email Headers to Analyze

Essential Header Fields

  • From – Display name vs actual email address
  • Reply-To – Where replies actually go (often different from From)
  • Return-Path – Bounce address (should match sender domain)
  • Received – Trace email path, check originating IP
  • Message-ID – Format and domain consistency
  • DKIM-Signature – Domain and signature validation
  • SPF – Pass/fail result (recorded in the Authentication-Results header)
  • DMARC – Policy and alignment result (also in Authentication-Results)

Red Flag Patterns

Sender Anomalies

  • Display name mismatch (e.g., “PayPal” but email is @gmail.com)
  • Domain typosquatting (paypa1.com, pay-pal.com)
  • Recently registered domains (< 30 days)
  • Multiple domains in header chain

URL Patterns

  • URL shorteners (bit.ly, tinyurl.com, rb.gy)
  • IP addresses instead of domains
  • Suspicious TLDs (.tk, .ml, .ga, .cf, .xyz)
  • Excessive subdomains (secure.paypal.com.verify.login.com)
  • Brand names in subdomains (paypal.security-verify.com)
  • URL encoding/obfuscation

Content Patterns

  • Urgency language (urgent, immediate, suspended)
  • Generic greetings (Dear Customer, Dear User)
  • Spelling/grammar errors
  • Threat of account closure
  • Requests for credentials/payment info
  • Unsolicited attachments

Free Analysis Tools

Header Analysis

  • Google Admin Toolbox – Message header analyzer
  • MxToolbox – Email header analysis
  • Hardenize – Email security checks

URL/Domain Reputation

  • VirusTotal – Multi-engine URL scanner
  • URLScan.io – Live URL screenshot and analysis
  • AbuseIPDB – IP reputation checking
  • AlienVault OTX – Threat intelligence pulses
  • Cisco Talos – Reputation center
  • IP-API.com – Geolocation and proxy detection

Authentication Checks

  • DKIMvalidator.com – DKIM signature verification
  • SPF Record Checker – MxToolbox
  • DMARC Analyzer – DMARC policy validation

IOC Extraction

  • CyberChef – Extract IPs, domains, hashes
  • IOC Extractor – Regular expression based extraction
  • Yeti – Open source threat intelligence platform

Sandbox Analysis

  • Any.Run – Interactive malware analysis
  • Hybrid Analysis – File and URL sandbox
  • Browserling – Live website testing

WHOIS & Domain Info

  • Whois.domaintools.com – Domain registration details
  • ViewDNS.info – Multiple domain tools
  • SecurityTrails – DNS history

Analysis Workflow

Step 1: Header Inspection

Check:
- From domain vs Reply-To domain
- Return-Path alignment
- Received IP reputation
- Authentication results (SPF/DKIM/DMARC)

Step 2: URL Extraction

Extract all URLs and check:
- Destination domain
- URL shorteners
- Suspicious TLDs
- Typosquatting attempts

Step 3: Content Analysis

Look for:
- Urgency/social engineering
- Sensitive data requests
- Attachment types
- Language patterns

Step 4: Threat Intelligence

Cross-reference:
- IP blacklists
- Domain reputation
- URL scan results
- Hash lookups (attachments)

Step 5: IOC Documentation

Record:
- IP addresses
- Domains
- URLs
- Email addresses
- File hashes
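As an added example (not part of the original cheat sheet), the following standard-library Python script applies the Step 1 to Step 3 checks above to one raw message and returns the red flags it finds. The sample message, the brand watch-list and the flag names are constructed for illustration; the registrable-domain logic is deliberately crude.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message exhibiting several red flags from the lists above
SAMPLE = """\
From: "PayPal Support" <paypal.alerts@gmail.com>
Reply-To: collect@mail-verify.xyz
Return-Path: <bounce@mail-verify.xyz>
Authentication-Results: mx.example.net; spf=fail; dkim=none; dmarc=fail
Content-Type: text/plain

Dear Customer, verify immediately: http://paypal.security-verify.xyz/login
"""

BRANDS = {"paypal"}  # hypothetical watch-list of commonly impersonated brands
SHORTENERS = {"bit.ly", "tinyurl.com", "rb.gy"}
SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf", "xyz"}
URGENCY = re.compile(r"\b(urgent|immediate\w*|suspend\w*)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def domain_of(header):  # domain of the first address in a header, lower-cased
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw, policy=policy.default)
    display, from_dom = parseaddr(msg["From"] or "")[0].lower(), domain_of(msg["From"])
    # Step 1: Reply-To / Return-Path alignment, receiver-stamped auth results, display name
    flags = [f"{h.lower()}-domain-mismatch" for h in ("Reply-To", "Return-Path")
             if msg[h] and domain_of(msg[h]) != from_dom]
    auth = (msg["Authentication-Results"] or "").lower()
    flags += [f"{m}-not-pass" for m in ("spf", "dkim", "dmarc") if f"{m}=pass" not in auth]
    if any(b in display and b not in from_dom for b in BRANDS):
        flags.append("display-name-brand-mismatch")
    # Steps 2 and 3: links and wording in the plain-text body
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if URGENCY.search(body):
        flags.append("urgency-language")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        labels = host.split(".")
        registrable = ".".join(labels[-2:])  # crude: ignores the public-suffix list
        if host in SHORTENERS:
            flags.append(f"url-shortener:{host}")
        if labels[-1] in SUSPICIOUS_TLDS:
            flags.append(f"suspicious-tld:{host}")
        if any(b in l and b not in registrable for b in BRANDS for l in labels[:-2]):
            flags.append(f"brand-in-subdomain:{host}")
    return flags
```

Running `analyze(SAMPLE)` reports every Step 1 to 3 flag in the sample; a clean message with aligned headers and passing authentication returns an empty list.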

Report Template Elements

Basic Information

  • Date/time of analysis
  • Analyst name/reference
  • Case/incident ID

Email Metadata

  • Subject line
  • Sender address (display and actual)
  • Recipient address
  • Timestamp

Technical Findings

  • Header anomalies identified
  • Suspicious URLs detected
  • Authentication results
  • Attachments (if any)

Threat Indicators

  • IOCs extracted
  • Reputation scores
  • Related campaigns
  • Risk level (Low/Medium/High/Critical)

Recommendations

  • Block indicators
  • User awareness
  • Additional investigation needed
  • Remediation steps

Quick Risk Indicators

Critical Risk (70%+)

  • Known malicious IP/domain
  • Credential harvesting page
  • Executable attachment
  • Multiple brand impersonations

High Risk (50-69%)

  • From/Reply-To mismatch
  • Suspicious TLD
  • URL shortener to unknown domain
  • Urgency language + external link

Medium Risk (30-49%)

  • New domain (<30 days)
  • Generic greeting
  • Minor typosquatting
  • Request for information

Low Risk (0-29%)

  • Authentication passes
  • Clean URLs
  • Consistent headers
  • Expected content

Useful Resources

Threat Intelligence Feeds

  • AlienVault OTX: otx.alienvault.com
  • IBM X-Force Exchange: exchange.xforce.ibmcloud.com
  • MISP Project: misp-project.org
  • PhishTank: phishtank.com

Security Communities

  • Reddit r/phishing
  • Twitter #phishing #infosec
  • Discord security servers
  • ISAC communities

Training Materials

  • SANS SEC504
  • Phishing analysis courses
  • Capture the flag (CTF) challenges and events

Remember: Manual analysis combined with automated tools provides the most comprehensive protection. Always verify findings with multiple sources before taking action.
