Phishing Email — Ultimate Resources
Phishing email analysis means examining emails to detect any signs of phishing. It is done carefully, with dedicated tools and methods, rather than by a quick glance at your inbox.
When encountering a suspicious email in your inbox, it’s crucial to take appropriate steps to mitigate any potential risks. Here’s a systematic approach to follow:
- Do Not Click Links or Download Attachments: Avoid clicking on any links or downloading attachments in the suspicious email. These could contain malware, phishing links, or other malicious content.
- Verify the Sender: Check the sender’s email address to see if it matches the expected sender. Be cautious of email addresses that are misspelled or seem suspicious.
- Check for Poor Grammar or Spelling: Many phishing emails contain grammatical errors, spelling mistakes, or awkward language. If the email seems poorly written or unprofessional, it could be a red flag.
- Hover Over Links: If you’re unsure about a link in the email, hover your mouse cursor over it (without clicking). This will reveal the actual URL the link leads to. Be wary of URLs that don’t match the expected destination or seem suspicious.
- Examine Requests for Personal Information: Be cautious of any emails requesting sensitive personal information, such as passwords, account numbers, or Social Security numbers. Legitimate organizations typically do not request this information via email.
- Look for Urgent or Threatening Language: Phishing emails often use urgent or threatening language to pressure recipients into taking immediate action. Be skeptical of emails that claim your account will be closed, or you’ll face consequences if you don’t act quickly.
- Report the Suspicious Email: If your organization has a dedicated IT or security team, report the suspicious email to them. They can investigate further and take appropriate action.
- Delete the Email: If you determine that the email is indeed suspicious, delete it from your inbox. This helps prevent accidental clicks or further interaction with the malicious content.
- Educate Yourself and Others: Stay informed about common phishing tactics and educate yourself and your colleagues about how to recognize and respond to suspicious emails. Regular training and awareness programs can help mitigate the risk of falling victim to phishing attacks.
- Monitor Your Accounts: Keep an eye on your accounts for any unauthorized activity or unusual behavior. If you suspect that your account has been compromised, take immediate steps to secure it, such as changing passwords and enabling multi-factor authentication (MFA).
By following these steps, you can help protect yourself and your organization from the potential threats posed by suspicious emails. Always err on the side of caution and remain vigilant when it comes to email security.
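One way to automate the "Verify the Sender" and "Hover Over Links" checks above on a saved .eml file, as an added example that is not part of the original article. The message, addresses and IPs are constructed (documentation ranges only), and the anchor regex is a stand-in for a proper HTML parser.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): the display name and visible
# link text imitate a bank, while the real addresses, href and auth results do not.
SAMPLE_EML = b"""Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (unknown [203.0.113.9]) by mx1.corp.example.com
Authentication-Results: mx1.corp.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail
From: "Example Bank Support" <support@examp1e-bank.com>
Reply-To: <collect@mailer.example.net>
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be closed in 24 hours.</p>
<a href="http://203.0.113.9/login">https://www.example-bank.com/login</a></body></html>
"""

# Simple anchor matcher for the example; a real tool should use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host(s):
    # Hostname of a URL or bare domain string, lowercased ('' if none).
    s = s.strip() if "://" in s else "http://" + s.strip()
    return (urlparse(s).hostname or "").lower()

def addr_domain(value):
    # Domain of an address header such as '"Name" <user@host>'.
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def analyze(raw):
    # Returns red-flag findings: sender inconsistencies, failed auth, deceptive links.
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom, findings = addr_domain(msg["From"]), []
    for h in ("Reply-To", "Return-Path"):  # 'Verify the Sender'
        if msg[h] and addr_domain(msg[h]) != from_dom:
            findings.append(f"{h} domain {addr_domain(msg[h])} != From domain {from_dom}")
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if verdict != "pass":  # SPF/DKIM/DMARC verdicts recorded by the receiving MTA
            findings.append(f"{mech}={verdict}")
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        text = re.sub(r"<[^>]+>", "", text)  # 'Hover Over Links': text vs real target
        if host(text) and host(text) != host(href):
            findings.append(f"link text {text} actually points to {href}")
    return findings
```

Run `analyze(open("suspicious.eml", "rb").read())` on a message exported from your mail client; an empty list means none of these particular checks fired, not that the email is safe.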
Below is a compilation of tools designed for analyzing phishing emails, each accompanied by a description of its functions and intended purposes:
1. Email Header Analysis:
- MXToolbox: Detects phishing attempts, spam, malware, and impersonation scams.
- Google MessageHeader: Provides insight into email headers and helps identify who may be responsible.
- MailHeader: Analyzes email headers for security threats.
- Azure Header Analyzer: Uses REST and EWS to retrieve the transport message headers of an e-mail message and display them in an easy-to-read format.
- Gaijin: Checks and analyzes the headers of an e-mail. The Received lines are broken down separately and the data is displayed clearly.
- Trace Email (Header Analyzer): Analyzes email headers and traces the sender's IP location and IP Whois.
2. URL / IP Reputation Check:
- Virustotal: Analyses suspicious files, domains, IPs and URLs to detect malware and other breaches, and automatically shares them with the security community.
- Talosintelligence: Identifies malicious domains and IPs.
- AbuseIPdb: Checks IP reputation.
- CriminalIP: Real-time URL Scanner and Phishing Link Checker.
- MxToolBox (BlackList): Checks a mail server IP address against over 100 DNS based email blacklists.
- IP Blacklist Checker: Determines whether a domain, IP address, or email address is listed in DNSBL and other blacklist databases for suspicious activity.
- URLVOID: Checks the reputation of URLs and domains to identify potential phishing sites and malicious content.
- CyberGordon: Offers IP and domain information.
- Bright Cloud: Assesses URL reputation.
- IPinfo: Provides information about IP addresses to help prevent fraud and ensure compliance.
- WebCheck: Verifies website safety.
- Immuni Web: Tests websites for security issues (AI for Application Security).
- Typosquatting-finder: A free, public service that finds typosquatted domains, to quickly assess whether an adversary is using look-alike domains.
- Netcraft: Reveals the infrastructure and technologies used by any site, using results from Netcraft internet data mining.
- Pulsedive: Searches any domain, IP, or URL and enriches it on demand with passive and active scans to inform your investigation.
- Phishcheck.me: Custom phishing detection engine.
3. Visualization Tools: (Visualize a malicious URL without visiting the site)
- URLScan: Visualizes malicious URLs without visiting them.
- URL2PNG: Generates screenshots of URLs.
- CheckPhish: Detects and Monitors Phishing and Scam Sites (URL).
- Google Safe Browsing rating: Quick view of whether a website is safe or potentially nefarious.
4. File / Attachment / Malware Analysis:
- VirusTotal: Analyzes files and URLs for malware.
- Anyrun (Sandbox): Downloads arbitrary files remotely and analyzes them interactively in a sandbox.
- Hybrid-Analysis (Sandbox): Provides free malware analysis for URLs, files and file collections.
- Joesandbox: Analyzes suspicious URL/files.
- Cuckoo Sandbox: Automated malware analysis.
- VMRay: Analyzes advanced malware, threats, and phishing attacks.
- Triage: Investigates suspicious files.
5. Whois Domain Record:
- Whois: Provides domain registration details.
- Centralops: Retrieves domain information.
- DomainTools: Performs reverse IP lookup.
- Gaijin whois: Collects information about the owner of a domain or an IP address.
6. Phishing Analysis Tools: Automatically Collecting Artifacts
- Phish Tool: Collects artifacts from phishing emails.
- EML analyzer: Analyzes email files.
- CyberChef: Tool for data manipulation and analysis.
- MailPro+: Can preview, search, and export emails from different email clients. The tool lets you view email messages and attachments, offers 7+ preview modes, and more.
7. Miscellaneous:
- Browserling (Sandbox): Safely test URLs in a sandboxed browser.
- Thunderbird (EML Opener): Opens EML files.
- eM Client (EML Opener): Another EML file viewer.
- Phishtank: Checks Phishing URL against a collaborative phishing database.
- OpenPhish: Repository of known phishing URLs.
- Phishunt: Looks for suspicious websites and exposes them so they can be taken down.
- Haveibeenpwned: Allows you to search across multiple data breaches to see if your email address or phone number has been compromised.
- QuickSand: A Python-based analysis framework for suspected malware documents (documents, PDFs, MIME/email, PostScript) that identifies exploits in streams with different encodings or compressions.
Conclusion:
As you can see, analyzing a phishing email requires multiple tools, including a sandbox, URL detection, file analysis, anomaly detection, and AI-powered threat analysis engines.
Thank you for joining this journey through Phishing Email Resources. Remember, vigilance is your best defense against phishing attacks! Stay safe out there.