SOC Analyst: Phishing Email Analysis
Everyone is looking to level up in their career, and getting a job interview or offer email can be exciting. But sometimes those emails aren't what they seem: they're fake recruitment scams trying to trick you. I came across a perfect example and want to show what I did to confirm my suspicions and the steps I took to report the email and its domain.
Steps we will take to confirm the email is a phish and take action:
1) General Social Engineering Red Flags
2) Context and Content Integrity Check
3) Domain Investigation
4) Certificate Investigation
5) Email Header Analysis
6) Reporting the Email
Tools we use and/or discuss
- VirusTotal
- WHOIS.com
- MXToolbox
- Joe's Sandbox
- PhishTank
- OpenPhish
General Social Engineering Red Flags
The email contains no links to the organization's homepage, no readily available contact information, and no LinkedIn page. Furthermore, searching for Evernow's official website and confirming the logo matches shows that their website and the email I received use different domains. A company could use a separate domain for email, but it is unlikely.
Context and Content Integrity Check
Let's verify the contents of the email and analyze what the sender is telling us. It looks like they want us to reply, most likely to confirm that someone is using this address and receiving their emails. There are no LinkedIn results for a Lauren Roberts who works at Evernow, and I would expect Evernow's "Senior Director, Recruiting & Talent Operations" to have an online presence to help them hunt for talent. Looking at their career site and the jobs posted on LinkedIn, there is no listing for a "Junior Network Engineer". This is our first red flag that the email is fake.
Domain Reports
Online tools make domain information easy to search and compare. First, let's check VirusTotal for any possible reports made by the security community about this domain.
Although it has a good score, that does not automatically clear the domain. Recently registered domains are a huge red flag. The "Details" tab, under Registration Data in VirusTotal, shows that the domain was registered less than a week ago: our second red flag.
Next, we’ll compare the suspicious domain to the official Evernow domain using WHOIS.com. The legitimate domain was registered back in 2002, over 20 years ago. In contrast, the fake domain’s registrar and contact details are completely different. It uses privacy masking via privacyguardian[.]org, a service often abused to hide ownership in malicious campaigns. While companies sometimes register multiple domains, this one stands out. The registrar is different, the contact info is hidden, and the registration date lines up suspiciously with the day the email was sent. Combined with the other indicators we’ve seen, this heavily supports the conclusion that the email is malicious.
Certificate Investigation
Checking the certificate can also help us identify whether the two domains are under the same root certificate, or at least share an issuer. We can see that the domain's HTTPS certificate was recently renewed. Typically a website renews its certificate annually, so an unknown domain with a certificate issued less than 30 days ago should be scrutinized by security analysts. The certificates turn out to be completely different and from different issuers. Though we cannot confirm this with complete certainty, the recent issuance of the certificate together with the registration of the domain likely indicates that it was set up specifically for phishing campaigns.
Phishing domain's certificate:
Legitimate domain's certificate:
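To make the domain and certificate checks above repeatable, here is a small scoring script I am adding as an example; it is not part of the original analysis and does not call WHOIS or VirusTotal itself. It takes the facts the write-up reports (registration date, registrar, privacy-masked registrant, certificate issuer and issue date) as constructed records and returns the red flags. The registrar and issuer names, the exact dates, and the legitimate domain "evernow.example" are placeholders, since the page does not name them.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class DomainRecord:
    """WHOIS and certificate facts for one domain (constructed input)."""
    domain: str
    registrar: str
    registrant_org: str
    created: date          # WHOIS creation date
    cert_issuer: str       # issuer of the current HTTPS certificate
    cert_not_before: date  # start of the current certificate's validity


NEW_DOMAIN_DAYS = 30   # threshold for "newly registered"
NEW_CERT_DAYS = 30     # threshold for "newly issued certificate"
PRIVACY_HINTS = ("privacy", "proxy", "redacted", "guardian")


def age_days(when: date, as_of: date) -> int:
    return (as_of - when).days


def privacy_masked(registrant_org: str) -> bool:
    """True when the registrant field points at a privacy/proxy service."""
    org = registrant_org.lower()
    return any(hint in org for hint in PRIVACY_HINTS)


def lookalike_label(domain: str, brand: str) -> bool:
    """True when the registrable label embeds the brand but is not the brand itself."""
    label = domain.lower().split(".")[0]
    return brand.lower() in label and label != brand.lower()


def assess(suspect: DomainRecord, legit: DomainRecord, email_date: date, brand: str) -> list[str]:
    """Compare the suspect domain against the legitimate one and list red flags."""
    findings = []
    dom_age = age_days(suspect.created, email_date)
    if dom_age < NEW_DOMAIN_DAYS:
        findings.append(f"domain registered {dom_age} day(s) before the email")
    if suspect.registrar != legit.registrar:
        findings.append("registrar differs from the legitimate domain")
    if privacy_masked(suspect.registrant_org) and not privacy_masked(legit.registrant_org):
        findings.append("registrant hidden behind a privacy service")
    if lookalike_label(suspect.domain, brand):
        findings.append("domain label embeds the brand name (lookalike)")
    cert_age = age_days(suspect.cert_not_before, email_date)
    if cert_age < NEW_CERT_DAYS:
        findings.append(f"HTTPS certificate issued {cert_age} day(s) before the email")
    if suspect.cert_issuer != legit.cert_issuer:
        findings.append("certificate issuer differs from the legitimate domain")
    return findings


# Constructed records modelling the facts in the write-up; names and exact
# dates are placeholders, not values taken from the real domains.
EMAIL_DATE = date(2025, 6, 10)

SUSPECT = DomainRecord(
    domain="evernowcareers.com",            # sending domain from the DKIM header
    registrar="Registrar-B (placeholder)",
    registrant_org="PrivacyGuardian.org",   # privacy masking seen in WHOIS
    created=date(2025, 6, 9),               # registered the day before the email
    cert_issuer="Issuer-B (placeholder)",
    cert_not_before=date(2025, 6, 9),       # certificate issued the same day
)
LEGIT = DomainRecord(
    domain="evernow.example",               # placeholder for the real corporate domain
    registrar="Registrar-A (placeholder)",
    registrant_org="Evernow (placeholder)",
    created=date(2002, 1, 1),               # the write-up says 2002
    cert_issuer="Issuer-A (placeholder)",
    cert_not_before=date(2025, 1, 15),
)

if __name__ == "__main__":
    for flag in assess(SUSPECT, LEGIT, EMAIL_DATE, "evernow"):
        print("RED FLAG:", flag)
```

The thresholds are deliberately loose (30 days); the point is that a domain and certificate both younger than the email itself, registered through a different registrar with a masked registrant, should never pass quietly, and a legitimate domain compared against itself produces no findings at all.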
Email Header Analysis
One of my favorite tools is MXToolbox: we can paste the headers of the email we believe is phishing and it extracts the information for us.
First we can see how this email was received by my email provider, Google. The header shows the Google servers that received the email and the internal path the message took to reach my inbox. Next we see where the email was originally sent from: a Google-registered IP address, indicating the sender used Gmail to send this email to us. On its own this is benign, since both legitimate senders and adversaries use Google's services and infrastructure, and its IP address blocks cannot be attributed to a single person or organization.
Let's take a look at the integrity checks built into email security:
spf=none
SPF reports that no record is available: the domain publishes no SPF record at all. That means any mail server, in this case Google's, can send as the domain without triggering an SPF failure.
dkim=pass header[.]i=@evernowcareers-com[.]20230601[.]gappssmtp[.]com
Although DKIM passes, it passes on a suspicious domain that we believe is not owned by the real organization. The domain gappssmtp[.]com is a temporary relay domain used by Gmail, and a signature from it does not prove that the sender of our email actually controls the domain.
Since this domain has neither SPF nor DMARC records in its DNS, DMARC fails silently. By default Google omits the DMARC line from the Authentication-Results header when there is no policy to enforce. Without instructions from the domain, Google does not know how to handle a missing SPF record, and the DKIM pass on the relay domain does nothing to authenticate this domain. The absence of both SPF and DMARC likely indicates that this domain was registered specifically to sidestep email phishing detection mechanisms, further solidifying our case that this email is malicious.
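The checks in this section come down to reading one header, so here is an added example (mine, not part of the original post or MXToolbox) that parses a Gmail-style Authentication-Results header and flags the same three problems: SPF not passing, no DMARC verdict at all, and a DKIM pass whose signing domain is Gmail's shared gappssmtp.com rather than the sender's own domain. The spf=none result and the header.i value are the ones shown above; the selector, signature, sender address and the second "well-configured" header are constructed for contrast.

```python
import re

GMAIL_DEFAULT_DKIM = ".gappssmtp.com"   # signing domain Gmail uses on behalf of senders

# Constructed header in Gmail's layout; dkim/spf verdicts and the header.i
# value follow the write-up, everything else is a placeholder.
AUTH_RESULTS = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@evernowcareers-com.20230601.gappssmtp.com header.s=20230601 header.b=PLACEHOLDER;
       spf=none (google.com: recruiter@evernowcareers.com does not designate permitted sender hosts) smtp.mailfrom=recruiter@evernowcareers.com"""
FROM_HEADER = "Lauren Roberts <recruiter@evernowcareers.com>"   # constructed From: line

# Constructed header for a domain that publishes SPF, its own DKIM key and DMARC.
GOOD_RESULTS = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@evernow.example header.s=sel1 header.b=PLACEHOLDER;
       spf=pass (google.com: domain of hr@evernow.example designates 192.0.2.10 as permitted sender) smtp.mailfrom=hr@evernow.example;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=evernow.example"""
GOOD_FROM = "HR <hr@evernow.example>"


def unfold(header: str) -> str:
    """Join folded continuation lines into one logical header line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_auth_results(header: str) -> dict:
    """Return spf/dkim/dmarc verdicts plus the DKIM signing and MAIL FROM domains."""
    body = unfold(header).split(":", 1)[1]
    result = {"spf": "absent", "dkim": "absent", "dmarc": "absent"}
    for clause in body.split(";")[1:]:        # element 0 is the authserv-id (mx.google.com)
        clause = clause.strip()
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        method, verdict = m.groups()
        result[method] = verdict
        if method == "dkim":
            d = re.search(r"header\.i=@?([\w.\-]+)", clause)
            result["dkim_domain"] = d.group(1) if d else None
        if method == "spf":
            mf = re.search(r"smtp\.mailfrom=\S*@([\w.\-]+)", clause)
            result["mailfrom_domain"] = mf.group(1) if mf else None
    return result


def from_domain(from_header: str) -> str:
    return re.search(r"@([\w.\-]+)", from_header).group(1).lower()


def assess_authentication(auth: dict, from_header: str) -> list[str]:
    """List the authentication weaknesses an analyst should call out."""
    findings = []
    sender = from_domain(from_header)
    if auth["spf"] != "pass":
        findings.append(f"SPF result is '{auth['spf']}': no SPF policy protects {sender}")
    if auth["dmarc"] == "absent":
        findings.append("no DMARC result: the domain publishes no policy, so nothing is enforced")
    dkim_domain = (auth.get("dkim_domain") or "").lower()
    if auth["dkim"] == "pass":
        if dkim_domain.endswith(GMAIL_DEFAULT_DKIM):
            findings.append(f"DKIM pass comes from Gmail's shared {GMAIL_DEFAULT_DKIM.lstrip('.')} "
                            f"signer, not a key published by {sender}")
        elif dkim_domain != sender and not dkim_domain.endswith("." + sender):
            findings.append("DKIM signing domain does not align with the From domain")
    return findings


if __name__ == "__main__":
    for label, hdr, frm in (("suspect", AUTH_RESULTS, FROM_HEADER), ("well-configured", GOOD_RESULTS, GOOD_FROM)):
        print(label, assess_authentication(parse_auth_results(hdr), frm) or ["no findings"])
```

Running it prints three findings for the suspect header and none for the well-configured one. The alignment branch is the general rule behind the gappssmtp.com case: a DKIM pass only vouches for the domain in header.i, so unless that domain is (or is a subdomain of) the From domain, the pass says nothing about who really sent the message.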
Reporting the Email
I conclude that this email is indeed a phishing email, due to the following characteristics:
1) Vague enticing email in promise of a career change
2) No high-ranking staff member with online presence with that name
3) Domain typosquatting
4) Newly registered domain
5) Newly issued certificate
6) No matching information with domain registrars and certificate issuers to real domain
7) Missing SPF rules and DMARC policy on DNS record
Here are the steps I took to report this email. If you receive a phishing email on your organization's email service, it is important to notify your internal security team so they can help contain a possible phishing campaign targeting your company. Unfortunately I was unable to submit to PhishTank because their registration was closed at the time. I instead emailed OpenPhish.com with the URL of the domain and reported the domain through Google's Safe Browsing Report page.
Personal Email:
1) Do NOT reply or engage with the adversary
2) Forward the email to the impersonated company
3) Report as phishing using Google's report features
4) Submit IoCs to lists like PhishTank, OpenPhish, Google, etc.
5) Forward email to real organization informing them of impersonation of their brand
Employee Email:
1) Block domain to your DNS servers, sinkholing their domain
2) Add domain to email gateway to block this domain
3) Add this domain to your existing IOC or Threat Hunting domain list
4) Alert any internal users who received the message
5) Remove emails in user's inbox containing this domain
6) Contact the real organization to inform them of potential impersonation
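Steps 4 and 5 of the employee list (find out who received the message and remove it) start with a sweep for the indicator, so here is an added example of that sweep; it is mine, not part of the original post, and stands in for whatever your mail platform's search API would do. It parses a handful of constructed messages, matches the phishing domain in the sender headers and the body, and returns the message IDs and recipients that need attention. The mailbox contents and the corp.example / vendor.example addresses are made up.

```python
import email
from email import policy
from email.utils import getaddresses

IOC_DOMAIN = "evernowcareers.com"   # the sending domain from the write-up

# Constructed messages standing in for a mailbox export; every address and
# Message-ID here is a placeholder.
RAW_MESSAGES = [
"""From: Lauren Roberts <recruiter@evernowcareers.com>
To: alice@corp.example
Subject: Junior Network Engineer opportunity
Message-ID: <c1@evernowcareers.com>

We would love to talk about a Junior Network Engineer role.
""",
"""From: it-helpdesk@corp.example
To: bob@corp.example
Subject: Ticket update
Message-ID: <c2@corp.example>

Your ticket has been updated.
""",
"""From: newsletter@vendor.example
To: carol@corp.example, dave@corp.example
Subject: Weekly digest
Message-ID: <c3@vendor.example>

Apply now at https://evernowcareers.com/apply
""",
]


def message_hits(raw: str, ioc_domain: str):
    """Return a hit record if the message references the IoC domain, else None."""
    msg = email.message_from_string(raw, policy=policy.default)
    ioc = ioc_domain.lower()
    matched = []
    # Sender-side headers: a match here means the adversary's domain sent or replies to it.
    for name in ("From", "Reply-To", "Return-Path"):
        for _, addr in getaddresses([msg.get(name, "")]):
            if addr.lower().endswith("@" + ioc):
                matched.append(name)
    # Body: catches links to the domain even when the sender is someone else.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if ioc in text.lower():
        matched.append("body")
    if not matched:
        return None
    recipients = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return {"message_id": str(msg["Message-ID"]), "recipients": recipients, "matched": matched}


def sweep(raw_messages, ioc_domain):
    """Every message that references the domain, with the users to alert."""
    return [h for h in (message_hits(r, ioc_domain) for r in raw_messages) if h]


if __name__ == "__main__":
    for hit in sweep(RAW_MESSAGES, IOC_DOMAIN):
        print(hit["message_id"], "->", ", ".join(hit["recipients"]), "matched:", hit["matched"])
```

The output gives you the two lists the response steps need: the Message-IDs to purge and the recipients to notify. Matching on the body as well as the sender headers matters because the same domain can show up later in forwarded copies or in a second wave sent from a different address.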
This phishing email had all the right pieces to look convincing: a professional tone, a logo, and even a real job title. But when we dug deeper, it started to fall apart. A suspicious domain, a newly issued TLS certificate, missing SPF and DMARC records: all the signs were there. It's a good reminder that no matter how polished something looks, a little curiosity and technical digging can reveal the truth. If something feels off, trust your spidey-SOC-tuned senses and investigate.