One of the most common incidents I deal with as a cyber security analyst is malicious emails, or malicious email campaigns. On most secure networks (at least the ones I’ve worked on) the network is pretty much a secure environment, in the sense that people can’t just penetrate your defenses, come into the network and start doing what they want. But think of the perimeter of your network as a kind of bubble: a bubble from which you can reach out and pull things back in, but which is otherwise very difficult to get through.
Now think of the employees of the company you are working for as greedy little monkeys eager to reach out and grab anything they can outside of that bubble. As an analyst I have a mental image of the users of my network frantically opening emails and clicking on every link they can get hold of!
So let’s take a very common and basic example: somebody reports to us that they have received an email, they think it looks suspicious and they are unsure of whether or not they should open it. This happens about ten times a day in my company. It can be tedious when it’s junk mail, but occasionally the users reporting these emails will alert us to an email phishing campaign that is just beginning.
Here are a few things I look for when an email like this is reported; I will go into more detail on each one below.
1. Who is the sender reported to be? (This may not be the actual sender, which I’ll get to in a minute.)
2. What is the subject line of the email? This allows me to look at the rest of the email and see if it actually makes sense, getting some context if you will. Spelling mistakes and badly worded English are a big give-away in the subject line (and in the rest of the email, for that matter).
3. Are there any links or attachments in the email? If there are no links or attachments the real danger is that the email could be the beginning of a social engineering attack. If there are links or attachments, the danger could be more immediate.
4. If there are links, do they make sense within the context of the email? To be honest, if someone has taken the time to report an email I’ll usually check out the link anyway, unless it’s something obviously non-malicious like google.com.
5. If there are attachments, I will usually run these through open source intelligence sources such as virustotal.com and hybrid-analysis.
A PERFECT SCENARIO:
Instead of going through all these points as hypothetical situations, let’s imagine one situation that ticks all the boxes. An email comes in; the sender is from a company we deal with, let’s say firstname.lastname@example.org. The subject line is “Your Invoic is ready” (the spelling mistake is intentional on my part, by the way). There is an attachment called “Invoice123.pdf”, and contained within the email is a link to “imaginarylink.com”.
Let me take you through, pretty much, how I would investigate this incident, although some details will differ slightly so that I can fully cover all the points. Also note that the steps here are to determine the danger posed by the email; the steps taken to protect against it will be in the following post.
1: Sender
Who is the sender reported to be? In this case, it is email@example.com. But is that the real sender? Assuming I am using Office Outlook, I can find this out by clicking File and then Properties, which will display the internet headers of the email. In case you’re freaking out already with “TECH” alarm bells ringing in your head, do not fear, I will keep this simple. Within the internet headers are fields such as From, Received, Sender, envelope sender, Reply-To, Return-Path and sender IP, all of which can give you clues as to who really sent this email. In some cases, though, firstname.lastname@example.org has been compromised, and the attacker is using that email address to trick you into opening a malicious email. So even if the sender really is who you think it is, that does not mean we are clear just yet. Let’s assume for our scenario that the sender really is email@example.com.
2: Subject line
The subject line in this case rings alarm bells for two reasons. One is the spelling mistake, which can happen, but it happens often in malicious emails. The other is the mention of an invoice. Anything that could scare a user into opening an email is a red flag, and in the case of the word “invoice”, the user is worried that they or someone else has paid for something using their details without their knowledge. So we have our first red flag, but this is still not conclusive, as legitimate emails also contain the word “invoice” in the subject and spelling mistakes can happen.
3: Links
They had my curiosity, now they have my attention. The first thing I do with the link is run it through a web reputation website such as Symantec SiteReview. This gives me a good idea of whether this website has been used to host malware or viruses, or is a fake website designed to trick people into entering usernames and passwords.
If the website (or URL) is not known to be malicious by a web reputation website, that does not necessarily mean it is clean. It might be a newly compromised site that is not yet known about. In that case you can run the website through a scanner such as urlscan.io to get a better idea of what the site is doing and make a better decision for yourself about whether the link is malicious or not. For our scenario, let’s say that the URL reputation website gives our link a rating of “uncategorized”, which basically means it doesn’t know anything about it. However, when searching for the URL in virustotal.com we can see that a couple of vendors have reported this website as a phishing website… the plot thickens.
4: Attachments
If there are any attachments, you can usually obtain the SHA256 (like a unique fingerprint) of the file from your email protection system. Using the SHA256 you can search to see if this file is already known to the wider community, by searching in virustotal.com and hybrid-analysis among others. If no information is already available, you can carry out your own analysis using tools such as Cuckoo, or, if you have no tools available, some free sandbox analysis tools are available over the internet. Let’s say that when searching in virustotal.com, this attachment also comes back with a few vendors saying “phishing”. (To see this in real life, go to virustotal.com and search for “4e1b3d2b8f0f849ff4362ee3b8328fc0ffb6e78fadb112e3c020681ad0a593b0” to see what this looks like.)
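The header, link and attachment checks above can be done by hand in Outlook, but the same facts can be pulled straight out of the raw message. The script below is an added example (not part of the original post) that parses a constructed message modelled on this scenario: it compares the Reply-To and Return-Path domains against the From address, pulls the originating IP from the Received chain, lists the URLs in the body, and computes the SHA256 of each attachment ready for a VirusTotal or Hybrid Analysis lookup. All addresses, IPs and the PDF stub are made up.

```python
import email, hashlib, re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the post's scenario; not a real message.
RAW_EMAIL = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mail.example.net ([203.0.113.10]) by mx.example.com id abc123
Received: from unknown ([198.51.100.7]) by mail.example.net id def456
From: firstname.lastname@example.org
Reply-To: accounts@example.net
Subject: Your Invoic is ready
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review your invoice at http://imaginarylink.com/invoice
--XYZ
Content-Type: application/pdf
Content-Disposition: attachment; filename="Invoice123.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1]
    flags = []
    # Reply-To and Return-Path (the envelope sender) normally match the From domain.
    for hdr in ("Reply-To", "Return-Path"):
        other = parseaddr(msg.get(hdr, ""))[1]
        if other and domain_of(other) != domain_of(sender):
            flags.append(f"{hdr} domain {domain_of(other)} != From domain {domain_of(sender)}")
    # Each hop prepends a Received header, so the last one is the originating hop.
    received = msg.get_all("Received", [])
    origin_ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else []
    urls, attachments = [], {}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            # The SHA256 is the value you look up on VirusTotal / Hybrid Analysis.
            attachments[part.get_filename()] = sha256_hex(part.get_payload(decode=True))
        elif part.get_content_type() == "text/plain":
            urls += re.findall(r"https?://[^\s\"'<>]+", part.get_content())
    return {"from": sender, "flags": flags, "origin_ips": origin_ips, "urls": urls, "attachments": attachments}
```

Run `triage(RAW_EMAIL)` to get the flags, originating IP, URLs and attachment hashes as a dictionary; a mismatched Reply-To or Return-Path is a clue, not proof, since legitimate mailing services also rewrite them.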
Using the steps laid out above you should now have a good idea of whether or not the email is in fact malicious (in this scenario it appears to be a phishing attack), and you will have built up a good amount of intelligence ready for the mitigation stage of the incident. See the next post for how to mitigate against this attack.