Evaluating a suspicious email.

A common first task for new security team members is to work reports of suspicious emails. At first glance this might seem like a straightforward task, but there are some nuances to be aware of.

For example, users will often report legitimate emails that they were not expecting. Sometimes links in these emails may be for sensitive business documents. If you submit one of those links a service that scans links, you might accidently expose that sensitive business document to anyone on the internet that is watching to see what people are submitting.

Here are some basics to guide a new analyst.

Rule 1

Don't click on a link or open an attachment unless you know what it is, or you have taken safety precautions. I personally only do this in a VM that I can trash once I'm finished. Not everyone has this luxury, but if you can, you should. I use a paid version of VMWare Workstation, but there are free versions of both Virtual Box and VMWare Workstation.

Rule 2

Never submit something to a service that will publicly list your submission unless you know it will not accidentally expose sensitive information. Instead, use services that will allow you to submit it truly privately or check it in your VM first.

Looking at a suspicious email

Eventually you will get to a point where you can glance at an email and be able to tell with greater than 90 percent accuracy whether it is a legitimate email, spam, or something malicious. This will come with practice and experience. Until then, you can follow these basic steps.

Visually inspect the email:

  • Does the sender match the email signature? Sometimes the display name matches but the email address itself doesn't.
  • Is there a link? Does the domain look funny? Maybe the TLD is a country you don't do business. Or maybe it's a Microsoft login that doesn't use a Microsoft domain. Maybe the link just doesn't seem to fit with the rest of the email body.
  • A common tactic in phishing emails is to hide the link behind a picture. Often the picture will look like a PDF icon or similar to try to hide what link the user will click on.
  • Another common tactic to be aware of are decoy documents. There might be a PDF with a link to a "secure message," or an HTML document that when opened will present as a Microsoft login page, or an entire second email attached as an attachment.

There are some other things you can also do, like checking the email headers, but I'd offer that this is starting to get a little too technical for a lot of brand new analysts. Once you have the basics down come back to more technical things like understanding how mail hops work.

Safely inspect URLs:

  • Open the URL inside a VM, interact with it, and take note of any redirects. If you are comfortable with it, use developer tools (F12) to inspect any get or post that happens from interacting with a form. But remember, never submit real information. Instead type fake information, such as asdfasdf@afdadf.com with password afdasfadsfa.
  • Submit the URL to a service that will scan it, but also keep your submissions private. A good example is urlscan.io. You can sign up for a free account and then submit a limited number of URLs as "Private." Note: "Unlisted" scans don't mean what you think they do so make sure you read their documentation before using that option! Also, be aware that the "Live" scans page often contains NSFW content, but you don't get the disclaimer about this until after you already have the page, and the NSFW content, displayed on your screen.
  • If neither of those options are available you could get away with browsing the link from your production computer if you have JavaScript disabled, such as by using NoScript, but it's really better to not get into this habit.

If you aren't comfortable with developer tools you can often get a lot of good information by just watching the browser address bar. Eventually you will probably move on to using even more advanced tools and techniques, such as using a tool like Fiddler to proxy and inspect the web traffic.

Safely inspect attachments:

  • Calculate the file hash and search services like Virus Total, Hybrid Analysis, Any.Run, Alien Valut OTX, or Tria.ge to see if the file is known to be good or bad. On Windows you can easily get a file without installing or using any special tools by using certutil. From CMD do the following command: certutil -hashfile <file name> sha256. Tip: Sometimes for someone new it can be daunting to know the file path to use for <file name>. If you use Windows File Explorer to browse to the directory where the file is, you can open CMD in that directory by clicking into the file path bar and replacing the contents with CMD. For example, if the file is in Downloads, the file path for Windows File Explorer will say something like "> This PC > Downloads." Click and replace that with CMD and hit enter.
  • Open document from inside a VM, interact with it, and take note of any links and link redirects.
  • Submit document to a private sandbox service, such as one your organization pays for. Even when submitting to a private sandbox service, change the name on your submission to something generic, like "sample," so as not to expose things like account numbers or customer names. Be aware that some services, such as Virus Total, will let security researchers download your submissions, even if the regular free users cannot.
  • If after doing a combination of any of the above you are still not sure about an attachment, ask for help! It's how all of us learn and a senior colleague might have some cool tricks or tools they can show you.

Inspecting attachments is a big topic area by itself with lots of approaches and tools to aid you. Put a pin in it and come back to it when you are ready for some additional challenges.

What if you just don't know?

Sometimes this happens. For me this happens a lot with emails from legitimate secure messaging services like Mimecast, Proofpoint, or even just Microsoft Outlook's native email encryption. You know the service itself is legit, but you have no idea what the actual message is to know if it is safe or not.

When this happens, I recommend talking to the person that reported the email. Do they normally get emails like this from this sender? Were they recently working with this sender and waiting for them to send them something?

If in doubt the best course of action is for the email reporter to pick up the phone and call the sender at a known phone number. Don't call the phone number in the signature of the suspicious email because it might not be the real number. Also, don't reply to the email, because if their account has been hacked the hacker will sometimes email back trying to convince you to trust them.