A common first task for new security team members is to work reports of suspicious emails. At first glance this might seem like a straightforward task, but there are some nuances to be aware of.
For example, users will often report legitimate emails that they were not expecting. Sometimes links in these emails may be for sensitive business documents. If you submit one of those links a service that scans links, you might accidently expose that sensitive business document to anyone on the internet that is watching to see what people are submitting.
Here are some basics to guide a new analyst.
Don't click on a link or open an attachment unless you know what it is, or you have taken safety precautions. I personally only do this in a VM that I can trash once I'm finished. Not everyone has this luxury, but if you can, you should. I use a paid version of VMWare Workstation, but there are free versions of both Virtual Box and VMWare Workstation.
Never submit something to a service that will publicly list your submission unless you know it will not accidentally expose sensitive information. Instead, use services that will allow you to submit it truly privately or check it in your VM first.
Eventually you will get to a point where you can glance at an email and be able to tell with greater than 90 percent accuracy whether it is a legitimate email, spam, or something malicious. This will come with practice and experience. Until then, you can follow these basic steps.
There are some other things you can also do, like checking the email headers, but I'd offer that this is starting to get a little too technical for a lot of brand new analysts. Once you have the basics down come back to more technical things like understanding how mail hops work.
If you aren't comfortable with developer tools you can often get a lot of good information by just watching the browser address bar. Eventually you will probably move on to using even more advanced tools and techniques, such as using a tool like Fiddler to proxy and inspect the web traffic.
certutil -hashfile <file name> sha256. Tip: Sometimes for someone new it can be daunting to know the file path to use for
<file name>. If you use Windows File Explorer to browse to the directory where the file is, you can open CMD in that directory by clicking into the file path bar and replacing the contents with
CMD. For example, if the file is in Downloads, the file path for Windows File Explorer will say something like "> This PC > Downloads." Click and replace that with
CMDand hit enter.
Inspecting attachments is a big topic area by itself with lots of approaches and tools to aid you. Put a pin in it and come back to it when you are ready for some additional challenges.
Sometimes this happens. For me this happens a lot with emails from legitimate secure messaging services like Mimecast, Proofpoint, or even just Microsoft Outlook's native email encryption. You know the service itself is legit, but you have no idea what the actual message is to know if it is safe or not.
When this happens, I recommend talking to the person that reported the email. Do they normally get emails like this from this sender? Were they recently working with this sender and waiting for them to send them something?
If in doubt the best course of action is for the email reporter to pick up the phone and call the sender at a known phone number. Don't call the phone number in the signature of the suspicious email because it might not be the real number. Also, don't reply to the email, because if their account has been hacked the hacker will sometimes email back trying to convince you to trust them.