Capture-the-flag exercise

There are multiple ways to view what the email would look like to the recipient. The most straightforward way is to open the file in a mail client, which is what we have done in the below examples. However in the context of a targeted threat this can be a bad idea, in case the file contains scripts which can exploit email clients, collect information about the device, or load external resources (like /media/uploads/tracking pixels) which disclose your IP to the attacker. In the case of this walkthrough it is safe to open the EML in your email client, however for live work consider some alternatives:

• Use an email client in a virtual machine which can be rolled back to a safe snapshot
• Open the file in a text editor and read the HTML content directly
• Rename the file to .mht and open in a web browser (consider using a sandboxed machine and connecting to a VPN to avoid IP collection from tracking pixels)
• Use an online service such as https://www.emlreader.com/ or https://www.encryptomatic.com/viewer/ to render the email. MXToolBox’s email header analyzer https://mxtoolbox.com/EmailHeaders.aspx (used later in this walkthrough) will also render HTML content if you include it in the pasted headers.
• Using an eDiscovery tool which can render EML files
• Self-host your own service to render EML files, such as https://github.com/xme/emlrender

In this walkthrough we will just open the email (paypal.eml) in an email program

As we look into the email, we see the visible sender email address

Here are some key trigger points to watch out for in a phishing email:

• Sense of urgency
• Weird opening, does not address you by name
• Grammar errors
• The sender address or URLs within the email are obfuscated or do not match the website the email claims to be from

You can defang a link in a text editor. Here we will use CyberChef to defang the URL as we will use CyberChef for other steps as well. CyberChef is a web application with a huge number of functions which can help you with analyzing security-related data. Here’s a very brief introduction to its layout and functions.

As part of this exercise, play around with CyberChef and defang the “please confirm” link from the attached email.

First, we copy the hyperlink from the email.

Then, we take the “Defang URL” input from CyberChef and drag it into the “Recipe” section

Once we’ve pasted the URL into the input section in CyberChef, it will automatically output a defanged version thereof.

You can use a ‘recipe’ – or a series of connected steps –in CyberChef to carry out a more complex analysis. To obtain and defang all the URLs in the message, all you need to do is run a recipe with the “extract URLs” and “defang URLs” workflows and paste the full content of the email (copied from a plain text editor) as input. If you were to tick the “unique” checkbox under “extract URLs”, you will see that the results will differ from those from the screenshot, and it will only output a single URL, the same one you defanged above. The fact that there is just one URL, repeated many times, within the email is great news for us–it will make our analysis much more straightforward. \

For the next few questions, we will use VirusTotal. It’s an online service that acts like a security scanner for suspicious files and URLs. Think of it as a digital inspector. You can upload a file or provide a URL, and VirusTotal scans it with antivirus engines and website checkers from dozens of different security companies. It also performs some additional analysis. This gives you a quick overview of whether the file or website is likely to be malicious. It’s a valuable tool to help you identify potential threats before you open an attachment or click on a link. It also contains metadata about files which may be helpful. Here we will use the entry history to find out when a malicious indicator was first observed.

Paste the URL from question 4 into VirusTotal (this time, you need to paste the full URL, not the defanged version). Go to “details” tab and look at the URL capture history.

Also looking through the “details” tab in VirusTotal, look up the serving IP address.

Here we use a whois website to extract it

IP addresses are loosely tied to geographical locations, such as cities or districts. There are many online services where you can input an IP address and learn more about where it’s most likely located. While this type of check is not perfect and can sometimes make mistakes, it can nonetheless be an important part of malicious infrastructure investigations.

It’s worth comparing the information you receive from a whois lookup with that you receive from IP location searches. You might learn that the IP address you are trying to investigate belongs to a VPN provider or a big tech company such as Google–if this is the case, then you will not learn much from those investigations; the IP location will likely correspond to one of those companies’ server farms and might have little to do with the location of the person or entity you’re trying to investigate.

First, open the email using a plain text editor of your choice and copy its content. Then, paste them into the MxToolbox’s “Analyze Headers” tool

Once you press “Analyze Header”, you can see the return path

Go to the file “mx-toolbox-header-analysis”, look into the relay information section.

The address of the mail server

First hop: efianalytics.com 216.244.76.116

SMTP: 2002:a59:ce05:0:b0:2d3:3de5:67a9

In this exercise, you will encounter a string of text encoded in Base64. Base64 is a technique for transforming text that has many purposes, but in this case aims to obfuscate a string of text: the string is still there, it’s just saved in a way that cannot be easily spotted by the human eye or by a simple text search. If this is the first time in your work you’ve encountered Base64, it’s worth reading a little more about it and other obfuscation formats. Malware authors like to obfuscate some text strings within their programs using a technique such as Base64 in order to make it more difficult to analyze.

CyberChef can encode and decode Base64 text.

We open once again the code attached of the phishing page (.html)

we search for the victimID in the source code

Then we can paste the value we discovered into CyberChef. The tool has a magic wand feature which automatically detects and converts encoding–we could use that!

Yay! The magic wand detected that the input is encoded with Base64 and decoded it automatically, giving us the answer!