Passive Investigation - Analyze email headers

Use Case

There is far more to emails than meets the eye. The subtopic will teach you how to analyze the extensive metadata which documents an email’s origin, the servers it traveled through, information about possible spam checks, and much more. This metadata can form a crucial part of any in-depth investigation into potentially malicious emails.

Use this skill after or alongside the Triage subtopic within this learning path. Some of these skills may be necessary as part of the triage process in order to decide if a message is suspicious.

Since email headers can contain references to other domains and infrastructure, practitioners should first be familiar with Subtopic 4, which looks at analyzing domain and IP info, prior to tackling this one.

Objectives

After completing this subtopic, practitioners should be able to do the following:

• Extract full headers from an email that they have received or are analyzing;
• Analyze the extracted headers, paying particular attention to
  • The identity of the server or servers which sent the email;
  • Any information about SPF or DKIM data which those headers contain;
  • The possibility that any of the information in the header was spoofed

Every email has headers, which contain crucial metadata about the sender, recipient, and email itself. In this section, we will look at email headers, how you can analyze them, and how emails could be spoofed. This requires some background knowledge

Foundation Knowledge

Read the resources and documents below to familiarize yourself a bit with (or recap your knowledge on) email headers, SPF, and DKIM.

• Understand what email headers are and how we can view them in multiple systems
• Understand the basics of email spoofing and using SPF and DKIM to combat it
  • Learn about email spoofing / learn to identify spoofed emails
    • https://docs.sendgrid.com/glossary/spoofing
  • Learn about the Sender Policy Framework and how it aims to prevent sender address forgery.
    • Use dig / doggo to lookup a valid SPF record (you can do so by running the dig command with the txt argument), analyze its content (see here for a guide) and answer the following questions.
      • What is the SPF version used?
      • Which domains are authorized email senders for the domain?
      • Which mechanism (or policy) was used for all “other” senders?
      • Are there any other mechanisms (or policies) defined in the record?
    • Use https://mxtoolbox.com/spf.aspx to conduct a lookup and test on an SPF protected domain. You can look up the records for your own organization, for example, by checking its main domain.
  • Learn about DomainKeys Identified Mail (DKIM) and how, as an authentication standard, it is used to prevent email spoofing.
    • https://docs.sendgrid.com/ui/account-and-settings/dkim-records
    • Use https://mxtoolbox.com/dkim.aspx to conduct a lookup on a DKIM authenticated domain. You can look up the records for your own organization, for example, by checking its main domain.
• (Advanced) Familiarize yourself with various techniques and mechanisms spam filters use to identify spam / spoofed emails.
  • Look at the list of available modules (and selectors) supported by RSPAMD https://rspamd.com/doc/modules/

Main Section

Analyzing headers

The Nebraska GenCyber Team created a quick and relatively comprehensive course on email headers : we recommend it to all who want to learn about the topic.

As you analyze headers, you will learn quite a bit about the different domains involved in setting up the email. Once you have a list of those domains, you can use the same tools we used in the previous section (dig, whois, geoIP, and others) to learn more about them.

Systems administrators who use workplace domains such as Google Workspace and Microsoft 365 often have access to powerful logging and log search tools: they can use those to search their systems for identifiers which were found in email headers (such as suspicious domains), which can help them figure out who, if anyone, has been targeted in their organization. See Google’s and Microsoft’s documentation on searching through logs. Do note that those search features are usually restricted to business or enterprise accounts.

Practice

After reading through all of the materials in the Nebraska GenCyber email header analysis course, do the exercises linked therein. The site has a link issue, with the exercises often being unavailable directly on it, but they can also be downloaded here.

Skill Check

Find an email in your inbox or spam folder. Alternatively, ask for a peer or mentor to send you the headers of an email which they have recently received. Analyze the headers of the email using the same techniques as were outlined in the practice exercise, including by loading them in the Google Admin Toolbox Message Header tool. Then, answer questions 1, 2, 3, and 5 outlined in the investigation section of the Nebraska GenCyber email header analysis course, this time using the headers from the email you found rather than the email attached to the course.

Learning Resources