وحدة 6
Active Investigation - Analyze malicious emails
آخر تحديث في: 23 أغسطس 2024
تعديل هذه الصفحة على GitHubوحدة 6
آخر تحديث في: 23 أغسطس 2024
تعديل هذه الصفحة على GitHubThis module will teach you how to interpret and understand malicious emails and find the infrastructure that they link to. Whether they be pure social engineering, phishing, or malware delivery, malicious emails can be quite complex. While the immediate goal of this skill is to identify attacker infrastructure, these advanced skills of reversing complex emails are also good preparation for understanding attacker campaigns, and they are a good introduction to analyzing more complicated malware. Some of those techniques can also help you analyze suspicious messages sent through other mediums, such as WhatsApp.
Note that during active investigation, you may have to perform actions that will alert the attacker to the investigation (or at least that someone is interacting with their trap). Consider whether or not this is an acceptable cost to completing an investigation.
It is best to do this type of analysis from a virtual machine or dedicated device. For added protection, it might be a good idea to use a reputable VPN so that your IP address does not leak out when you are conducting an active investigation.
This module deals with analyzing the body of a malicious email, whereas the Passive Investigation: Analyze email headers module deals with the header of the email. For proper investigations, you will want to use both skills. Note that analyzing the contents and behaviors of email attachments is covered in the Malware Analysis learning path.
After completing this subtopic, practitioners should be able to do the following:
In order to practice this , you need to understand the basics of HTML emails and MIME. If you feel it’s necessary to brush up on this topic a bit, see some of the resources on key topics below:
When investigating potentially malicious emails to discover attacker infrastructure, don’t just look for links and attachments. Attackers may include trackers in their emails, just like marketers do. This article for marketers explains how email tracking works. Note that any resource loaded from the web, not just images, can be used for tracking. Review the types of information which can be obtained through a tracking pixel or a tracking element, including IP (geolocation) and browser fingerprinting information. Internews created a training exercise (described in the practice section below) which will help you become more familiar with trackers and some of the information they can spot.
Once you understand the foundational concepts and potential threats, you need a workflow and tools for analysis.
Ask a peer or mentor to send you an email. Ideally, the email would contain several elements such as tracking pixels, attachments, and links which would benefit from an in depth analysis. Alternatively, go into your own inbox and pick out a (hopefully) non-malicious email. Use the skills used in this module to analyze it:
Discuss your answers to the above questions with your peer or mentor.
Introduction to HTML email
FreeA brief introduction to the concept of sending emails that contain HTML.
Introduction to MIME
FreeA brief introduction to the MIME format for messages.
How to include images in email
FreeAlthough this page is oriented towards email senders, it goes over the ways that attackers may embed images in their email.
Learn HTML
FreeMost phishing malicious emails use HTML to deceive users. In order to extract URLs (and thus server addresses) from emails, you will have to learn some HTML.
Intro to tracking pixels
FreeWhen investigating potentially malicious emails to discover attacker infrastructure, don’t just look for links and attachments. Attackers may include trackers in their emails, just like marketers do. This article for marketers explains how email tracking works. Note that any resource loaded from the web can be used for tracking.
VirusTotal
Free, with some rate limitations and additional pro featuresA tool to evaluate URLs and attachments for known malice. Note that submitted URLs and files can be accessed by other users.
Malicious email workflow
FreeA playbook for what to do when evaluating a suspicious email.
Exchange malicious email investigation playbook
FreeA playbook for investigating malicious emails in a Microsoft Exchange environment (where the investigator has admin access).
Example analyses of phishing emails, resource 1
FreeAnalyses of sample phishing emails. Includes a look at HTML files with embedded malicious scripts and encoded content.
Example analyses of phishing emails, resource 2
FreeAnalyses of sample phishing emails. Includes a look at HTML files with embedded malicious scripts and encoded content.
Example analyses of malware emails, resource 1
FreeSince malicious emails could exploit security holes within email programs, this guide shows how best to analyze them using command line tools and text editors.
Example analyses of malware emails
FreeSince malicious emails could exploit security holes within email programs, this guide shows how best to analyze them using command line tools and text editors.
تهانينا على انتهاء وحدة 6!
وسم المربع لتأكيد اكتمالك والمتابعة إلى الوحدة التالية.
يوسم الوحدة الحالية كمكتملة ويحفظ التقدم للمستخدم.
لقد أكملت جميع الوحدات في مسار التعلم هذا.