Module 5
Passive Investigation - Analyze email headers
Last updated on: 24 October 2024
There is far more to emails than meets the eye. This subtopic will teach you how to analyze the extensive metadata which documents an email's origin, the servers it traveled through, information about possible spam checks, and much more. This metadata can form a crucial part of any in-depth investigation into potentially malicious emails.
Use this skill after or alongside the Triage subtopic within this learning path. Some of these skills may be necessary as part of the triage process in order to decide if a message is suspicious.
Since email headers can contain references to other domains and infrastructure, practitioners should first be familiar with Subtopic 4, which looks at analyzing domain and IP info, prior to tackling this one.
After completing this subtopic, practitioners should be able to do the following:
Every email has headers, which contain crucial metadata about the sender, the recipient, and the message itself. In this section, we will look at email headers, how you can analyze them, and how emails can be spoofed. This requires some background knowledge.
Read the resources and documents below to familiarize yourself a bit with (or recap your knowledge on) email headers, SPF, and DKIM.
The Nebraska GenCyber Team created a quick and relatively comprehensive course on email headers: we recommend it to all who want to learn about the topic.
As you analyze headers, you will learn quite a bit about the different domains involved in setting up the email. Once you have a list of those domains, you can use the same tools we used in the previous section (dig, whois, geoIP, and others) to learn more about them.
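As an added example that is not part of this learning path's own materials (nor of any tool it links), the Python script below performs by code the checks the resources further down describe by hand: it unfolds a raw header block, reads the Received chain from the bottom up to find the originating host, flags Received lines that do not link up with the hop above them (the forged-header problem), and extracts the SPF/DKIM/DMARC verdicts and the From versus Return-Path domains. The header block, the domains and the addresses are constructed for the example (fictional domains, RFC 5737 documentation IP ranges); the function names are the example's own.

```python
import re
from email.utils import parseaddr

# Constructed sample (not a real message): the reader sees a bank's address in
# From, but the mail entered the flow from an unrelated host. Domains are
# fictional; IPs are from RFC 5737 documentation ranges.
RAW_HEADERS = """\
Return-Path: <bounce@mailer-example.net>
Received: from mx.recipient-example.org (mx.recipient-example.org [192.0.2.10])
\tby imap.recipient-example.org with LMTP id 7Hk4; Thu, 24 Oct 2024 10:01:05 +0000
Received: from smtp.mailer-example.net (smtp.mailer-example.net [198.51.100.25])
\tby mx.recipient-example.org (Postfix) with ESMTPS id ABC123; Thu, 24 Oct 2024 10:01:04 +0000
Received: from [10.0.0.7] (unknown [203.0.113.77])
\tby smtp.mailer-example.net (Postfix) with ESMTPA id DEF456; Thu, 24 Oct 2024 10:01:02 +0000
Authentication-Results: mx.recipient-example.org;
\tspf=pass smtp.mailfrom=mailer-example.net;
\tdkim=none;
\tdmarc=fail header.from=bank-example.com
From: "Bank Security" <alerts@bank-example.com>
Subject: Urgent: verify your account

"""
# Same message with a Received line the sender added to make the path look as
# if it began inside the bank (also constructed).
FORGED_HEADERS = RAW_HEADERS.rstrip("\n") + "\n" + (
    "Received: from webmail.bank-example.com (webmail.bank-example.com [192.0.2.99])\n"
    "\tby relay.bank-example.com with ESMTP id FAKE1; Thu, 24 Oct 2024 09:59:00 +0000\n\n")

def unfold_headers(raw):
    """Header block -> ordered (name, value) pairs, undoing RFC 5322 folding
    (continuation lines start with whitespace). Stops at the blank line."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def get_all(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"          # name the connecting host announced (HELO/EHLO)
    r"(?:\s+\((?P<seen>[^)]*)\))?"   # what the receiving server saw: rDNS and [IP]
    r"\s+by\s+(?P<by>\S+)",          # the server that wrote this line
    re.IGNORECASE)

def parse_received(value):
    """One Received header -> dict, or None for lines without from/by."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    seen = m.group("seen") or ""
    ip = re.search(r"\[(?:IPv6:)?([0-9a-f.:]+)\]", seen, re.I)
    rdns = seen.split()[0] if seen and not seen.startswith("[") else None
    return {"helo": m.group("helo"), "rdns": rdns,
            "ip": ip.group(1) if ip else None, "by": m.group("by")}

def received_chain(headers):
    """Each relay prepends its own Received line, so the top one is the last
    hop; reverse them to read the path in the order the message travelled."""
    hops = [parse_received(v) for v in get_all(headers, "Received")]
    return [h for h in reversed(hops) if h]

def chain_breaks(chain):
    """Indices i where hop i's 'by' host is not the host hop i+1 says it
    received from (HELO name or rDNS). Lines below those written by servers
    you trust are sender-supplied and rarely link up with the first genuine
    hop. A break is a signal, not proof: HELO names behind load balancers or
    NAT also differ from the 'by' name legitimately."""
    return [i for i in range(len(chain) - 1)
            if chain[i]["by"] not in (chain[i + 1]["helo"], chain[i + 1]["rdns"])]

def likely_origin(chain):
    """IP of the earliest hop above the last break: the first host that a
    server in the consistent part of the path actually saw."""
    if not chain:
        return None
    breaks = chain_breaks(chain)
    return chain[breaks[-1] + 1 if breaks else 0]["ip"]

def auth_results(headers):
    """spf/dkim/dmarc verdicts the receiving server recorded. Only trust them
    when the authserv-id (here mx.recipient-example.org) is your own server."""
    found = {}
    for value in get_all(headers, "Authentication-Results"):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            found[method.lower()] = result.lower()
    return found

def sender_domains(headers):
    """Domain the reader sees (From) versus the bounce address (Return-Path)."""
    def domain(values):
        return parseaddr(values[0])[1].rpartition("@")[2].lower() if values else None
    return {"from": domain(get_all(headers, "From")),
            "return_path": domain(get_all(headers, "Return-Path"))}

if __name__ == "__main__":
    for raw in (RAW_HEADERS, FORGED_HEADERS):
        hdrs = unfold_headers(raw)
        chain = received_chain(hdrs)
        print([h["ip"] for h in chain], chain_breaks(chain), likely_origin(chain))
        print(auth_results(hdrs), sender_domains(hdrs))
```

Run it and compare the two outputs: with the forged hop present, the bottom-most Received line makes 192.0.2.99 look like the origin, while the link check points back to 203.0.113.77, the host that the sender's own submission server saw. In real headers, only the Received lines written by servers you trust are evidence (here the recipient's MX and, with less certainty, the sender's server below it); everything beneath them was supplied by the sender. The domains and IPs this script pulls out are the ones to feed into the dig, whois and geoIP checks from Subtopic 4.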
Systems administrators who use workplace domains such as Google Workspace and Microsoft 365 often have access to powerful logging and log search tools: they can use those to search their systems for identifiers which were found in email headers (such as suspicious domains), which can help them figure out who, if anyone, has been targeted in their organization. See Google’s and Microsoft’s documentation on searching through logs. Do note that those search features are usually restricted to business or enterprise accounts.
After reading through all of the materials in the Nebraska GenCyber email header analysis course, do the exercises linked therein. The site has a link issue, with the exercises often being unavailable directly on it, but they can also be downloaded here.
Find an email in your inbox or spam folder. Alternatively, ask a peer or mentor to send you the headers of an email which they have recently received. Analyze the headers of the email using the same techniques as were outlined in the practice exercise, including by loading them in the Google Admin Toolbox Message Header tool. Then, answer questions 1, 2, 3, and 5 outlined in the investigation section of the Nebraska GenCyber email header analysis course, this time using the headers from the email you found rather than the email attached to the course.
What are email headers? (Free): A good introduction to email headers. Highlights three important groupings of email headers and includes a list of step-by-step guides for different MUAs (mail user agents).
Viewing full email headers (Free): How to view email headers in multiple email systems (Gmail, Outlook, Apple Mail, Thunderbird, etc.).
Checking SPF headers using the dig tool (Free): A quick guide on how to look up a domain's SPF record (a DNS TXT record; what shows up in the headers is only the verdict) using dig, a tool installed on most Unix-like systems.
How to check and read a Sender Policy Framework record for a domain (Free): Shows how to look up SPF records using nslookup, an alternative to dig, and describes how to interpret the results.
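The two SPF resources above fetch a record with dig or nslookup and interpret it by eye. As an added example that is not from this learning path or from the tools it links, this Python evaluator does the interpreting programmatically: it parses a v=spf1 record, follows include: mechanisms under the RFC 7208 lookup limit, and returns the pass/fail/softfail/neutral verdict for a given connecting IP. The DNS answers are a constructed table standing in for `dig +short TXT <domain>` output, so it runs offline; the a, mx, exists and redirect terms are reported as unsupported, which is a limit of this example, not of SPF.

```python
import ipaddress

# Constructed stand-in for the TXT records `dig +short TXT <domain>` would return.
# Domains are fictional; addresses are from RFC 5737 / RFC 3849 documentation ranges.
FAKE_TXT = {
    "mailer-example.net": ["v=spf1 ip4:198.51.100.0/24 include:_spf.bulk-example.com -all"],
    "_spf.bulk-example.com": ["v=spf1 ip4:203.0.113.128/26 ip6:2001:db8:f00d::/48 ~all"],
    "bank-example.com": ["v=spf1 ip4:192.0.2.0/24 -all", "some-site-verification=token"],
    "loop-example.org": ["v=spf1 include:loop-example.org -all"],
    "nospf-example.org": ["just-a-random-txt-record"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror

def check_spf(ip, domain, txt=FAKE_TXT, _budget=None):
    """Evaluate whether `ip` may send mail for `domain` according to the
    domain's SPF record. Returns pass / fail / softfail / neutral, 'none' when
    the domain publishes no record, 'permerror' for broken records, or
    'unsupported:<term>' for mechanisms this example does not implement."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    records = [r for r in txt.get(domain, []) if r.split() and r.split()[0].lower() == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:          # RFC 7208 section 3.2: multiple records are a permerror
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = term.lower().partition(":")
        if "=" in mech:                       # modifier such as redirect= or exp=
            if mech.startswith("redirect="):
                return "unsupported:redirect"
            continue                          # unknown modifiers are ignored
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                # membership is False when address and network families differ
                if addr in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"
        elif mech == "include":
            budget[0] -= 1
            if budget[0] < 0:                 # lookup limit exceeded (also catches include loops)
                return "permerror"
            inner = check_spf(ip, arg, txt, budget)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):   # RFC 7208 section 5.2
                return "permerror"
            if inner.startswith("unsupported"):
                return inner
            # fail / softfail / neutral inside an include: try the next term
        else:
            return "unsupported:" + mech
    return "neutral"  # no term matched and no "all": the RFC 7208 default result

def spf_aligned(connecting_ip, mail_from_domain, header_from_domain, txt=FAKE_TXT):
    """What DMARC adds on top of SPF: the verdict must be a pass AND the domain
    it passed for must match the From domain the reader sees (strict alignment
    shown here; relaxed alignment would also accept subdomains)."""
    return check_spf(connecting_ip, mail_from_domain, txt) == "pass" and \
        mail_from_domain == header_from_domain

if __name__ == "__main__":
    for ip, dom in (("198.51.100.25", "mailer-example.net"), ("203.0.113.77", "mailer-example.net"),
                    ("198.51.100.25", "bank-example.com"), ("192.0.2.1", "loop-example.org")):
        print(ip, dom, check_spf(ip, dom))
    print(spf_aligned("198.51.100.25", "mailer-example.net", "bank-example.com"))
```

The spf_aligned call at the end shows the point that trips up many first readings of an Authentication-Results header: the connecting server 198.51.100.25 passes SPF for mailer-example.net, the Return-Path domain, but that says nothing about bank-example.com in the From header. SPF authorises the envelope sender only; it is DMARC alignment that ties the verdict to the domain the reader sees. To run the evaluator against live DNS, replace FAKE_TXT with the TXT answers from `dig +short TXT <domain>` for each domain involved.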
The Nebraska GenCyber Team course on email headers (Free): A comprehensive course on how to analyze email headers when investigating potential cases of phishing.
Sample exercises for the course above (Free): Exercises hosted on GitHub.
Checking email headers in Proton Mail (Free): A guide on how to check email headers in Proton Mail.
Viewing email headers on Zoho (Free): A guide on how to view email headers on Zoho.
Tools for analyzing email headers, part 1 (Free): Links to several tools which can extract and dissect email headers, crucial for any analysis of potentially malicious emails.
Tools for analyzing email headers, part 2 (Free): Links to several tools which can extract and dissect email headers, crucial for any analysis of potentially malicious emails.
Tools for analyzing email headers, part 3 (Free): Links to several tools which can extract and dissect email headers, crucial for any analysis of potentially malicious emails.
Tools for analyzing email headers, part 4 (Free): Links to several tools which can extract and dissect email headers, crucial for any analysis of potentially malicious emails.
Introduction to email spoofing, article 1 (Free): One of several articles describing email spoofing basics.
Introduction to email spoofing, article 2 (Free): One of several articles describing email spoofing basics.
Introduction to email spoofing, article 3 (Free): One of several articles describing email spoofing basics.
Evaluating 'Received' headers (Free): How to use Received headers to find the server that sent the email.
Analyzing potentially forged 'Received' headers (Free): How to identify fake Received headers.
Looking at a potential phishing email's headers (Free): A closer examination of email headers in phishing messages.
Find messages with Email Log Search (documentation free; tools only available to business and enterprise users): Describes how administrators of Google business and enterprise accounts can search message logs.
Monitoring, reporting, and message tracing in Exchange Online (documentation free; tools only available to enterprise users): Describes how administrators of Microsoft enterprise accounts can trace messages and monitor message logs.
Congratulations on finishing Module 5!