Defusing Your Inbox: A Simple Guide to Detecting Phishing
Phishing is one of the most common attack vectors and a popular form of social engineering. That’s not surprising—after all, we use email every day. In this article, we’ll break down real examples of phishing emails and show you how to spot the hidden dangers within them.
Analyzing Email Headers
An email consists of three parts: the header, the main body, and sometimes attachments. The header contains routing information about the message, as well as other details like content type, sender and recipient data, date received, the sender’s absolute address, the mail server address, and the real email address from which the message was sent or received.
Important Headers
- Return-Path: This field holds the bounce address, the mailbox to which undelivered or returned mail is sent. The recipient’s server also uses it to identify “fake” emails: it compares the IP addresses authorized for the sender’s domain against the IP address the message actually came from, and if there is no match the email is sent to spam.
- Received: Lists every server the email passed through. Each relay prepends its own entry, so the last (bottom-most) entry is the one closest to the original sender.
- Reply-To: The email address used for replies. In fake emails, this may differ from the sender’s address.
- Received-SPF: SPF (Sender Policy Framework) confirms that messages from a domain are sent from a server controlled by the domain owner. If this field says “Pass,” the source is considered authentic.
- DKIM: DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing mail in the headers. The recipient’s server verifies it with the public key the sending domain publishes in DNS, which shows the message wasn’t altered in transit.
- X-Headers: These are experimental or extended headers, usually added by the recipient’s email provider. Fields like X-FOSE-Spam and X-Spam-Score help detect spam.
Let’s look at an example email header:
- The Return-Path doesn’t match the “From” address, so undelivered mail will be returned to the Return-Path address rather than to the apparent sender.
- The “Received” field shows the domain hiworks.co.kr (an email masking service), not gki.com, indicating the email is fake. The IP address (142.11.243.65) also doesn’t match gki.com.
- The “From” address differs from the “Reply-To” address, so replies go to a @gmail.com address, not @gki.com.
- The Received-SPF value is “neutral,” meaning gki.com neither authorizes nor forbids the IP address. Whois checks show the domain isn’t linked to the IP.
- DKIM is “none,” meaning the email isn’t signed.
All signs point to this being a fake message. The extracted identifiers should be blacklisted.
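The checks above can be scripted. The following is an added example, not code from the article: it parses a raw header block with Python’s standard email module and reports the same red flags the article walks through (Return-Path and Reply-To domains that differ from From, an originating relay outside the From domain, a Received-SPF result other than pass, and no DKIM pass). The sample headers are constructed and modelled on the article’s case; the relay names, message id and date are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the article's example (not a real captured message).
SAMPLE_HEADERS = """\
Return-Path: <bounce@hiworks.co.kr>
Received: from mail.hiworks.co.kr (mail.hiworks.co.kr [142.11.243.65])
 by mx.example.net with ESMTP id k2f9x1; Mon, 1 Mar 2021 09:12:44 +0000
Received-SPF: neutral (mx.example.net: 142.11.243.65 is neither permitted nor denied by domain of gki.com)
Authentication-Results: mx.example.net; spf=neutral smtp.mailfrom=hiworks.co.kr; dkim=none
From: Accounts Payable <accounts@gki.com>
Reply-To: accounts.gki.payments@gmail.com
To: victim@example.net
Subject: Overdue invoice

Please review the attached invoice.
"""


def domain_of(addr):
    """Lower-cased domain of an address such as 'Name <user@host>' ('' if none)."""
    _, mailbox = parseaddr(addr or "")
    return mailbox.rpartition("@")[2].lower()


def under_domain(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def triage_headers(raw):
    """Return a list of findings; an empty list means none of the article's red flags fired."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))

    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain '{rp_dom}' differs from From domain '{from_dom}'")

    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    # Each relay prepends its own Received line, so the last one is closest to the sender.
    received = msg.get_all("Received") or []
    if received:
        origin = " ".join(received[-1].split())
        host = re.match(r"from\s+(\S+)", origin)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", origin)
        host = host.group(1).lower() if host else "?"
        ip = ip.group(1) if ip else "?"
        if not under_domain(host, from_dom):
            findings.append(f"originating server {host} [{ip}] is not under From domain '{from_dom}'")

    # Received-SPF starts with the result keyword (pass, fail, softfail, neutral, none, ...).
    spf_parts = (msg.get("Received-SPF") or "").split(None, 1)
    spf = spf_parts[0].lower() if spf_parts else "missing"
    if spf != "pass":
        findings.append(f"Received-SPF result is '{spf}', not 'pass'")

    # The receiving server records the DKIM verification result in Authentication-Results.
    dkim = re.search(r"\bdkim=(\w+)", msg.get("Authentication-Results") or "")
    dkim = dkim.group(1).lower() if dkim else "none"
    if dkim != "pass":
        findings.append(f"DKIM result is '{dkim}' (message not verifiably signed)")

    return findings


if __name__ == "__main__":
    for finding in triage_headers(SAMPLE_HEADERS):
        print("-", finding)
```

Run it on a saved raw message (the full text including headers) and you get one line per red flag; the constructed sample trips all five, exactly as the article’s example does.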
Analyzing the Email Body
The body of a phishing email is the main part designed to trick the user. The content is often personalized and convincing, making it easy for victims to fall into the attacker’s trap.
For example, a phishing email about COVID-19 may pretend to be from a health insurance provider, containing information about a bill for insurance the victim supposedly ordered. The message may even include a line like “This email was checked by McAfee” to appear safe.
However, hovering over the “See Details” button reveals a link to OneDrive. Instead of clicking, copy and open the link in a browser (preferably in an isolated environment like a virtual machine or a cross-browser testing service such as Browserling).
The link leads to an HTML page that redirects to another site, which mimics a Microsoft Excel online app and requests Office 365 credentials to download a document. Checking the domain shows it’s not owned by Microsoft, and entering any credentials simply sends them to the attackers. Eventually, a fake PDF invoice is displayed, but by then, the victim’s login and password have already been stolen.
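Hovering over a button is the manual version of a check that can be automated for every link in a message body. The following is an added example, not from the article: it parses the HTML body with Python’s standard html.parser, lists each link’s real destination next to its visible text, and flags links whose host is outside the domain the email claims to come from, or whose visible text shows one host while the href points at another. The HTML body and all domains in it are constructed (modelled on the insurance-bill lure above); the OneDrive URL is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_shown_in_text(text):
    """Host name a reader would see in the link text itself, or '' if the text is not URL-like."""
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else ""


def suspicious_links(html, claimed_domain):
    """Return (href, text, reason) for links that leave the claimed sender domain,
    or whose visible text shows a different host than the real destination."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if not (host == claimed_domain or host.endswith("." + claimed_domain)):
            reasons.append(f"destination host '{host}' is not under {claimed_domain}")
        shown = host_shown_in_text(text)
        if shown and shown != host:
            reasons.append(f"text shows '{shown}' but link goes to '{host}'")
        if reasons:
            flagged.append((href, text, "; ".join(reasons)))
    return flagged


# Constructed sample body modelled on the article's insurance-bill lure (all domains made up).
SAMPLE_BODY = """
<p>Dear customer, your health insurance invoice #48213 is ready.</p>
<p><a href="https://onedrive.live.com/?id=CONSTRUCTED"><b>See Details</b></a></p>
<p>Manage your account at
<a href="http://portal.example-insurer.com.evil-example.net/login">https://portal.example-insurer.com/account</a></p>
<p><a href="https://www.example-insurer.com/contact">Contact us</a></p>
<p>This email was checked by McAfee.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_BODY, "example-insurer.com"):
        print(f"{text!r} -> {href}\n    {reason}")
```

The second sample link shows the classic trick the article warns about: the text reads like the insurer’s own portal, but the destination is a look-alike host under a different registered domain. Only the href decides where the browser goes, so the comparison is always made on the href.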
Analyzing Attachments
Email attachments often include Microsoft Office documents or PDFs, which cybercriminals use to deliver malware. They embed VBA (Visual Basic for Applications) or JavaScript code in these files and distribute them via phishing emails.
Word Document Analysis
Let’s analyze a suspicious Word document containing a VBA macro. Since Office 2007, macros require user permission to run, so attackers use social engineering to trick victims into clicking “Enable Editing.”
File name: PR_Report.bin
Tools needed: Oletools, Yara, Didier Stevens Suite, Process Monitor, Windows Network Monitor.
- Analyze file properties: Use the file command in Linux to check the file type. In this case, it’s a Microsoft Office Word file.
- Apply Yara rules: Yara identifies and classifies malware based on signatures. The rules detect OLE files and embedded PE files (MZ signature).
- Extract document content with oledump.py: OLE files contain data streams. Streams marked “M” may contain macro code; “O” indicates an object.
- Extract VB script from the macro: The code includes functions to save and copy files, and to execute hidden commands that launch a file and send a ping to localhost.
- Extract file from OLE object: Use oleobj to extract the embedded file, which is saved in the working directory.
- Get static info from the extracted file: The extracted file is a PE32 executable for Windows. Use pecheck.py to confirm.
- Behavior analysis: Run the file in a Windows 7 32-bit virtual machine with ApateDNS and network monitoring enabled. The file creates a process, attempts to connect to C&C servers, and modifies registry keys related to internet settings, disabling the browser proxy. This confirms the document is malicious.
PDF Document Analysis
PDFs are collections of objects that describe how pages are displayed. Attackers often send malicious PDFs via email, which may run JavaScript in the background or save embedded executables when opened.
A PDF consists of a header, body, cross-reference table, and trailer. The header contains version info; the body contains objects and data streams; the cross-reference table points to each object; the trailer points to the cross-reference table.
Example file: Report.pdf
Tools: Didier Stevens Suite, Peepdf, Process Monitor, Microsoft Network Monitor.
- Scan the PDF with PDFiD: This tool detects JavaScript, embedded files, and auto-actions. The presence of these elements suggests the PDF contains JavaScript or Flash, and possibly embedded files.
- View object contents: Use pdf-parser.py to find JavaScript objects. In this case, the script launches a file named “virus” every time the PDF is opened.
- Extract embedded file with peepdf: Peepdf’s interactive mode helps locate and extract the embedded file, which is a PE executable (MZ signature). Save the stream as virus.exe.
- Behavior analysis: Run the file in a Windows 7 32-bit virtual machine. The executable creates suspicious processes, modifies the Windows firewall, and launches batch files. This confirms the PDF is malicious.
Conclusion
This article covered how to spot signs of phishing in emails and how this process helps prevent unknown threats. We identified key areas to check, learned how criminals hide malicious URLs in email bodies, and what steps to take to verify them.
How to Protect Yourself:
- Never trust the sender of an email by default. Always verify key identification details before replying.
- Don’t click links or open attachments if the sender isn’t who they claim to be.
- Attackers often use random domain names. Carefully check website addresses for “typos”—they may be specially registered to mislead you.
- Double-check the origin of a site before entering personal data—name, address, login credentials, financial info, etc.
- If you realize you entered your credentials on a suspicious site, change your password immediately.