Phishing remains the most common Initial Access tactic in the Cyber Kill Chain. For a CTI analyst, the ability to dissect a malicious email is a daily requirement.
Analysis is typically divided into three layers: Header Analysis, Body/URL Analysis, and Attachment Analysis.
1. Header Analysis
Email headers contain the routing information of the message.
- Return-Path: Where bounce messages go. Often reveals the true sender, and in phishing mail it frequently differs from the domain shown in the From header.
- Received: The chain of servers the email passed through. Read from bottom (origin) to top (destination). Only the hops added by your own infrastructure can be trusted; a sender can insert forged Received lines below them.
- X-Originating-IP: The IP address of the sender, when the sending service adds this header (many do not).
- Authentication Checks (the receiving server usually records the verdicts in the Authentication-Results header):
  - SPF (Sender Policy Framework): Is this IP authorized to send email for this domain?
  - DKIM (DomainKeys Identified Mail): Was the email modified in transit?
  - DMARC: What should happen if SPF/DKIM fails, and does the From domain align with the domain they validated?
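The header checks above, carried out programmatically, as an added example that is not part of the original page. It uses only the Python standard library; the message, its hosts, addresses and IPs are all constructed for the example (documentation address ranges, invented domains), and the rules applied (From/Return-Path domain mismatch, any SPF/DKIM/DMARC verdict other than pass, the origin IP taken from the earliest Received hop) are a triage heuristic, not a verdict on their own.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (invented addresses and hosts, documentation IP ranges); not a real message.
RAW_MESSAGE = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby inbox.corp.example with ESMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.corp.example with ESMTPS id def456; Mon, 1 Jan 2024 10:00:01 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby relay.example.net with SMTP id ghi789; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.corp.example;
\tspf=fail smtp.mailfrom=mail-relay.example.net;
\tdkim=none;
\tdmarc=fail header.from=bank.example
From: "Bank Security Team" <security@bank.example>
To: user@corp.example
Subject: Urgent: verify your account
Content-Type: text/plain

Please verify your account within 24 hours.
"""

HOP_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")          # bracketed IPv4 in a Received hop
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def received_chain(msg):
    """Received headers ordered origin -> destination (the bottom of the header block first).
    Folding whitespace is collapsed so each hop becomes a single line."""
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def originating_ip(msg):
    """IP named in the earliest Received hop. Hops below our own servers can be forged,
    so treat this as a lead to pivot on, not as ground truth."""
    chain = received_chain(msg)
    match = HOP_IP.search(chain[0]) if chain else None
    return match.group(1) if match else None


def auth_results(msg):
    """Map each method in Authentication-Results to its verdict, e.g. {'spf': 'fail'}."""
    value = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH_RESULT.findall(value)}


def sender_domains(msg):
    """(From domain, Return-Path domain); a mismatch is a classic spoofing indicator."""
    def domain(header):
        return parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()
    return domain("From"), domain("Return-Path")


def triage_headers(raw):
    """Run the header checks and return the observations plus a list of findings."""
    msg = email.message_from_bytes(raw)
    from_domain, rp_domain = sender_domains(msg)
    auth = auth_results(msg)
    findings = []
    if from_domain != rp_domain:
        findings.append(f"From domain '{from_domain}' differs from Return-Path domain '{rp_domain}'")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method.upper()} = {auth.get(method, 'missing')}")
    return {
        "origin_ip": originating_ip(msg),
        "hops": len(received_chain(msg)),
        "auth": auth,
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage_headers(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Run it on a saved `.eml` by replacing `RAW_MESSAGE` with the file's bytes. For the constructed message the script reports three hops, origin IP 203.0.113.5, SPF and DMARC failures with no DKIM signature, and a From/Return-Path domain mismatch, which together are exactly the pattern the header checks are meant to surface.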
2. URL and Body Analysis
Attackers often use "Typosquatting" (e.g., microsft.com instead of microsoft.com) or HTML masking, where the visible link text shows one address while the underlying href points to another.
- Technique: Hover over the link without clicking to see the actual destination.
- Tooling: Use OSINT tools like urlscan.io to inspect the landing page safely.
3. Attachment Analysis
Attachments often contain the payload (Malware).
- File Extensions: Watch out for double extensions (e.g., invoice.pdf.exe).
- Macros: Office documents often use VBA macros to download malware.
- Safety: Never open a suspicious attachment on a host machine. Use a dedicated Sandbox or Virtual Machine.
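The URL/body checks from section 2 and the attachment checks from section 3, applied to one message, as an added example that is not part of the original page. It uses only the Python standard library. The multipart message is constructed (invented domains; the "attachments" are plain-text placeholders, not real files), `microsoft.com` is used as the brand domain because the page uses it in its typosquatting example, and the edit-distance threshold, the extension lists and the last-two-labels domain approximation are this example's own choices, not a standard. The SHA-256 is computed so an attachment can be looked up or submitted to a sandbox without ever being opened, in line with the safety rule above.

```python
import email
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed multipart sample (invented domains; attachment bodies are plain-text placeholders).
RAW_MESSAGE = b"""From: "IT Helpdesk" <helpdesk@microsft.com>
To: user@corp.example
Subject: Invoice attached
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset=us-ascii

<html><body><p>Review your invoice at <a href="http://login.microsft.com/verify">https://portal.microsoft.com/billing</a>
or read <a href="https://docs.example.org/help">our help page</a>.</p></body></html>
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

placeholder bytes, not an executable
--BOUNDARY
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="report.xlsm"
Content-Disposition: attachment; filename="report.xlsm"

placeholder bytes, not a workbook
--BOUNDARY--
"""

EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".cmd"}  # example list
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm"}  # macro-enabled Office formats


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a, b):
    """Edit distance; a host one or two edits from a brand domain is a typosquat candidate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    # Last two labels only (login.microsft.com -> microsft.com); use the Public Suffix List in real tooling.
    return ".".join(host.lower().split(".")[-2:])


def analyze_links(html, brand_domains):
    """Flag HTML-masked links (shown URL != real target) and typosquatted link hosts."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = registered_domain(urlparse(href).hostname or "")
        if text.startswith(("http://", "https://")):  # the visible text is itself a URL
            shown = registered_domain(urlparse(text).hostname or "")
            if shown != real:
                findings.append(("masked_link", text, href))
        for brand in brand_domains:
            if real != brand and levenshtein(real, brand) <= 2:
                findings.append(("typosquat", real, brand))
    return findings


def analyze_attachments(msg):
    """Flag double/executable extensions and macro-enabled files; return each with its SHA-256."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        labels = name.lower().split(".")
        digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        if "." + labels[-1] in EXECUTABLE_EXT:
            findings.append(("double_extension" if len(labels) > 2 else "executable", name, digest))
        elif "." + labels[-1] in MACRO_EXT:
            findings.append(("macro_enabled", name, digest))
    return findings


def triage_body(raw, brand_domains=("microsoft.com",)):
    """Parse the message once and run both the link and the attachment checks."""
    msg = email.message_from_bytes(raw)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html += part.get_payload(decode=True).decode(charset, "replace")
    return {"links": analyze_links(html, brand_domains), "attachments": analyze_attachments(msg)}
```

On the constructed message the first link is reported twice, once as a masked link (the text shows a microsoft.com URL, the href goes to microsft.com) and once as a typosquat of the brand domain, while the help-page link passes; the attachments come back as a double extension and a macro-enabled workbook, each with a hash ready for a sandbox or OSINT lookup. The hashes, not the filenames or subject line, are the part worth keeping as indicators.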
Note: Phishing indicators (Sender Email, Subject Line) are ephemeral IOCs and change frequently. Focus on identifying the underlying TTPs.