This blog post was originally published by Cybaverse.

Unveiling Phishing Emails: A Guide to Manual Analysis and Free Tools

Phishing emails have become increasingly sophisticated, posing significant threats to individuals and organisations alike. But fear not: with the right tools and knowledge, you can decipher and analyse these deceitful messages to safeguard yourself against potential cyber-attacks. Let’s delve into the essentials of manual phishing email analysis and explore some invaluable free tools to assist you along the way.

Understanding the Phishing Landscape

Before diving into analysis, it is crucial to grasp the different types and techniques employed by cyber criminals. From reconnaissance and credential harvesting to social engineering and whaling, phishing comes in many forms, each with its own set of tactics and objectives. Identifying the type of phishing can provide valuable insights into the attacker’s intentions and the potential risks.

Collecting Email Artifacts

To begin your analysis, you will need to gather essential artifacts from the phishing email. These include sender details, subject lines, recipient addresses, reply-to addresses, and timestamps. Start by downloading the email as a raw file; you can then open it in a text editor like Sublime Text and extract these artifacts from the message source (most of them sit in the header block at the top). Uncovering the sending server’s IP address (using the same method) and performing a reverse DNS lookup (for example with Reverse IP Lookup by MXToolbox) can offer valuable clues about the email’s origin and legitimacy.

Alternatively, for a simpler approach, tools like MXToolbox’s Email Headers Analyzer provide a user-friendly interface for extracting and analysing email headers. By pasting the email header into the tool, you can quickly access the same information without manual extraction.

Examining File Artifacts

If the phishing email contains attachments, it is crucial to examine these files for potential threats. Obtaining the file’s hash, such as SHA256, by using the ‘Get-FileHash’ cmdlet in PowerShell on Windows or the ‘sha256sum’ command in a Linux terminal, enables you to conduct further research on its reputation and integrity. Tools like VirusTotal offer free hash analysis services, scanning uploaded files for malware and sharing insights with the security community; searching for the hash first lets you check an attachment’s reputation without uploading a file that may contain sensitive data. By leveraging these tools, you can assess the risk posed by email attachments and take appropriate precautions.

Investigating Web Artifacts

Malicious URLs are a common tactic used in phishing emails to deceive recipients, and clicking on these links can lead to unintended consequences. Instead, use web artifact analysis tools to examine URLs without risking exposure to potential threats. Platforms like URLscan, URL2PNG, Whois Lookup, Hybrid Analysis and VirusTotal allow you to visualise and assess the legitimacy of URLs, providing valuable insights into their reputation and potential hazards.

If you are still not 100% sure, you can check URLhaus, a database with the goal of sharing malicious URLs that are being used for malware distribution.
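The artifact collection described in the three sections above (header fields and the originating IP from the Received chain, SHA256 hashes of attachments, and URLs pulled out of the body without visiting them) as an added Python example; this is not code from the original post or from Cybaverse. The sample message, its .invalid domains, documentation-range IP addresses and attachment are constructed for the example.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample (not a real capture): .invalid domains, documentation-range IPs.
SAMPLE_EML = b"""\
Received: from mx.example-relay.invalid ([203.0.113.10]) by mail.victim.invalid; Mon, 01 Jan 2024 09:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7]) by mx.example-relay.invalid; Mon, 01 Jan 2024 08:59:58 +0000
From: "IT Support" <support@example-relay.invalid>
Reply-To: helpdesk@attacker-controlled.invalid
To: user@victim.invalid
Subject: Urgent: password expires today
Date: Mon, 01 Jan 2024 08:59:50 +0000
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Reset here: http://login.example-relay.invalid/reset
--B1
Content-Type: application/octet-stream; name="invoice.txt"
Content-Disposition: attachment; filename="invoice.txt"
Content-Transfer-Encoding: base64

bm90IHJlYWxseSBhbiBpbnZvaWNl
--B1--
"""


def sha256_hex(data: bytes) -> str:
    # Same digest Get-FileHash / sha256sum give for the saved attachment.
    return hashlib.sha256(data).hexdigest()


def extract_artifacts(raw: bytes) -> dict:
    # Collect header, file and web artifacts without opening attachments or following links.
    msg = message_from_bytes(raw, policy=policy.default)
    art = {k.lower(): str(msg.get(k, "")) for k in ("From", "Reply-To", "To", "Subject", "Date")}
    # Each relay prepends a Received line, so the last one is the earliest hop;
    # anything below the first hop you trust can be forged by the sender.
    received = msg.get_all("Received") or []
    ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", received[-1]) if received else []
    art["origin_ip"] = ips[0] if ips else None
    # Replies routed to a domain other than the visible sender's are a classic tell.
    from_dom = parseaddr(art["from"])[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(art["reply-to"])[1].rpartition("@")[2].lower()
    art["reply_to_mismatch"] = bool(reply_dom) and reply_dom != from_dom
    # Hash attachments for reputation lookups (e.g. VirusTotal) instead of opening them.
    art["attachments"] = {p.get_filename(): sha256_hex(p.get_payload(decode=True)) for p in msg.iter_attachments()}
    body = msg.get_body(preferencelist=("plain", "html"))
    art["urls"] = sorted(set(re.findall(r"https?://[^\s<>'\"]+", body.get_content() if body else "")))
    return art
```

Call `extract_artifacts(open("suspect.eml", "rb").read())` on a saved message to get the same dictionary for a real case; the hash values go into VirusTotal and the URLs into URLscan or URLhaus rather than a browser.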

To Sum Up

Manual analysis of phishing emails can be a daunting task, but with the right tools and techniques, you can effectively identify and mitigate potential threats. By understanding the phishing landscape, collecting essential artifacts, and leveraging free analysis tools, you can enhance your cyber security defences and safeguard against malicious attacks. Remember, vigilance and education are your strongest allies in the ongoing battle against phishing threats. Stay informed, stay cautious, and stay secure.

Published by Silvia Cardascia, Cybaverse