[ALERT!!!] Phishing Campaign Forensics Review
oussama ben hadj dahman
Cyber Security Expert @Honoris |CO-FOUNDER COINER IMPACT | ISO 27001 Lead Implementer |SC-900|AI-900| CPT| CDFE | CC ISC2 |DFE| cyber security instructor
Incident Overview
In the past week, I received numerous calls from various sources, all reporting suspicious emails that raised red flags. Then, I personally encountered a similar email format, which immediately caught my attention and prompted a deeper investigation.
It all began with the arrival of an email to [email protected] from the Mail Delivery Subsystem at Google. The email reported that a delivery attempt to [email protected] had failed. The failure was due to the fact that the recipient address could not be found, suggesting the email address either does not exist or is currently inactive.
Key Findings
1. Source of Email
- The email originated from mail-sor-f65.google.com, with the IP address 209.85.220.65.
- Google’s SMTP servers processed the email, and both DKIM and SPF records passed authentication, confirming the email's legitimacy.
2. SMTP and Delivery Path
- The email was routed through multiple servers within Google’s infrastructure, beginning from mail-sor-f65.google.com and terminating at the intended mailbox [email protected].
- SPF validation returned a "none" result, meaning the sending domain ([email protected]) had no SPF policy in place, but the DKIM signature from googlemail.com passed, ensuring the email’s integrity.
3. Failure Reason
- The delivery failed because the email address [email protected] could not be located.
- Google provided an error message: "The email account that you tried to reach does not exist."
4. Security and Integrity
- The email had valid ARC-Seal, DKIM, and ARC-Message-Signature headers, verifying its integrity and authenticity during transmission.
- The DMARC policy was enforced (p=QUARANTINE), indicating a robust security policy against spoofing of Google domains.
5. Content Analysis
- The body of the email contained a notification that the address [email protected] was unreachable.
- A link to Google's support page was provided for further information: [Learn more](https://support.google.com/mail/?p=NoSuchUser).
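The header findings above (Received hop, SPF, DKIM, DMARC) are the kind of thing worth pulling out of a raw message automatically rather than reading by hand. The script below is an added example, not part of the original write-up or any Google tooling: it parses the first Received hop and the Authentication-Results header of a constructed bounce message that mirrors what the write-up reports (hostname, IP, DKIM domain, SPF result and DMARC policy), and turns the values into triage notes. The envelope sender, DKIM selector and message id in the sample are placeholders.

```python
import email
import re

# Constructed sample modelled on the headers described in the write-up; it is not
# the real message. Envelope sender, selector and id are placeholders.
SAMPLE_BOUNCE = """\
Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65])
        by mx.google.com with SMTPS id placeholder-id
        for <recipient@example.invalid>;
        Mon, 1 Jan 2024 00:00:00 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@googlemail.com header.s=placeholder-selector;
       spf=none (google.com: sender does not designate permitted sender hosts) smtp.mailfrom=bounce@example.invalid;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
To: recipient@example.invalid
Subject: Delivery Status Notification (Failure)

The email account that you tried to reach does not exist.
"""

# "from <helo> (<reverse-dns>. [<ip>])" as written by Google's MX in the first hop.
RECEIVED_RE = re.compile(r"from (?P<helo>\S+) \((?P<rdns>\S+?)\.? \[(?P<ip>[\d.]+)\]\)")


def unfold(value):
    """Collapse RFC 5322 header folding so the regexes see a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", value or "").strip()


def parse_auth_results(raw_message):
    """Extract the authentication verdicts and the first hop from a raw message."""
    msg = email.message_from_string(raw_message)
    auth = unfold(msg.get("Authentication-Results"))
    received = msg.get_all("Received") or []
    first_hop = RECEIVED_RE.search(unfold(received[0])) if received else None

    def grab(pattern):
        m = re.search(pattern, auth)
        return m.group(1).lower() if m else None

    return {
        "spf": grab(r"\bspf=(\w+)"),
        "dkim": grab(r"\bdkim=(\w+)"),
        "dmarc": grab(r"\bdmarc=(\w+)"),
        "dkim_domain": grab(r"header\.i=@([\w.-]+)"),
        "from_domain": grab(r"header\.from=([\w.-]+)"),
        "dmarc_policy": grab(r"\bp=(\w+)"),  # the p= tag inside the dmarc clause
        "source_host": first_hop.group("rdns") if first_hop else None,
        "source_ip": first_hop.group("ip") if first_hop else None,
    }


def triage(parsed):
    """Turn the raw verdicts into notes an analyst can act on."""
    notes = []
    if parsed["dkim"] == "pass" and parsed["dkim_domain"]:
        notes.append(f"DKIM passes for {parsed['dkim_domain']}: the body was not altered in "
                     "transit, which says nothing about whether the content is benign")
    if parsed["spf"] != "pass":
        notes.append(f"SPF result is {parsed['spf']}: the envelope sender domain gives no usable policy")
    if parsed["dmarc_policy"]:
        notes.append(f"DMARC policy {parsed['dmarc_policy']} applies to {parsed['from_domain']}")
    if parsed["source_host"] and parsed["source_host"].endswith(".google.com"):
        notes.append(f"first hop {parsed['source_host']} ({parsed['source_ip']}) is Google "
                     "infrastructure, so passing signatures are expected and prove little")
    return notes


if __name__ == "__main__":
    result = parse_auth_results(SAMPLE_BOUNCE)
    for key, value in result.items():
        print(f"{key:13} {value}")
    for note in triage(result):
        print("-", note)
```

Run against a real message, the point of the notes is the one this review makes: a bounce generated by Google will always carry Google's own DKIM and ARC signatures, so "passed authentication" only tells you who relayed the message, not why a bounce for mail you never sent is sitting in your inbox.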
Attachments
- icon.png: An image file was attached to the email and referenced within the HTML content. Initially appearing as a simple error icon, further investigation revealed that the image was embedded through the following HTML code:
```html
<center>
<a href="mailto:[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected]?subject=Signalez+cela." target="_blank">
<img src="https://ci3.googleusercontent.com/meips/ADKq_NZXnsztNtjClaYn-mOsN_OgOJwcZDzoFUN4sxLRzudR7WuAXLjxoV9PltE4Ybp5OgPmXHfr1fyDoAKPC3QYICeXqpea8sDpSklO0gb7JEJums4=s0-d-e1-ft#https://_xdtmegdjwwtcfyob-.orange.uk.com/img/QnQLLzcStZB5Jzoc" class="CToWUd" data-bit="iit"></a><br><br>
<img><br><br><br><br><br>
<img><br>
</center>
```
This suggests that the icon.png was a disguised vector for potentially malicious actions. It contained an embedded link referencing suspicious email addresses and domains.
Possible Attack Vectors
1. Phishing Campaign:
- While the email passed Google’s security checks (SPF, DKIM, DMARC), the HTML content linked to suspicious email addresses and third-party domains like bluefineq.uk.com and arsvis.uk.com, indicating a phishing attempt.
- The empty <img> tags can be used to hide tracking elements or to redirect users to potentially malicious websites.
2. Data Harvesting:
- The mailto link included in the HTML references multiple email addresses, possibly attempting to collect user responses. This could lead to further phishing attacks or attempts to compromise personal information.
3. Obfuscated Tracking or Malware Delivery:
- The image URL points to Google's image proxy (ci3.googleusercontent.com), a legitimate service that fetches and caches remote images on the reader's behalf; the original source is carried after the `#` in the proxy URL and here resolves to a subdomain of `orange.uk.com`, so the proxy effectively relays content from that domain. This technique is often used in phishing or malware distribution.
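The HTML quoted in the Attachments section, and the three attack vectors above, can be checked mechanically: pull every mailto recipient out of the anchor, count image tags with no source, and unwrap the Google image proxy URL to see which host actually serves the picture. The script below is an added example, not code from the original write-up; it also applies the suffix-matching blocklist that the Recommendations section calls for. The domains are the ones named in this review; the recipient local parts and the proxy token in the sample HTML are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# Domains this review names as candidates for blocking.
SUSPICIOUS_DOMAINS = {"bluefineq.uk.com", "arsvis.uk.com", "orange.uk.com"}

# Constructed sample modelled on the HTML quoted above. The proxy token and the
# recipient local parts are placeholders; the hostnames are those in the review.
SAMPLE_HTML = """\
<center>
<a href="mailto:contact@bluefineq.uk.com;info@arsvis.uk.com;report@example.invalid?subject=Signalez+cela." target="_blank">
<img src="https://ci3.googleusercontent.com/meips/PLACEHOLDERTOKEN=s0-d-e1-ft#https://_xdtmegdjwwtcfyob-.orange.uk.com/img/QnQLLzcStZB5Jzoc" class="CToWUd" data-bit="iit"></a><br><br>
<img><br><br><br><br><br>
<img><br>
</center>
"""


def parse_mailto(href):
    """Split a mailto: URI into its recipient list and subject."""
    target, _, query = href[len("mailto:"):].partition("?")
    recipients = [unquote(r).strip() for r in re.split(r"[;,]", target) if r.strip()]
    subject = parse_qs(query).get("subject", [""])[0]
    return recipients, subject


def unwrap_gmail_proxy(url):
    """Gmail rewrites remote images through googleusercontent.com and keeps the
    original URL in the fragment; return that original URL when present."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host.endswith("googleusercontent.com") and parts.fragment.startswith(("http://", "https://")):
        return parts.fragment
    return url


def domain_matches(host, blocklist):
    """Suffix match so that subdomains of a blocked domain are caught too."""
    return {d for d in blocklist if host == d or host.endswith("." + d)}


class MailHtmlAudit(HTMLParser):
    """Collect mailto recipients, image origins and source-less images."""

    def __init__(self):
        super().__init__()
        self.recipients = []
        self.subjects = []
        self.image_hosts = []
        self.empty_images = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and (a.get("href") or "").lower().startswith("mailto:"):
            recipients, subject = parse_mailto(a["href"])
            self.recipients.extend(recipients)
            self.subjects.append(subject)
        elif tag == "img":
            src = a.get("src")
            if src:
                self.image_hosts.append(urlsplit(unwrap_gmail_proxy(src)).hostname or "")
            else:
                self.empty_images += 1


def audit_html(html_text, blocklist=SUSPICIOUS_DOMAINS):
    """Parse the HTML body and report what it references and what is blocklisted."""
    parser = MailHtmlAudit()
    parser.feed(html_text)
    parser.close()
    hits = set()
    for recipient in parser.recipients:
        hits |= domain_matches(recipient.rpartition("@")[2].lower(), blocklist)
    for host in parser.image_hosts:
        hits |= domain_matches(host, blocklist)
    return {
        "recipients": parser.recipients,
        "subjects": parser.subjects,
        "image_hosts": parser.image_hosts,
        "empty_images": parser.empty_images,
        "blocklist_hits": sorted(hits),
    }


if __name__ == "__main__":
    for key, value in audit_html(SAMPLE_HTML).items():
        print(f"{key:15} {value}")
```

The proxy unwrapping is the step that matters for the third attack vector: a gateway rule that only looks at the literal `src` host sees googleusercontent.com and lets the image through, while the host that actually serves it is the one to match against the blocklist.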
Recommendations
- Block Suspicious Domains and Emails:
- Block the email addresses and domains found in the embedded link (e.g., bluefineq.uk.com, arsvis.uk.com, orange.uk.com) across your organization’s email systems to prevent further phishing attempts.
- Investigate the icon.png Further:
- Conduct a detailed scan of the icon.png file using advanced malware detection tools to identify any hidden payloads.
- User Education on Phishing:
- Raise awareness among users about the dangers of seemingly legitimate emails from system administrators, especially when they include hidden links, attachments, or suspicious HTML code.
- Monitor Email Traffic:
- Continuously monitor incoming emails for signs of repeated phishing attempts or suspicious activity, particularly those involving similar domains or email addresses.
Conclusion
The email initially appeared to be a legitimate delivery failure notification from Google's Mail Delivery Subsystem. However, further investigation revealed that the attached image icon.png contained malicious HTML code that linked to multiple suspicious email addresses and potentially dangerous domains. While no immediate damage was detected, this incident highlights the importance of reviewing even seemingly legitimate emails for hidden threats.
Immediate actions should be taken to block the malicious email addresses and domains, and further analysis of the icon.png file is warranted to ensure no additional security risks are present. Continued vigilance is recommended to prevent future phishing attacks.
Networking student ||cyber security Enthusiast
1 month
Phishing tactics are getting clever! Thanks for sharing. This is a great reminder that even the simplest attachments can be dangerous. We need to be extra cautious!