[ALERT!!!] Phishing Campaign Forensics Review

Incident Overview

In the past week, I received numerous calls from various sources, all reporting suspicious emails that raised red flags. Then, I personally encountered a similar email format, which immediately caught my attention and prompted a deeper investigation.


Email Screenshot

It all began with the arrival of an email to [email protected] from the Mail Delivery Subsystem at Google. The email reported that a delivery attempt to [email protected] had failed. The failure was due to the fact that the recipient address could not be found, suggesting the email address either does not exist or is currently inactive.

Key Findings

1. Source of Email

- The email originated from mail-sor-f65.google.com, with the IP address 209.85.220.65.

- Google’s SMTP servers processed the email. The DKIM signature verified and the SPF check did not reject it (the exact SPF result is noted below), confirming that the bounce notification itself genuinely came from Google’s infrastructure; on its own this says nothing about the content the bounce carried.

2. SMTP and Delivery Path

- The email was routed through multiple servers within Google’s infrastructure, beginning from mail-sor-f65.google.com and terminating at the intended mailbox [email protected].

- SPF validation returned a "none" result, meaning the envelope sender domain ([email protected]) publishes no SPF policy, but the DKIM signature from googlemail.com passed, so the signed headers and body were not altered between Google’s signing server and the recipient.

3. Failure Reason

- The delivery failed because the email address [email protected] could not be located.

- Google provided an error message: "The email account that you tried to reach does not exist."

4. Security and Integrity

- The email had valid ARC-Seal, DKIM, and ARC-Message-Signature headers, verifying its integrity and authenticity during transmission.

- The DMARC policy was enforced (p=QUARANTINE), indicating a robust security policy to prevent spoofing from Google domains.

5. Content Analysis

- The body of the email contained a notification that the address [email protected] was unreachable.

- A link to Google's support page was provided for further information: [Learn more](https://support.google.com/mail/?p=NoSuchUser).
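The authentication results listed above are worth checking mechanically, because a "pass" only identifies which infrastructure signed and relayed the message. The following Python script is an added example written for this review, not code from the original post: it parses a constructed Authentication-Results header modelled on the results reported here (SPF "none" for the envelope sender, DKIM pass from googlemail.com, DMARC pass with p=QUARANTINE, ARC pass) and separates what the results establish (the bounce really came through Google) from what they leave open (the content). The envelope domain `sender.invalid` and the signature value are placeholders.

```python
import re

# Constructed Authentication-Results value modelled on the results in this
# review (not the real header of the analysed message): ARC and DKIM pass,
# SPF "none" for the envelope sender, DMARC pass with p=QUARANTINE.
SAMPLE_AUTH_RESULTS = """mx.google.com;
       arc=pass (i=1 spf=none dkim=pass dmarc=pass);
       dkim=pass header.i=@googlemail.com header.s=20230601 header.b=EXAMPLEsig;
       spf=none (google.com: sender.invalid does not designate permitted sender hosts) smtp.mailfrom=bounce@sender.invalid;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com"""


def parse_authentication_results(header_value):
    """Parse an Authentication-Results (RFC 8601) value into
    {method: {"result": ..., "props": {...}, "comment": "..."}}.
    Assumes parenthesised comments contain no ';' (true for Google's headers)."""
    body = " ".join(line.strip() for line in header_value.splitlines())
    _, _, body = body.partition(";")            # drop the authserv-id (mx.google.com)
    results = {}
    for clause in body.split(";"):
        m = re.match(r"\s*(\w+)=(\w+)", clause)  # method=result
        if not m:
            continue
        rest = clause[m.end():]
        comments = re.findall(r"\(([^)]*)\)", rest)
        rest = re.sub(r"\([^)]*\)", " ", rest)   # properties live outside comments
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        results[m.group(1).lower()] = {
            "result": m.group(2).lower(),
            "props": props,
            "comment": " ".join(comments),
        }
    return results


def dmarc_policy(results):
    """Return the published DMARC policy (p=...) quoted in the dmarc clause comment."""
    m = re.search(r"\bp=(\w+)", results.get("dmarc", {}).get("comment", ""))
    return m.group(1).upper() if m else None


def assess(results):
    """Summarise what the results establish and which gaps remain."""
    dkim = results.get("dkim", {})
    spf = results.get("spf", {})
    dmarc = results.get("dmarc", {})
    signer = dkim.get("props", {}).get("header.i", "").lstrip("@")
    findings = []
    if dkim.get("result") == "pass":
        # signed headers and body are unmodified since the signer handled the message
        findings.append(f"dkim_pass:{signer}")
    if spf.get("result") == "none":
        # the envelope sender domain publishes no SPF record at all
        findings.append(f"spf_none:{spf.get('props', {}).get('smtp.mailfrom', '?')}")
    if dmarc.get("result") == "pass":
        findings.append(f"dmarc_pass:p={dmarc_policy(results)}")
    return {
        # DKIM + DMARC pass identify the sending infrastructure, nothing more;
        # the HTML body still has to be reviewed on its own merits.
        "sending_infrastructure_verified": dkim.get("result") == "pass"
        and dmarc.get("result") == "pass",
        "signer": signer,
        "findings": findings,
    }


if __name__ == "__main__":
    parsed = parse_authentication_results(SAMPLE_AUTH_RESULTS)
    for method, info in parsed.items():
        print(f"{method:6} {info['result']:5} {info['props']}")
    print(assess(parsed))
```

Feed it the value of the `Authentication-Results:` header added by your own receiving MTA (here `mx.google.com`), not one added upstream, since an attacker can insert fake ones further back in the chain.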

Attachments

- icon.png: An image file was attached to the email and referenced from the HTML body. It appeared at first to be a simple error icon, but closer inspection of the HTML part that references it showed the following markup:

```html
<center>
<a href="mailto:[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected]?subject=Signalez+cela." target="_blank">
<img src="https://ci3.googleusercontent.com/meips/ADKq_NZXnsztNtjClaYn-mOsN_OgOJwcZDzoFUN4sxLRzudR7WuAXLjxoV9PltE4Ybp5OgPmXHfr1fyDoAKPC3QYICeXqpea8sDpSklO0gb7JEJums4=s0-d-e1-ft#https://_xdtmegdjwwtcfyob-.orange.uk.com/img/QnQLLzcStZB5Jzoc" class="CToWUd" data-bit="iit"></a><br><br>
<img><br><br><br><br><br>
<img><br>
</center>
```

This suggests that icon.png was being used as a disguised lure: the visible error icon is wrapped in a mailto link addressed to several suspicious mailboxes, and the image itself is loaded from an external domain rather than from Google.

Possible Attack Vectors

1. Phishing Campaign:

- While the email passed Google’s security checks (SPF, DKIM, DMARC), the HTML content linked to suspicious email addresses and third-party domains like bluefineq.uk.com and arsvis.uk.com, indicating a phishing attempt.

- An embedded <img> whose source sits on a third-party host can act as a hidden tracking element (fetching it tells the sender that the message was opened) or can lead users to potentially malicious websites.

2. Data Harvesting:

- The mailto link included in the HTML references multiple email addresses, possibly attempting to collect user responses. This could lead to further phishing attacks or attempts to compromise personal information.

3. Obfuscated Tracking or Malware Delivery:

- The image URL points to Google's image proxy (ci3.googleusercontent.com), which is a legitimate service; however, the original source that follows the `#` in that URL shows the image is actually served from a subdomain of `orange.uk.com`, so the proxy is relaying content from a suspicious domain. This technique is often used in phishing or malware distribution.

Recommendations

- Block Suspicious Domains and Emails:

- Block the email addresses and domains found in the embedded link (e.g., bluefineq.uk.com, arsvis.uk.com, orange.uk.com) across your organization’s email systems to prevent further phishing attempts.

- Investigate the Icon.png Further:

- Conduct a detailed scan of the icon.png file using advanced malware detection tools to identify any hidden payloads.

- User Education on Phishing:

- Raise awareness among users about the dangers of seemingly legitimate emails from system administrators, especially when they include hidden links, attachments, or suspicious HTML code.

- Monitor Email Traffic:

- Continuously monitor incoming emails for signs of repeated phishing attempts or suspicious activity, particularly those involving similar domains or email addresses.
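To make the indicator extraction and the block-and-monitor recommendations repeatable, here is an added Python example written for this review (not the author's code and not part of the original post). It covers both the markup quoted under Attachments and the recommendations above: it parses the HTML with the standard library, collects every mailto recipient and image source, resolves the real origin behind Gmail's image proxy (the URL after `#`), and checks the resulting hosts against a deny-list. The sample HTML is constructed to mirror the quoted markup: the mailbox local parts (`user1`, `user2`, `user3`) and the proxy token are placeholders, and the domains are the ones named in this write-up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed HTML modelled on the markup quoted under "Attachments".
# Local parts and the proxy token are placeholders; the domains are the
# ones this review names (bluefineq.uk.com, arsvis.uk.com, orange.uk.com).
SAMPLE_HTML = """
<center>
<a href="mailto:user1@bluefineq.uk.com;user2@arsvis.uk.com;user3@bluefineq.uk.com?subject=Signalez+cela." target="_blank">
<img src="https://ci3.googleusercontent.com/meips/ADKq_EXAMPLETOKEN=s0-d-e1-ft#https://_xdtmegdjwwtcfyob-.orange.uk.com/img/QnQLLzcStZB5Jzoc" class="CToWUd" data-bit="iit"></a><br><br>
<img><br><br><br><br><br>
<img><br>
</center>
"""

# Deny-list taken from the recommendations in this review.
DENY_LIST = {"bluefineq.uk.com", "arsvis.uk.com", "orange.uk.com"}


class IndicatorExtractor(HTMLParser):
    """Collect mailto recipients and image sources from an HTML body."""

    def __init__(self):
        super().__init__()
        self.mailto_recipients = []
        self.image_sources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        href = (attrs.get("href") or "")
        if tag == "a" and href.lower().startswith("mailto:"):
            addresses, _, _ = href[len("mailto:"):].partition("?")  # drop ?subject=...
            for addr in re.split(r"[;,]", unquote(addresses)):
                if addr.strip():
                    self.mailto_recipients.append(addr.strip())
        elif tag == "img" and attrs.get("src"):
            self.image_sources.append(attrs["src"])


def origin_of_image(url):
    """Gmail's image proxy (ci*.googleusercontent.com/meips/<token>#<original>)
    carries the original source in the fragment; return the host the image
    is really fetched from, or the URL's own host for any other URL."""
    parts = urlsplit(url)
    host = parts.hostname
    if host and host.endswith(".googleusercontent.com") and parts.fragment.startswith("http"):
        return urlsplit(parts.fragment).hostname
    return host


def matches_deny_list(host, deny_list=DENY_LIST):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in deny_list)


def extract_indicators(html_text):
    parser = IndicatorExtractor()
    parser.feed(html_text)
    parser.close()
    hosts = {h for h in (origin_of_image(u) for u in parser.image_sources) if h}
    return {
        "mailto_recipients": sorted(set(parser.mailto_recipients)),
        "image_hosts": sorted(hosts),
    }


def triage(html_text, deny_list=DENY_LIST):
    """Return the indicators, the deny-list hits, and a verdict for the message."""
    ind = extract_indicators(html_text)
    recipient_domains = {a.rpartition("@")[2] for a in ind["mailto_recipients"]}
    hits = {d for d in recipient_domains if matches_deny_list(d, deny_list)}
    hits |= {h for h in ind["image_hosts"] if matches_deny_list(h, deny_list)}
    if hits:
        verdict = "block"
    elif ind["mailto_recipients"] or ind["image_hosts"]:
        verdict = "review"   # external references, but nothing on the list yet
    else:
        verdict = "clean"
    return {"indicators": ind, "deny_list_hits": sorted(hits), "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

Feed `triage` the HTML part of each suspicious message (for a parsed `email.message.EmailMessage`, `msg.get_body(preferencelist=("html",))`), and append any newly observed domains from "review" verdicts to the deny-list as they are confirmed, which gives the continuous-monitoring step a concrete input.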

Conclusion

The email initially appeared to be a legitimate delivery failure notification from Google's Mail Delivery Subsystem. However, further investigation revealed that the attached image icon.png contained malicious HTML code that linked to multiple suspicious email addresses and potentially dangerous domains. While no immediate damage was detected, this incident highlights the importance of reviewing even seemingly legitimate emails for hidden threats.

Immediate actions should be taken to block the malicious email addresses and domains, and further analysis of the icon.png file is warranted to ensure no additional security risks are present. Continued vigilance is recommended to prevent future phishing attacks.

Mayssa Rzouga

Networking student ||cyber security Enthusiast

1 month

Phishing tactics are getting clever! Thanks for sharing. This is a great reminder that even the simplest attachments can be dangerous. We need to be extra cautious!


More articles by oussama ben hadj dahman
