Understanding Phishing and Email Header Analysis

What is Phishing?

Phishing emails are a common method used by cybercriminals to gain unauthorized access to sensitive information, steal money, or launch further attacks. To protect against phishing, it's important to be cautious when opening emails, especially if they contain unexpected attachments, ask for personal information, or seem suspicious in any way. Verifying the sender's authenticity and avoiding clicking on links or downloading attachments from untrusted sources is essential in safeguarding against phishing threats.

Those are the general recommendations and best practices; to go deeper into the topic, let's look at the mechanics.

Email headers are the most useful artifact when analyzing an email. We will go through some of the fields and their uses in analyzing a phishing email, but first let's look at where to find the header in the most common email clients, i.e. Outlook and Gmail.

Viewing Email Headers in Outlook:

Open Outlook: Launch the Outlook application on your computer.

Select the Email: Locate the email for which you want to view the header in your inbox or another folder.

Double-Click the Email: Open the email by double-clicking on it to view its content.

View Message Options:

In Outlook 2010 and later versions: Click on the "File" tab, then select "Properties."

In Outlook 2007: Click on "View" in the email message, then select "Options."

Look for Internet Headers: In the "Properties" or "Options" window, you will find a section called "Internet Headers" or "Message Options." This section contains the email header information.

Copy the Header: To copy the email header information, click inside the "Internet Headers" section, select all the text (usually Ctrl + A), and copy it (Ctrl + C) to your clipboard.

Viewing Email Headers in Gmail:

Open Gmail: Go to the Gmail website (https://mail.google.com) and log in to your account if you're not already logged in.

Select the Email: Locate the email whose header you want to view in your inbox or another Gmail folder.

Open the Email: Click on the email to open it and view its contents.

Access More Options:

In the new Gmail interface: Click on the three vertical dots (More options) located on the top right of the email.

In the classic Gmail interface: Click on the down arrow (More options) next to the "Reply" button.

Choose "Show Original": In the dropdown menu, select "Show original." This opens a new tab or window with the full email header information.

Copy the Header: In the new tab or window displaying the email's original version, you can copy the entire header by selecting all the text (usually Ctrl + A) and copying it (Ctrl + C) to your clipboard.

Decoding the Header

Phishing attacks, with their intricate deceptions, demand vigilance in email communication. One of the most effective tools against these threats is a thorough analysis of email headers. This guide provides an overview of the critical email header fields, coupled with a sample header, to help unveil potential phishing attempts.

1. Received Paths and IP Tracking:

The "Received" field provides a sequential account of the servers an email traversed. Each relaying server prepends its own line, so read them from the bottom (origin) upwards, and trust only the lines added by servers you control, since an attacker can insert fake "Received" lines before handing the message over. Tracing these paths and investigating the associated IP addresses can reveal mismatches between the claimed email origin and its actual path.

Example from sample header:

Received: from mail123.fakecompany.com ([192.168.0.123]) by mail.yourcompany.com with ESMTP;

2. From and Reply-To Fields:

The sender's identity is usually in the "From" field, but phishers can spoof this. Cross-checking it against "Reply-To" helps: a "Reply-To" address at a different domain from the "From" address is a common sign that replies are being diverted to an address the attacker controls.

Sample header snippet:

From: CEO <[email protected]>

Reply-To: [email protected]

3. Return-Path and Bounce Analysis:

"Return-Path" indicates the email address where bounces are directed. It is taken from the SMTP envelope sender (the address SPF is evaluated against), so it can differ from the "From" header; phishers exploit this to pass SPF for a domain they control while displaying a trusted "From" address.

Sample:

Return-Path: <[email protected]>

4. Authentication Protocols: SPF, DKIM, and DMARC:

These protocols validate the sender's legitimacy and message integrity: SPF checks whether the sending IP is authorized by the envelope-sender domain, DKIM verifies a signature whose signing domain is given in the "d=" tag, and DMARC requires one of them to align with the "From" domain. A "pass" alone is not enough: check that the domain that passed (the SPF domain or the DKIM "d=" value) matches the domain in the "From" header, since an attacker can pass both checks for a domain of their own.

Received-SPF: pass (domain of trustedcompany.com designates 192.168.0.123 as permitted sender)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=trustedcompany.com;
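The checks in sections 1 to 4 can be automated. The following Python script is an added example, not code from the original article: it parses two constructed raw messages (built for this example, reusing the page's trustedcompany.com and fakecompany.com names, with documentation-range IPs) and reports where the "Received" chain, "Reply-To", "Return-Path", the SPF domain and the DKIM "d=" tag disagree with the "From" domain. The field names are the standard ones from the page; the regexes for "Received" and "Received-SPF" are this example's own simplifications and assume the common formats shown above.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (not a real capture): the visible From says trustedcompany.com,
# but the relay, Reply-To, Return-Path, SPF domain and DKIM d= all say fakecompany.com.
SUSPICIOUS_RAW = b"""\
Return-Path: <bounce@fakecompany.com>
Received: from mail123.fakecompany.com ([192.168.0.123]) by mail.yourcompany.com with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [10.0.0.5] by mail123.fakecompany.com with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
Received-SPF: pass (domain of fakecompany.com designates 192.168.0.123 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fakecompany.com; s=sel; h=from:to:subject; bh=AAAA=; b=BBBB=
From: CEO <ceo@trustedcompany.com>
Reply-To: ceo.reply@fakecompany.com
To: finance@yourcompany.com
Subject: Urgent Action Required!

Please wire the funds today.
"""

# Constructed sample where every field aligns with the From domain.
CLEAN_RAW = b"""\
Return-Path: <ceo@trustedcompany.com>
Received: from mail.trustedcompany.com ([203.0.113.10]) by mail.yourcompany.com with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received-SPF: pass (domain of trustedcompany.com designates 203.0.113.10 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=trustedcompany.com; s=sel; h=from:to:subject; bh=AAAA=; b=BBBB=
From: CEO <ceo@trustedcompany.com>
To: finance@yourcompany.com
Subject: Q1 planning

Agenda attached.
"""

def parse_message(raw_bytes):
    """Parse raw RFC 5322 bytes with the modern email policy."""
    return BytesParser(policy=policy.default).parsebytes(raw_bytes)

def domain_of(header_value):
    """Lower-cased domain of an address header such as From or Reply-To, or None."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it (suffix match on a label boundary)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def received_chain(msg):
    """Received hops oldest-first: each relay prepends its own line, so the header
    order is newest-first and is reversed here. Regex is a simplification (assumption)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+)\s*(?:\(\[?([\d.]+)\]?\))?.*?\bby\s+(\S+)", str(value), re.S)
        if m:
            hops.append({"from": m.group(1).strip("[]"), "ip": m.group(2), "by": m.group(3)})
    return hops

def spf_result(msg):
    """(result, domain) from Received-SPF, e.g. ('pass', 'fakecompany.com')."""
    spf = msg.get("Received-SPF")
    if not spf:
        return (None, None)
    m = re.match(r"\s*(\w+)\s*\(domain of (\S+)", str(spf))
    return (m.group(1).lower(), m.group(2).lower()) if m else (str(spf).split()[0].lower(), None)

def dkim_domain(msg):
    """The d= tag (signing domain) of the first DKIM-Signature, or None."""
    sig = msg.get("DKIM-Signature")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig)) if sig else None
    return m.group(1).lower() if m else None

def triage(raw_bytes):
    """Return the From domain, the hop list and every alignment mismatch found."""
    msg = parse_message(raw_bytes)
    from_dom = domain_of(msg.get("From"))
    findings = []
    for field in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(field))
        if dom and dom != from_dom:
            findings.append(f"{field} domain {dom} differs from From domain {from_dom}")
    result, spf_dom = spf_result(msg)
    if result != "pass":
        findings.append(f"SPF result is {result}")
    elif spf_dom and spf_dom != from_dom:
        findings.append(f"SPF passed for {spf_dom}, not for the From domain {from_dom}")
    d = dkim_domain(msg)
    if d is None:
        findings.append("no DKIM-Signature present")
    elif d != from_dom:
        findings.append(f"DKIM d={d} is not aligned with From domain {from_dom}")
    hops = received_chain(msg)
    if hops and from_dom and not in_domain(hops[-1]["from"], from_dom):
        findings.append(f"last relay {hops[-1]['from']} is outside the From domain {from_dom}")
    return {"from_domain": from_dom, "hops": hops, "findings": findings}

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("clean", CLEAN_RAW)):
        print(label, "->", triage(raw)["findings"] or "no mismatches")
```

Running it prints five mismatches for the first message and none for the second. The point of the alignment checks is the one made in section 4: "pass" results are only meaningful when the domain that passed is the one shown in "From".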

5. Subject Line Analysis:

Although not a strict header field, subject lines in phishing emails might use urgency or deceitful offers to bait recipients.

Example:

Subject: Urgent Action Required!

6. X-Headers:

Additional details, often starting with "X-", can provide insights about the email's journey and source.

Sample:

X-Mailer: Microsoft Outlook 15.0

X-Originating-IP: [192.168.0.123]

7. URLs and Link Analysis:

Embedded URLs can redirect recipients to malicious sites. Dissecting the URLs in the message body, and in particular comparing a link's visible text with the address it actually points to, can highlight suspicious domains or URL patterns.

Example within content (not strictly header):

Click here: https://phishingwebsite.com/login
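The visible text of a link and its real target are easy to compare programmatically. This Python script is an added example, not part of the original article: it parses a constructed HTML body (built for this example, reusing the page's domain names and a documentation-range IP), extracts every anchor, and flags links whose displayed host differs from the href host, links to bare IP addresses, and links that are not HTTPS.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body for this example (not a real message): the first link's
# visible text names the trusted domain while the href points elsewhere.
SAMPLE_HTML = """<p>Your account needs attention.</p>
<p><a href="https://phishingwebsite.com/login">https://trustedcompany.com/login</a></p>
<p><a href="https://trustedcompany.com/help">Help centre</a></p>
<p><a href="http://192.0.2.10/verify">Verify now</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"

def host_of(text):
    """Host named by a URL or bare domain inside display text, lower-cased, or None."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,}|" + IP_RE + ")", text, re.I)
    return m.group(1).lower() if m else None

def same_site(a, b):
    """Treat a host and its subdomain as the same site (simple suffix rule, an assumption)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def analyze_links(html):
    """Return one record per link with the warning flags raised for it."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        parsed = urlparse(href)
        href_host = (parsed.hostname or "").lower()
        shown_host = host_of(text)
        flags = []
        if shown_host and not same_site(shown_host, href_host):
            flags.append(f"text shows {shown_host} but link goes to {href_host}")
        if re.fullmatch(IP_RE, href_host):
            flags.append("link target is a bare IP address")
        if parsed.scheme == "http":
            flags.append("link is not HTTPS")
        report.append({"href": href, "text": text, "flags": flags})
    return report

if __name__ == "__main__":
    for entry in analyze_links(SAMPLE_HTML):
        print(entry["href"], "->", entry["flags"] or "ok")
```

The display-text check is the important one: a link whose visible text reads as one domain but resolves to another is the classic phishing pattern, and the HTML parser sees both sides where a human reading the rendered message sees only the text.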

To make your life easier, here is a list of free header-analysis tools:

MxToolbox Email Header Analyzer https://mxtoolbox.com/EmailHeaders.aspx

Google Postmaster Tools (Gmail) https://postmaster.google.com/

SPF/DKIM/DMARC Record Lookup https://mxtoolbox.com/

Conclusion:

By systematically breaking down an email header, as illustrated with our sample, you can uncover telltale signs of phishing attempts. As email communication remains central in today's digital age, mastering the art of email header analysis becomes indispensable for digital safety. Remember: In the world of cybersecurity, knowledge and caution are your best allies.
