📧

Comprehensive Email Analysis for Cybersecurity

Sep 3, 2024

Email Analysis for Cybersecurity

Introduction

  • Email is a common method for attackers to gain initial access.
  • Focus on phishing techniques.
  • The video will guide through a lab exercise from Blue Team Cyber Range called "The Planet's Prestige."

Getting Started

  • Register/log in to Blue Team Labs.
  • Navigate to challenges and search for "planet" to find "The Planet's Prestige."

Scenario Overview

  • Planet Canda: Facing riots due to abductions of citizens.
  • President's daughter has gone missing.
  • An email is received by an Army Major on Earth regarding the situation.

Email Download and Analysis

Downloading the Email

  • Download the email file and use password: BT (lowercase).
  • Recommended tools for analysis:
    • Notepad++ (text editor)
    • HxD (hex editor)
    • 7-Zip (file extraction)

Email Analysis Steps

  1. Open the Email in Notepad++

    • Start from the top of the email.

  2. Key Fields:

    • Delivered-To: Recipient’s email address.
    • Received: Email servers involved in delivery.
    • X-Headers: Optional headers added by email servers.
    • ARC Headers: Used for verification purposes.
    • Return-Path: Address for failed deliverability notifications.
    • Authentication Results: Check SPF, DKIM, and DMARC statuses.
      • SPF failure indicates suspicion.
    • From and Reply-To Fields: Discrepancies can indicate phishing attempts.
    • Content Type: Indicates how the email content is rendered.
    • Message ID: Unique identifier for the email.
    • Date: Can be spoofed, but useful for tracking.

  3. Decoding Base64 Content:

    • Use CyberChef to decode Base64 content from the email's body.
    • Revealed message: Demand for 1 billion candies in exchange for abducted citizens.

  4. Analyzing Email Attachments:

    • Check attachment type indicated in the email.
    • First check file signatures to identify actual file types.
    • Puzzle file: Initially labeled as PDF but was a ZIP file containing other files.
    • File Extensions: Rename files appropriately based on their signatures and content.

  5. File Contents:

    • Use tools like HxD for file analysis, checking first bytes for file signatures.
    • Found additional files including:
      • JPEG file: "daughter's Crown"
      • PDF file: "good job major"
      • Excel file: "money.xlsx"

Findings from Analysis

  • The actor disguised the attachment as a PDF but it was a ZIP file.
  • The Excel file contained hidden Base64 content leading to a coded message regarding an attack.

Important Fields to Focus on

  • Received: Check IP/domain reputation.
  • Return Path: Important for identifying sender.
  • Authentication Results: Look into SPF, DKIM, DMARC statuses.
  • From/Reply-To: Inspect for discrepancies.
  • Content Type: Know how content is being rendered.
  • Message ID: Use for tracking across systems.

Course Information

  • The speaker offers a course covering email analysis in detail.
  • Waitlist available for interested learners.

Conclusion

  • Mastering email analysis is crucial for SOC analysts.
  • Emphasize continuous learning and skill enhancement.
  • Video encourages sharing and subscribing for more content.

Full transcript