A phishing email was reported by a student through the university’s phishing reporting channel. The email appeared to impersonate university IT and prompted the user to "verify account credentials." I conducted a static email analysis to evaluate the threat without triggering any content or executing any code.

Below is a breakdown of the analysis process and the tools used to investigate the email safely and effectively.

📨 Header Analysis

The first step was to extract and review the email headers to validate the sender’s legitimacy.

Key observations:

From address: it-support@lsus-helpdesk[.]org
Return-Path mismatch with From
SPF passed
DKIM and DMARC both failed
The domain lsus-helpdesk[.]org was not owned by the university

📌 Tools used:

MxToolbox Header Analyzer
Message Header Analyzer add-in for Outlook

🔗 URL Extraction and Analysis

The email contained a single embedded link labeled “Verify My Account” pointing to:

arduinoCopyEdithttps://login-lsus365[.]webredirectauth[.]xyz

I extracted the link without clicking and submitted it to the following tools:

✅ Results:

Tool	Result
VirusTotal	Detected by 6 engines as phishing
URLScan.io	Rendered a fake Microsoft 365 login page
CheckPhish.ai	Labeled as phishing, flagged visual similarity to Microsoft
WHOIS	Domain registered 48 hours ago, privacy-protected
AbuseIPDB	No current abuse reports, but flagged for future monitoring

🧪 HTML Body Review (Static)

Using CyberChef, I decoded the HTML portion of the email. Findings included:

An invisible iframe loading the phishing site
Base64-encoded redirect script
Email was formatted to look identical to a Microsoft 365 notification

📌 Tools used:

CyberChef
Manual HTML inspection

📂 Attachment Review (If Present)

In this case, no attachment was present. If there had been .doc, .pdf, or .html files, I would have used:

oletools / oleid – macro analysis
pdfid.py – static PDF analysis
strings / exiftool – file metadata review

🧾 Summary of Indicators of Compromise (IOCs)

Type	Value
Malicious URL	`https://login-lsus365[.]webredirectauth[.]xyz`
Domain	`webredirectauth[.]xyz`
Sender	`it-support@lsus-helpdesk[.]org`
DKIM / DMARC	Failed
iframe Src	Hidden redirect to phishing page

🔒 Remediation Steps Taken

Blocked domain and URL at the email gateway and firewall
Queried mail logs to identify other recipients (11 additional users)
Notified all affected users
Submitted phishing domain to Google Safe Browsing and Microsoft Defender Intelligence

🧰 Tools Used

Tool	Purpose
MxToolbox	Header analysis
VirusTotal	URL reputation
URLScan.io	Web rendering and behavior
CheckPhish.ai	Phishing detection
CyberChef	Decoding and static inspection
WHOIS lookup	Domain age and ownership
AbuseIPDB	IP/domain reputation monitoring

✅ Conclusion

The phishing email used visual impersonation, newly registered domains, and evaded basic filters by passing SPF. Static analysis alone was sufficient to confirm its malicious intent and allowed us to block the threat without needing dynamic interaction or sandbox detonation.

This case reinforces the value of proper reporting channels and fast static triage using open-source, reliable tools.

💬 Final Thoughts

This incident was a great reminder that end-user awareness matters—this campaign bypassed email security filters, but a vigilant student triggered our defense. As SOC analysts, we don’t always need heavy automation or dynamic sandboxes to catch a phish.

Sometimes, a bit of static analysis and good intuition is all it takes avoid interacting with the content directly. Always extract URLs and analyze them in safe, sandboxed environment is all it takes.

🧠 Pro Tip: When analyzing suspicious emails,ments like URLScan.io and VirusTotal.

🎣 Static Email Analysis During a Reported Phishing Attempt