Cast a Net: Investigating Phishing in a Sea of Scams


Sailing through the waves of email communication may seem easy at first glance. Over the years, multiple companies like Google and Microsoft (Outlook) have meticulously built systems to protect us from unwanted spam and suspicious emails. I could stop writing here and rest comfortably, knowing that the big tech companies will take care of my mailbox... However, malicious activity is on the rise, and threat actors don't stop trying to break through these controls and send emails containing neatly packed malicious surprises. Sometimes they do manage to get through and reach their intended destinations, ready to lure us toward infected URLs or files. And, believe you me, what they say about one bad (ph)ish spoiling the whole barrel is utterly true.
While working on the phishing-defense labs by LetsDefend, I closely studied all the techniques and tools mentioned there that are currently used in cybersecurity. Below, I'm sharing with you the results of my research and learning. Feel free to point out any inconsistencies if you notice any. I'm constantly learning and striving to get better! My mailbox is always open for polite conversations.
IMPORTANT: In my post, I plan to focus solely on technical aspects and specific tools used to assess a phishing email. I will omit obvious steps such as checking for grammar mistakes, font or language inconsistencies, or the general aesthetics of the email. I also plan to write more about phishing incident alerts in a separate post.
EMAIL HEADER ANALYSIS
A good starting point for our analysis is the email header. It's a section of code at the beginning of an email that contains metadata of the message. The most commonly recognizable sections are From, To, Subject, and Date. In addition to these, there are also:
Received: this part of the header reveals the steps of the email delivery route before it reached the current mailbox. Each SMTP server that relays the message adds its own Received line, so it shows which servers handled the email and in what order.
Message-ID: A unique set of characters for every email. It’s generated automatically to prevent duplicate delivery.
Multipurpose Internet Mail Extension (MIME): An Internet standard that allows the addition of media attachments to an email.
Reply-To: Indicates the address to which our replies are directed, which may differ from the From address.
Content-Type: Reveals the format of the email body (e.g., plain text, HTML).
Authentication-Results: Shows the results of authentication checks. It often contains rich information and can tell us a lot about the legitimacy of the email. Examples of authentication protocols include SPF, DKIM, and DMARC.
Return-Path: Sometimes an email bounces off your mailbox and is sent back to another address. The receiving address for bounced messages is indicated in the Return-Path section.
There are two approaches to examining email data: static and dynamic. We'll have a look at both, and I'll list the crucial points to check when analysing a suspected phishing email.
STATIC ANALYSIS
During the static analysis, I examine the email’s header and content without executing anything.
- I compare the ‘From’ and ‘Return-Path’ / ‘Reply-To’ fields. If these don’t match, it’s a red flag. Typically, we should be able to reply directly to the sender - not to a new, unknown address.
- I remember to check the sending SMTP server. To do that, I look at the Received header section. These lines show whether the email was accepted and hint at the steps of that process.
- Investigate the domain age. In most phishing attacks, attackers register a new domain and use it for a short time. We can use tools like who.is to find detailed information about domain names. If a malicious actor is using an address from a well-known service like Google, this check won’t reveal much. However, they often use newly registered domains, and a brand-new domain is a strong indicator of phishing.
- Hover over links/buttons without clicking. Make sure the displayed URL matches the actual destination. If they differ, that’s suspicious.
- Scan URLs using VirusTotal. It helps check whether a domain is flagged as malicious. Keep in mind: if the domain is new and not yet reported, it may appear clean. Moreover, if an attacker checks their own domain in VirusTotal before launching the attack, it might still appear safe at the time of investigation.
- Use Cisco Talos Intelligence to check IP reputation. Look up the sender’s IP address. You can also use VirusTotal and AbuseIPDB to assess the risk.
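To show how the header fields described above and the static checks in this list fit together, here is an added example of my own (not code from the LetsDefend labs or from the original post) that runs the From vs. Reply-To/Return-Path comparison, reads the SPF/DKIM/DMARC verdicts from Authentication-Results and walks the Received chain back to the originating hop. The raw message is a constructed sample: every address, host name and IP address in it is made up.

```python
# Added example, not from the original post: run the article's static header
# checks with Python's standard library. RAW_SAMPLE is a constructed message;
# every address, host and IP address in it is made up.
import email
from email.utils import parseaddr

RAW_SAMPLE = """\
Return-Path: <bounce@mail-track.example.net>
Received: from relay.example.net ([203.0.113.7]) by mx.victim.example with ESMTP
Received: from [198.51.100.23] (unknown) by relay.example.net with SMTP
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mail-track.example.net;
 dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: <helpdesk@bank-secure-login.example>
Subject: Urgent: verify your account
"""

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is missing."""
    addr = parseaddr(" ".join((header_value or "").split()))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def parse_auth_results(value):
    """Map method -> result, e.g. {'spf': 'fail'}, from Authentication-Results."""
    results = {}
    for clause in " ".join((value or "").split()).split(";")[1:]:  # [0] is authserv-id
        words = clause.split()
        if words and "=" in words[0]:
            method, result = words[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results

def triage(raw):
    """Return the red flags the article's static checks raise, plus the first hop."""
    msg = email.message_from_string(raw)
    sender, findings = domain_of(msg["From"]), []
    for field in ("Reply-To", "Return-Path"):
        other = domain_of(msg[field])
        if other and other != sender:
            findings.append(f"{field} domain {other} differs from From domain {sender}")
    auth = parse_auth_results(msg["Authentication-Results"])
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} did not pass ({auth.get(method, 'missing')})")
    # Each relay prepends its own Received header, so the last one is the origin.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    if hops:
        findings.append("originating hop: " + hops[-1].split(" by ")[0])
    return findings
```

Calling `triage(RAW_SAMPLE)` lists both address mismatches, the three failed authentication checks and the IP of the first hop, which is the one to look up in Talos, VirusTotal or AbuseIPDB.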
DYNAMIC ANALYSIS
Now, we can swim right into action! Dynamic email analysis focuses on how the email behaves and whether attached files are malicious.
Use a sandbox to safely test suspicious domains or files. Sandboxes run files in a controlled environment and provide reports on their behavior. Some common tools include:
- Cuckoo Sandbox
- Any.Run
- Windows Sandbox
- VMRay
- Joe Sandbox
- Hybrid Analysis (Falcon Sandbox)
As you can see in the photo, I’ve modified the URL by adding [.] to defang it in case of a misclick.
Be patient — some malware has a time delay. Malicious payloads may remain inactive for a while to evade detection. Don’t assume a file is clean just because it doesn’t act immediately.
Malicious emails don't always contain links or attachments. Sometimes the malware is embedded in an image to evade scanners. Never save such files to your main machine—always use a sandbox. While some platforms auto-scan attachments, detecting files hidden inside images often requires downloading and analyzing them manually. Keep your sandbox ready!
CASTING OFF
The sea of phishing attacks is vast, but with the right tools, sharp instincts, and a healthy dose of caution, we can navigate it safely. Stay alert, stay curious, and never stop casting your net — because in cybersecurity, even the smallest catch can make the biggest difference.
Written by

Emilia Vemaraju