EMAIL ANALYSIS

8 min readAug 7, 2023

Over the past 2 months, I have dedicated my time to understanding emails to better identify phishing emails and infrastructure. We have all had to deal with emails one way or another. It’s an integral part of adulting. We use emails for official communications either with a vendor’s support team, organisation internal communications, to apply for your dream job etc.

A report by Kaspersky revealed that in Africa in 2022, 8.7% of individuals and corporate users were affected by phishing. With South Africa leading by 9.7%, followed by Kenya at 8.4% and Nigeria at 7%. The most common technique observed to be used was the mimicking of the original websites to establish trust with the victims and lure them into interacting with the page and sharing their credentials with delivery services, messengers and cryptocurrency platforms being the most frequently targeted.

“Within financial phishing, the most targeted categories were online stores and online financial services. In South Africa, 15.4% were through websites of fake payment systems, 68.4% through fake online stores and 16.2% through fake online bank portals. While in Kenya, 22.5% were through websites of fake payment systems, 54.9% through fake online stores and 22.6% through fake online bank portals. And in Nigeria, 31.1% were through websites of fake payment systems, 51.2% through fake online stores and 17.8% through fake online bank portals.” ~ Kaspersky.

The Liquid C2 Cyber Security Report 2022 highlighted that email attacks that include phishing and spam have increased to 74% compared to 67% in the previous year. The above reports clearly tell us that there is need to pay a bit more attention to email attacks.

In this article we will look at:

Email structure, how it works and the role of each email protocol
Email Security
Human Adversarial Behavior
Identify phishing infrastructure using tools such as shodan and censys.

EMAIL STRUCTURE

There are 3 email protocols that are responsible for the sending, receiving and retrieval of emails between a client and a mail server. Namely: SMTP, IMAP, POP3

A. SMTP (Simple Mail Transfer Protocol)

Commonly known to use either port 25, 587 (secure) or 465
Responsible for the sending and receiving of emails between email servers over TCP/IP network.
Executes SMTP commands to identify the sender and recipient email addresses along with the message and attachments if any.

B. IMAP (Internet Messaging Access Protocol)

Used for retrieving emails as requested by the user and caches them on the device.
Commonly known to use port 143 and 993 (secure)

C. POP3 (Post Office Protocol)

Used by email clients to retrieve emails offline from an email server
Here, the client and the intended mail server establish a connection, the email client downloads available emails and their present attachments, saves them on the user device and the mail server proceeds to delete the emails (default behavior).
Commonly known to use port 110 and 995 (secure)

For a graphical representation of how the email protocol works, reference https://www.geeksforgeeks.org/email-protocols/

EMAIL SECURITY

Now that we know how emails work and the function of each protocol during the sending, receiving and retrieval of emails, we will go ahead to look at email security. The question we will be asking ourselves is apart from using secure ports such as 587, 993 etc., what other controls and measures can we put in place to secure email-based communication while preserving the confidentiality, integrity and availability of an organisation’s emails?

Apart from implementing and properly configuring email security solutions such as email gateways, it is important for an organization to establish email security policies to govern user interactions with company emails. The policies can include consequences that your employees may face in the case of privacy violation such as sharing sensitive data with unauthorised third-parties.

Example of email security policies include:

Use of Multi-factor Authentication
Use of strong passwords
Regular software updates
Email encryption (both in transit and at rest)
Integration of email security solutions with threat intelligence feeds/data to assist in the identification of malicious email attachments
User awareness training
Closing of unnecessary ports open on the mail server
Data protection policies to help prevent data leakage (intentional or unintentional)

Before purchasing an email security solution, it is important to factor in the threat intelligence feed/solution that the vendor has integrated and how often it is updated. This will help you determine how fast the tool can detect new and recent malware, attacker tactics etc. The solution can be configured to automatically block or quarantine suspected emails.

IMPLEMENTING SPF, DKIM AND DMARC

We cannot talk about email security and not mention the 3 email authentication methods that are implemented in an effort to prevent phishing and spamming.

SPF, DMARC and DKIM records are stored in the DNS TXT public records of a domain.

A. SENDER POLICY FRAMEWORK (SPF)

Its records contain a list of IP addresses in a domain allowed to send emails. When a domain mail server receives an email, it compares the sender’s IP address against its records before delivering the email to the designated recipient.

B. DOMAINKEYS IDENTIFIED MAIL (DKIM)

Uses cryptography “digital signature” to verify the validity of an email. Before an email is sent, the mail server attaches a unique DKIM signature, one for the header and the other for the message body . The recipient mail server checks the sender's public DKIM key in its DNS TXT records. The public key is then used to decrypt the unique DKIM signature. If they match, the email is delivered to the receiver.

C. DOMAIN-BASED MESSAGE AUTHENTICATION REPORTING AND CONFORMANCE (DMARC)

Instructs the mail server the action to take after the verification of the SPF and DKIM record.

Based on its configuration, the policy can instruct the mail server to quarantine emails with “SPF=fail” and “DKIM=fail”, reject or deliver to recipient. Because of this, it is important to ensure proper configuration to prevent the passage of spams, phishing and malicious emails in general.

DMARC policies are stored in the DMARC records.

Apart from taking action on emails received, the records can also email reports to domain admins to give them view of quarantined emails, successful and failed based on set timelines.

HUMAN ADVERSARIAL BEHAVIOR

The existing user awareness training procedures and studies has mostly focused on end-user behavior leading to the growth of unrealistic protective measures e.g., “do not click on attached links in emails”, to the discovery of components that impact end-user reaction to phishing mails e.g., emotions, urgency, trust etc. Also, adversaries have been observed to employ sophisticated phishing attacks against organisations and traditional email security solutions fail to detect; since they mostly rely on an email’s technical characteristics that can be manipulated to evade detection as observed over the last couple of years.

A study by Frontiers in Psychology on, “Creative Persuasions: A study on Adversarial Behaviors and Strategies in Phishing attacks” looked into the different role incentives, creativity and adversarial strategies have on an attack’s success. They determined that attackers with higher creativity were more capable of adapting and changing their phishing emails to evade detection but it did not play a role in determining their success.

They were also able to determine the MOST successful phishing strategies that will most likely warrant an end user response include use of notifications/reminders, use of authoritative tone, impersonating a friend, expressing shared interests and communicating failure.

In the first quarter of 2022, Kenya was ranked as the most targeted country in Africa with the highest phishing attacks recorded at 5,098,534 Million which translates to a 438% growth. This raises the need to advance phishing trainings in order to empower and enable the public with the information required to not only detect phishing emails but also sophisticated attacks.

The security community should focus on understanding human adversarial behavior's and their strategies in order to determine how deception and different phishing strategies manifest in phishing emails and in turn build stricter policies and solutions that are well versed with the psychology of human behavior.

THREAT INTELLIGENCE: PHISHING LANDING PAGES USING SHODAN AND CENSYS

When performing passive reconnaissance, attackers are known to leverage tools such as shodan and censys to gather more information on their victim’s public infrastructure. https://www.kaspersky.com/blog/shodan-censys/11430/. Similarly, you can use the tools to hunt for adversary infrastructure.

I decided to hunt for phishing sites that target Microsoft and Google. I chose Microsoft and Google because threat actors have been observed to commonly abuse their infrastructure. According to researchers at Vade, phishing attacks abusing the Microsoft brand increased 266% in the first quarter of 2022 compared to 2021.

On Shodan, we will use the search query below to identify pages that include the words "Microsoft" and "Login" in their http title, return a 200 status code and have port 80 and 443 open.

http.title:Microsoft http.title:Login port:80,443 “200 OK”

Key words to help you in the identification of Microsoft phishing landing pages:

“Login” or “Log in” instead of “Sign in”
“Microsoft” in the Page title

From the search, I was able to identify the IP 24.199[.]122[.]49 that included attributes such as inclusion of “Microsoft” on the page title and its SSL Certificate issued by cpanel.

You can barely tell the difference between two. Looking at the source code of our phishing site, I found tags used that from my research, security researchers use to identify phishing kit infrastructure.