Phishing Email Investigation

Description

To further my phishing identification skills, I decided to analyze several emails that seem highly suspicious and are most likely phishing attempts. These are all emails I received in my email inbox. To analyze each email at a quick glance, I examined formatting and information when you first open up the email. For deeper analysis, I examined email headers.

The first three emails share many traits, whereas the last one is more polished and stands apart. For each email, I describe the telltale signs of phishing and walk through its suspicious qualities.

Notes:

[1] To exclude sensitive details, I use ‘organization.com’ in place of the true organization domain within the Return Path addresses, and ‘list’ in place of internal mailing list names. I can confirm that the true organization domain is legitimate and a trustworthy source.

[2] I exclude the full email headers and include only the header details relevant to each analysis.

Email #1

[Image: email-1]

The story: The email recipient has been chosen to receive 5 million euros from a lottery winner. To receive the money, they should reply to the given email.

Relevant Email Header details:

smtp.mailfrom=aeeopyr@tnebnet.org

Reply-To: “richardwahlrichar@gmail.com”

Received-SPF: pass (google.com: domain of list+bncbc745kxmuqebbmoettbqmgqem277jqq@organization.com designates X.X.X.X as permitted sender)

Signs:

At first glance, this email is incredibly suspicious because of how it is formatted: the message's HTML markup is displayed as raw text rather than rendered.

This email promises 5 million euros. Not only is the amount of money being offered too good to be true, it is highly unlikely that a lottery winner would randomly donate such a large sum to strangers via email.

The email starts off with ‘Hello,’ because the attacker does not know the email recipient’s name or personal details. It refers to the email recipient being selected as a winner, but it does not include any information that would be able to identify the email recipient at all. From further inspection of sender details, it also looks like this email was sent out to multiple individuals. This goes to show that the email recipient was not the only one selected; this was sent out to multiple people to see who would take the bait.

The email contains a link to a YouTube video, which the attacker encourages you to click in order to ‘verify’ their identity. While the link appears legitimate, this is a common social engineering tactic used to create a false sense of credibility. The goal of including it is to make you want to believe their story (which is bogus).

The attacker’s goal is to get you to reply with the ‘donation code.’ This is most likely to open the door to further manipulation or extortion.

There is a mismatch between the sender and ‘Reply-To’ addresses. The envelope sender recorded in smtp.mailfrom, aeeopyr@tnebnet.org, uses a domain (tnebnet.org) that has no connection to any known organization or to the supposed lottery winner, Richard Wahl. The ‘Reply-To’ address, richardwahlrichar@gmail.com, is a free Gmail account that anyone can register and that proves nothing about who is writing. A Reply-To pointing somewhere other than the sending domain means the attacker sends from one account and collects replies at another; legitimate communications use consistent, verifiable sender addresses.

The ‘Return Path’ deserves a closer look, because it is easy to misread. It is set to list+bncbc745kxmuqebbmoettbqmgqem277jqq@organization.com, and organization.com belongs to a legitimate organization [1]. The long tag after the plus sign is not an attempt to forge that organization, though: the ‘list+bnc…’ form is the bounce-tracking (VERP) address that Google Groups generates when it redistributes a message to a mailing list, which is also why this email reached several people at once. The SPF ‘pass’ in the header therefore only states that the list server is a permitted sender for organization.com; it says nothing about whether tnebnet.org authorized the original message. When reading headers, keep the hops apart: a relayed message carries the relay's SPF result, not the originator's, and the original sender still has to be judged on its own domain and Reply-To.

Email #2: Foreign Compensation Notification

[Image: email-2]

The story: The email recipient has been chosen to receive 2.4 million USD from the British Compensation Commission and the United Nations.

Relevant Email Header details:

smtp.mailfrom=test@property24.com

Received-SPF: pass (google.com: domain of list+bncbdf73y7evymbbhmrw7bamgqesym3xyy@organization.com designates X.X.X.X as permitted sender)

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Signs:

Like Email #1, this message offers a deal that seems too good to be true: the recipient is told they have been “selected” to receive $2.4 million from the British Compensation Commission, with no explanation of why the UK would grant such a sum to someone it has never dealt with. Furthermore, a credible organization like the United Nations would not conduct official business through a Gmail reply address. These inconsistencies raise multiple red flags.

The email opens with “Dear Beneficiary,” a vague and impersonal greeting that could apply to anyone. It’s evident that the sender has no prior knowledge of the recipient, as they later request specific personal information in the email. A closer look at the email header reveals that it was sent to multiple recipients simultaneously, further confirming that this is a mass email. The generic greeting and broad distribution suggest the sender is casting a wide net, hoping someone will take the bait and share their personal details.

The email claims that the compensation was approved by the British Compensation Commission, the United Nations, and U.S. representatives in London. The use of these legitimate organizations is intended to create a false sense of credibility. By referencing well-known and trusted entities, the sender attempts to persuade the recipient that the offer is official and trustworthy—when in reality, it’s a tactic to lend legitimacy to a fraudulent message.

The email asks the recipient to provide personal details such as full name, contact address, and direct phone number. For an offer involving such a large sum, it is highly suspicious that the sender lacks even the most basic details about the supposed beneficiary. This confirms that the sender has no prior knowledge of the recipient and is simply harvesting personal information to exploit later.

The sender imposes a 5-day deadline to respond, creating a false sense of urgency. This is a common tactic in phishing scams, designed to pressure the recipient into acting quickly without thinking critically. By making the offer seem time-sensitive, the scammer hopes to increase the chances of a hasty reply and the surrender of personal information.

The email appears to come from a sender named Renee Freeman, using the address test@property24.com. The domain property24.com is unrelated to either the United Nations or the British Compensation Commission, the organizations the sender claims to represent, and a local part of ‘test’ looks like a default or abused mailbox rather than a named official. Official correspondence from such entities would come from a verified, matching domain.

Additionally, the Reply-To address is williamsbyran392@gmail.com, a free Gmail account that anyone can register. Like the mismatched sender, this is a red flag: legitimate organizations do not conduct sensitive communication through free webmail accounts, and the mismatch means replies go to a mailbox the sender controls regardless of what the From line shows.

Another detail to read carefully is the ‘Return Path’, list+bncbdf73y7evymbbhmrw7bamgqesym3xyy@organization.com, which again differs from both the sender and the Reply-To. As in Email #1, this is the mailing-list bounce address that Google Groups adds when it relays a message to the list's members [1]; it is not the attacker forging an association with the organization, and the SPF ‘pass’ it produces covers the relay only, not property24.com.

The X-Mailer header claims the message was composed in Microsoft Outlook Express 6, a client that last shipped with Windows XP. This is a red flag, but not because an old client bypasses filters: X-Mailer is a free-form, self-asserted header that any sending tool can set to whatever it likes, and an Outlook Express 6 string is a value commonly emitted by bulk-mailing scripts imitating a desktop client. Seeing it on a message that claims to come from an international organization is a fingerprint of spam tooling, and it is worth correlating across messages (Email #3 carries the same family of value).

Email #3: Investment Partnership

[Image: email-3]

The story: The email recipient is asked to liquidate 20 million dollars in bitcoin value. If they do so, they will get up to 30% of the total sum in cash, and will be able to invest 70% of the sum under the sender’s supervision. There are no upfront fees; only the email recipient’s cooperation is being requested.

Relevant Email Header details:

smtp.mailfrom=test@protagonbiochem.com

Received-SPF: pass (google.com: domain of list+bncbdjo76gt3ahbb4nyrhbqmgqehrhgt2q@organization.com designates X.X.X.X as permitted sender)

spf=none (google.com: test@protagonbiochem.com does not designate permitted sender hosts)

X-Mailer: Microsoft Outlook Express 6.00.2800.1081

Signs:

As with Emails #1 and #2, the offer is simply too good to be true. According to the message, the recipient would receive $6 million in cash from the Bitcoin, with the opportunity to invest the remaining $14 million, all supposedly without any strings attached. This raises a critical question: what does the sender get out of the arrangement? 100% of the money would be handed to the recipient. Legitimate deals benefit both parties; an arrangement in which only one party benefits does not make logical sense. This imbalance reinforces the suspicion that the email is a scam.

Once again, the sender begins with a generic greeting, simply saying “Hello,” without any personalized information to identify the recipient. Although the email claims that the recipient is uniquely qualified to manage the funds, it’s clear from the email header that this message was sent to a broad mailing list. The recipient is not the sole target—many others received the same email, which undermines the legitimacy of the claim.

The sender fabricates a pretext, claiming that funds have been moved out of Gaza to a Swiss financial group and require management. However, the email provides no concrete details about the Swiss company involved or any verifiable connection to a political network in Gaza. The vague narrative is designed to sound plausible, but there is no verifiable substance behind any of the entities it names.

From: test@protagonbiochem.com

The email claims to be associated with a political organization in Gaza, yet it is sent from the domain ‘protagonbiochem.com’, which has no relation to any political group, so there is no reason to believe the sender is who they claim to be. Furthermore, the Authentication-Results line reports spf=none for this domain: protagonbiochem.com publishes no SPF record at all, so receiving servers cannot tell which hosts are allowed to send mail on its behalf. Legitimate organizations publish SPF (alongside DKIM and DMARC) precisely to prevent spoofing of their domain. Note the contrast with the passing Received-SPF line above, which belongs to the mailing-list relay at organization.com and not to the originating domain; the absence of SPF for the real sender is the signal that matters.

Reply-To: johncollins19992006@lawyer.com

The Reply-To address differs from the sender’s address, and its domain deserves a second look. lawyer.com sounds like a professional organization, but it is one of the free vanity domains offered by the mail.com webmail service, so anyone can register an address there; it implies no legal credential or affiliation. The inconsistency between the sender and Reply-To addresses raises further suspicion, as legitimate emails maintain consistent contact information.

Return Path: list+bncbdjo76gt3ahbb4nyrhbqmgqehrhgt2q@organization.com

Similar to Emails #1 and #2, the Return Path is the Google Groups bounce address added when the message was relayed to a mailing list [1]. It indicates that the attacker mailed a list address, not that they forged an association with the organization, and the SPF ‘pass’ attached to it applies to the relay only.

Similar to Email #2, the X-Mailer header claims Microsoft Outlook Express. As noted there, the header is self-asserted and routinely forged by bulk-mailing tools, so it is best read as a fingerprint of spam tooling rather than as an attempt to evade security filters.
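The header checks applied to Emails #1, #2, and #3 (Reply-To versus sender domain, a free webmail Reply-To, the mailing-list Return Path, SPF for the originating domain versus the relay, and the X-Mailer fingerprint) can be scripted. The following Python is an added example and not part of the original investigation: it parses a raw message with the standard library's email package and emits one flag per check. The sample message is constructed from the Email #3 header fragments quoted above; the 192.0.2.x addresses, the ARC-Authentication-Results wording and the control message are assumed, as is the ‘<list>+bnc<tag>’ pattern used to recognise Google Groups bounce addresses.

```python
"""Header triage for a suspected phishing message (added example, not from the writeup)."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Free webmail domains: a Reply-To here is a red flag when the sender claims to
# act for an organization. lawyer.com is offered as a free mail.com domain.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "lawyer.com"}


def address_parts(header_value):
    """Return (local_part, domain), lowercased, for the first address in a header."""
    _, addr = parseaddr(str(header_value or ""))
    local, _, domain = addr.lower().partition("@")
    return local, domain


def spf_verdicts(msg):
    """Map each domain an SPF check was run for to its verdict (pass, none, fail, ...).

    Received-SPF is the verdict for the hop that delivered the message to us (the
    relay); Authentication-Results / ARC-Authentication-Results may carry the
    verdict for the original envelope sender (smtp.mailfrom).
    """
    verdicts = {}
    for value in msg.get_all("Received-SPF", []):
        m = re.match(r"\s*(\w+)\b.*?domain of (\S+)", str(value))
        if m:
            verdicts[m.group(2).rpartition("@")[2].lower()] = m.group(1).lower()
    for name in ("Authentication-Results", "ARC-Authentication-Results"):
        for value in msg.get_all(name, []):
            m = re.search(r"spf=(\w+).*?smtp\.mailfrom=([^\s;]+)", str(value))
            if m:
                verdicts[m.group(2).rpartition("@")[2].lower()] = m.group(1).lower()
    return verdicts


def triage(raw_message):
    """Return a dict of red flags derived from the headers of a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    _, from_domain = address_parts(msg["From"])
    _, reply_domain = address_parts(msg["Reply-To"])
    rp_local, _ = address_parts(msg["Return-Path"])
    verdicts = spf_verdicts(msg)
    mailer = str(msg["X-Mailer"] or "")
    return {
        # Replies go somewhere other than the sending domain.
        "reply_to_domain_differs": bool(reply_domain) and reply_domain != from_domain,
        "reply_to_is_free_webmail": reply_domain in FREE_WEBMAIL,
        # Assumed Google Groups VERP pattern: the message was relayed by a mailing list.
        "return_path_is_list_bounce": re.fullmatch(r"[\w.-]+\+bnc\w+", rp_local) is not None,
        # The originating domain publishes no SPF record at all.
        "origin_has_no_spf": verdicts.get(from_domain) == "none",
        # Some hop passed SPF, but not the originating domain: the pass belongs to a relay.
        "spf_pass_is_relay_only": "pass" in verdicts.values() and verdicts.get(from_domain) != "pass",
        # X-Mailer is self-asserted; this value is a common bulk-mailer fingerprint.
        "x_mailer_outlook_express": mailer.startswith("Microsoft Outlook Express"),
    }


# Constructed sample modelled on the Email #3 headers; IP and ARC wording are assumed.
SAMPLE_EMAIL_3 = """\
Return-Path: <list+bncbdjo76gt3ahbb4nyrhbqmgqehrhgt2q@organization.com>
Received-SPF: pass (google.com: domain of list+bncbdjo76gt3ahbb4nyrhbqmgqehrhgt2q@organization.com designates 192.0.2.10 as permitted sender)
ARC-Authentication-Results: i=1; mx.google.com; spf=none (google.com: test@protagonbiochem.com does not designate permitted sender hosts) smtp.mailfrom=test@protagonbiochem.com
From: test@protagonbiochem.com
Reply-To: johncollins19992006@lawyer.com
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
Subject: Investment Partnership
Content-Type: text/plain; charset="utf-8"

Hello,
"""

# Constructed control message with consistent, authenticated sender details.
SAMPLE_LEGIT = """\
Return-Path: <billing@example.org>
Received-SPF: pass (google.com: domain of billing@example.org designates 192.0.2.20 as permitted sender)
From: Billing <billing@example.org>
Reply-To: billing@example.org
Subject: Your invoice
Content-Type: text/plain; charset="utf-8"

Hello Alice,
"""

if __name__ == "__main__":
    for label, sample in (("email-3", SAMPLE_EMAIL_3), ("control", SAMPLE_LEGIT)):
        flags = triage(sample)
        print(label, [name for name, hit in flags.items() if hit])
```

Each flag is only a signal; the point of separating spf_pass_is_relay_only from origin_has_no_spf is that a passing Received-SPF on a list-relayed message must not be counted in the original sender's favour.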

Email #4: Google Account

[Image: email-4]

The story: The email recipient’s Google Account is being deleted. To avoid deletion, the email recipient must proceed to the given link.

Unlike Emails #1, #2, and #3, this email is a rather good attempt at phishing in terms of first-glance details. The formatting resembles that of a typical Google email about account details. Furthermore, the email specifically references the recipient's account, making it more believable that this is a true concern (I’ve redacted the specific email recipient address from the given image, however I can confirm it is specific to the email recipient). However, there are signs that this is a phishing attack.

Signs:

The email creates an immediate sense of urgency: click the given link, or the account will be permanently deleted. The prompt is designed to instill panic and get the recipient to click before thinking critically. If the recipient takes a breath, the unreasonableness of the message becomes clear. Why would the account suddenly be deleted without prior notification? Account deletions generally come with a grace period during which the account can be restored before permanent removal. These details point to a fake notice intended to make the recipient act without thinking.

The links themselves are the clearest giveaway. Hovering over them shows that they lead to ‘google.net-login.com’. The ‘google’ label is only a subdomain; what matters is the registrable domain, the part immediately before the top-level domain, which here is net-login.com. Whoever owns net-login.com can create any subdomain they like, including ‘google’, so this hostname has no affiliation with Google whatsoever. Clicking it would likely lead to an untrustworthy site, most plausibly a page imitating the Google sign-in form to capture the recipient's credentials.

In order to further determine the maliciousness of this link, I created a Windows virtual machine on Hyper-V. Within this sandbox, I was able to isolate the attack and investigate what would happen were a user to click on it. Fortunately (or unfortunately) for me, when I proceeded to click on the link within the VM, it led to nothing. I examined network metrics alongside Task Manager within the machine as I clicked on the link, however there were no significant differences. No attachments were downloaded. It could be that the malicious site had already been taken care of. However, it was a great learning process to be able to set up a VM and investigate within a sandbox.

[Image: sandbox-4]

The email header confirms the picture. A genuine Google account notice comes from a google.com address (for example no-reply@accounts.google.com), and any Reply-To would likewise sit under google.com. Here the Reply-To is noreply.17289vdr@google.gmail.net-login.com: the ‘google’ and ‘gmail’ labels are subdomains chosen by whoever controls net-login.com, and the registrable domain is once again net-login.com, which is not Google.
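Both the link target google.net-login.com and the Reply-To domain google.gmail.net-login.com come down to the same check: what is the registrable domain, and is it one the recipient trusts? The Python below is an added example, not code from the original writeup; the allowlist, the sample URLs and the short two-label suffix set are assumptions for illustration, and a production check should consult the Public Suffix List (for example through the tldextract package) rather than the hand-picked set.

```python
"""Registrable-domain check for links and addresses (added example, not from the writeup)."""
from urllib.parse import urlparse

# Public suffixes that occupy two labels; the registrable domain sits one label
# above them (example.co.uk, not co.uk). Deliberately incomplete: assumed set.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}

# Domains the recipient would accept an account notice from (assumed allowlist).
TRUSTED_DOMAINS = {"google.com", "youtube.com"}


def registrable_domain(host):
    """Return the part of a hostname that its owner actually registered.

    Everything to the left is a subdomain the owner can name at will, so
    google.net-login.com belongs to whoever registered net-login.com.
    """
    labels = host.lower().rstrip(".").split(".")
    take = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def host_of(target):
    """Extract the host from either a URL or an email address.

    urlparse().hostname discards userinfo, so https://google.com@net-login.com/
    yields net-login.com rather than the decoy google.com before the @.
    """
    if "://" not in target and "@" in target:
        return target.rpartition("@")[2]
    return urlparse(target).hostname or ""


def is_trusted(target):
    """True only when the registrable domain is on the allowlist."""
    return registrable_domain(host_of(target)) in TRUSTED_DOMAINS


def classify(targets):
    """Map each link or address to (registrable domain, trusted?)."""
    return {t: (registrable_domain(host_of(t)), is_trusted(t)) for t in targets}


# Constructed inputs: the two net-login.com names from Email #4 plus look-alikes.
SAMPLE_TARGETS = [
    "https://google.net-login.com/account/recover",
    "noreply.17289vdr@google.gmail.net-login.com",
    "https://accounts.google.com/signin",
    "https://google.com@net-login.com/",
    "https://www.example.co.uk/",
    "https://youtube.com/watch?v=abc",
]

if __name__ == "__main__":
    for target, (domain, trusted) in classify(SAMPLE_TARGETS).items():
        print(f"{'OK  ' if trusted else 'WARN'} {domain:<20} {target}")
```

The userinfo case is included on purpose: a link written as https://google.com@net-login.com/ shows "google.com" first when read casually, but the browser connects to net-login.com, which is exactly what the hostname parse reports.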

Given these details, it is clear that this email is a phishing attempt meant to scare the email recipient into acting fast.

Summary of Analysis

Emails #1, #2, and #3 have a lot in common. They offer deals that are too good to be true, are extremely generic, and contain mismatches in sender details that should raise the recipient's concerns. Email #4 is far more convincing and is harder to spot as phishing. After close examination, however, it is clearly a dangerous email that should not be acted upon.

Next Steps

Once it has been determined that these are phishing attempts, it is important to understand the impact of the attack. It would be important to investigate:

Once we have determined who the impacted employees are, their passwords should be reset immediately and any active sessions revoked, and they should receive additional training on how to spot phishing. It is also best to continue monitoring systems for any other unusual activity.

To keep these emails from reaching end users in the future, a good next step would be to block the originating sender addresses and domains (not the mailing-list Return Path, which belongs to the organization's own list relay), alongside any attachments or links contained within the email. As always, holding training sessions for end users on the latest social engineering techniques helps keep the impact of such an attack low. Simulating a phishing attack would also help identify which end users need the most training.

What I Learned

From this exercise, I learned to identify the common details of phishing attempts, which include:

I learned how to inspect email headers for SPF, DKIM, and DMARC policies, and closely examine the Return Path of each email. I also learned how to use a sandbox to investigate the contents of an email, and assess its maliciousness. It is important to remember the incident response steps when a phishing attack occurs as well.