Malicious Email Analysis for SOC Analyst

Zakkir
3 min read · Jan 15, 2021

Hello guys, I hope everyone is doing well.

Before getting into malicious email and header analysis, I would like to explain why a SOC analyst needs to know about email analysis.

Why?

Email is a medium that many people use to send information to another individual or to a group of individuals. Attackers use this same medium as a weapon to exploit victims through different strategies.

SOC analysts work to find suspicious activity happening on a customer's network environment, or on their own (if the company is product-based), by analyzing the logs collected from different log sources using multiple tools.

Since I mentioned log analysis, the analyst will also work on Exchange logs. For example, by analyzing the Exchange log, the analyst can find that one of the users is receiving email from a blacklisted domain, or that the return path differs from the sender. The analyst will report it (alerting the user not to take any action on the email) and should ask for the original email to perform further investigation; from here the analyst should know what to do next. Kindly follow the roadmap below for your email analysis.

Roadmap for Suspicious email Analysis

Email Analysis Roadmap

Email Header Analysis

Extract the email headers from the email received from the customer by navigating to File → Properties in Outlook.

How to know whether the email is spoofed or not

Check the email From and the Friendly From in the email header. From these you can find who the actual email sender is and where the email will go if you reply.

Authentication Checks (SPF, DKIM & DMARC) and why to check them

If Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are not properly set for the email domain, the email should be dropped/quarantined. DMARC is a combination of both SPF and DKIM: if either ingredient is not set properly, the email will be dropped/quarantined based on the DMARC policy that has been configured on the sender's side.

If any of these properties is not set properly and the email is still delivered to the end user, there is a misconfiguration on the recipient mail server side.
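As an added example (not part of the original post), the checks from the two sections above can be automated over an exported header block: compare the domain of the From address against Return-Path and Reply-To, and read the SPF/DKIM/DMARC verdicts that the receiving mail server recorded in its Authentication-Results header. The sample headers, the domain names and the helper names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from a real incident): the Friendly From
# claims a bank domain, while Return-Path and Reply-To point elsewhere and
# the receiving MX recorded SPF and DMARC failures.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mail-relay.example; dkim=none; dmarc=fail (p=reject) header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: helpdesk@bank-support.example
To: user@victim.example
Subject: Urgent: verify your account

(body omitted)
"""


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or None."""
    _display_name, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def parse_auth_results(value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or "")}


def analyze_headers(raw):
    """Flag spoofing indicators and failed authentication checks in raw headers."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    findings = []

    # Spoof indicators: the reply or bounce destination differs from the
    # domain shown to the user in the From header.
    for hdr in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(hdr))
        if other and from_domain and other != from_domain:
            findings.append(f"{hdr} domain {other} differs from From domain {from_domain}")

    # Authentication checks: anything other than an explicit "pass" is
    # reported, including a missing verdict (no header at all).
    auth = parse_auth_results(msg.get("Authentication-Results"))
    for check in ("spf", "dkim", "dmarc"):
        verdict = auth.get(check, "missing")
        if verdict != "pass":
            findings.append(f"{check} result is {verdict}")

    return {"from_domain": from_domain, "auth": auth, "findings": findings}


if __name__ == "__main__":
    result = analyze_headers(SAMPLE_HEADERS)
    for line in result["findings"]:
        print("FINDING:", line)
```

A message whose Return-Path and Reply-To match the From domain and whose Authentication-Results shows `spf=pass`, `dkim=pass`, `dmarc=pass` produces an empty findings list; the sample above produces five findings, which is the point at which the analyst asks for the original email and continues down the roadmap.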

Embedded link & email attachment analysis

Use a sandbox environment or a VM environment to check whether any process starts in the background (using Task Manager) after clicking the links or downloading the attachments.

If the user clicked/downloaded email attachments or links

Take the necessary containment steps by blocking the IOCs if any reverse communication is seen over the network. Then perform the eradication steps by removing the payloads and other artifacts before reconnecting to the internet, and reset the user's mailbox password.

Reports

Finally, write the report, which should clearly state how the investigation was performed and the steps taken to stop and eradicate the malicious code.


Zakkir

Security Analyst & Engineer, Threat Researcher, Threat Hunter, Advisory Threat Emulator