
How to scan email headers for phishing and malicious content

Introduction

Phishing emails are one of the most common attack vectors used by cybercriminals. They can be used to deliver a malicious payload or to steal credentials from the target.

Spearphishing emails are designed to be more specifically targeted and more believable to their intended victims. By crafting a pretext that is extremely personal to their target, a phisher increases their probability of success. Spearphishing attacks can be extremely effective, and 65% of cybercrime groups use them as their primary infection vector when attacking an organization.

However, a phishing email must be plausible to work. If the email looks phony, no one will click the malicious link or download and open the attachment.

Part of crafting a phishing email is getting the tone of the pretext right. When masquerading as a well-known institution, like PayPal or Apple, it is important to get the tone of voice and stylistic details correct.

The other part of a successful spearphishing attack is making the email look like it came from a trusted person. This is where spoofed email headers come in.

Inside email headers

When you look at an email in Outlook, Gmail, or the email client of your choice, you probably only see a fraction of the data that the email contains.

In Gmail, most emails look similar to the screenshot shown above. The default view shows only the subject line, date, sending address and message body.

By clicking the down arrow next to the word "to," you can see additional details about how the message was sent.

Looking at this, the lack of an email address in the To: field is suspicious, since it probably indicates a mass-mailer. However, this is not all of the information available. In Gmail, clicking the More menu (three dots)
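The checks described above can be automated against the raw message source rather than read off a screenshot. The following is an added example, not code from the original post or from Infosec Resources: it parses a raw RFC 822 message with Python's standard `email` library, flags the empty To: field the text calls out as a mass-mailer indicator, and (as an additional check the excerpt does not mention) compares the From domain with the Return-Path domain, since a mismatch is a common sign of a spoofed sender. It also walks the Received headers to list the hops the message claims to have passed through. The two raw messages are constructed samples using reserved example domains; the indicator names are my own.

```python
"""Added example: extract phishing indicators from raw email headers.

Not part of the original post. Uses only the Python standard library.
"""
import re
from email import message_from_bytes
from email.utils import parseaddr

# Loose mailbox pattern used only to ask "is there any address here at all?"
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample 1: empty To: (group syntax with no mailboxes) and a
# Return-Path whose domain differs from the From domain.
SUSPICIOUS_RAW = b"""Return-Path: <bounce@example.org>
Received: from mail.example.org (mail.example.org [203.0.113.10])
        by mx.example.com with ESMTP id sample-id-1
        for <victim@example.com>; Mon, 01 Jan 2024 10:00:00 +0000
From: "Account Support" <alerts@example.net>
To: undisclosed-recipients:;
Subject: Action required on your account
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <sample-1@example.org>
Content-Type: text/plain; charset=us-ascii

Please verify your account.
"""

# Constructed sample 2: an ordinary message with a named recipient and a
# consistent sender domain, used to show that clean mail raises nothing.
CLEAN_RAW = b"""Return-Path: <bounce@example.net>
Received: from mail.example.net (mail.example.net [203.0.113.20])
        by mx.example.com with ESMTP id sample-id-2
        for <victim@example.com>; Mon, 01 Jan 2024 11:00:00 +0000
From: "Account Support" <alerts@example.net>
To: Jane Doe <victim@example.com>
Subject: Your monthly statement
Date: Mon, 01 Jan 2024 11:00:00 +0000
Message-ID: <sample-2@example.net>
Content-Type: text/plain; charset=us-ascii

Your statement is attached.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the first mailbox in a header, or ''."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def recipient_addresses(msg):
    """All mailbox addresses found in the To: header (empty list if none)."""
    return ADDR_RE.findall(msg.get("To") or "")


def received_hops(msg):
    """Hostnames named in 'from ...' clauses of Received headers, top-down.

    Received headers are prepended by each relay, so the first entry is the
    last hop before delivery and the last entry is the closest to the sender.
    """
    hops = []
    for value in msg.get_all("Received", []):
        match = re.match(r"\s*from\s+(\S+)", value)
        if match:
            hops.append(match.group(1))
    return hops


def find_indicators(raw):
    """Return a list of indicator names found in the raw message bytes."""
    msg = message_from_bytes(raw)
    indicators = []

    # No recipient address visible: the text flags this as a likely mass-mailer.
    if not recipient_addresses(msg):
        indicators.append("to-field-empty")

    # Additional check (assumption, not from the post): the envelope sender
    # recorded in Return-Path should normally share the From domain.
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    if from_domain and return_path_domain and from_domain != return_path_domain:
        indicators.append("return-path-mismatch")

    return indicators


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("clean", CLEAN_RAW)):
        parsed = message_from_bytes(raw)
        print(label, find_indicators(raw), received_hops(parsed))
```

Run it on a saved `.eml` file by replacing the constructed byte strings with the file's contents; the indicators are starting points for an analyst, not a verdict, since legitimate bulk mail and mailing lists also produce empty To: fields and third-party bounce domains.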

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/oyDwbixzmE0/