This short piece talks about email protection with some lab examples and how analyzing inbound email traffic could be helpful in defending an organization.
Analyzing emails
It is not easy to monitor the flow of inbound email traffic for a medium or large organization on an ongoing basis. Emails pass through several layers of protection gateways, but the number of emails that still land in user mailboxes is huge. Suspicious emails can be classified in a number of ways, but the most obvious criterion is severity. Malicious emails generally fall into the category of phishing emails, which also covers the social engineering needed to make them work. On top of all the automation available today, manual controls are always necessary. A very good approach is to enable users to report suspicious emails to the information security team, so that potentially malicious emails get analyzed and action can be taken in case of an incident.
Investigation
The sender does not look malicious, and would have been blocked anyway if it were, but this must always be verified. Usually it is not the sender's domain that gets blocked, because many legitimate email domains are abused for this purpose. Here, for instance, we have an attachment that is best reviewed.
VirusTotal and some other scanners show no threats, so let's open the file in a text editor to check what's inside.
Ok, so there is a suspicious URL in it, which is better scanned as well.
WHOIS records justify our suspicion that this could be malicious, or could be put to malicious use by evil actors, as it is a newly registered domain.
After all our discoveries, it is better to block the domain completely. The Top Level Domain (TLD) could also be blocked, but for the time being this is enough.
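As an added example that is not part of the original post, the manual steps above (pull the URL out of the attachment, look up the domain's registration date, decide whether to block) put into a small Python triage helper; the attachment text, domain names and WHOIS dates are constructed, and the 90-day "newly registered" threshold is an assumption.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample: text of an attachment that scanners rated clean but which
# carries two links (hypothetical domains, not taken from the original post).
ATTACHMENT_TEXT = """Dear colleague,
please review the updated invoice at https://invoice-portal-update.example/login?id=42
Our policy page https://intranet.example/policies explains the new process.
Regards, Accounts"""

# Constructed stand-in for WHOIS lookups: domain -> registration (creation) date.
# A real investigation queries the registrar; these values are made up.
WHOIS_CREATED = {
    "invoice-portal-update.example": date(2024, 5, 20),
    "intranet.example": date(2010, 1, 1),
}
TODAY = date(2024, 6, 1)  # fixed "now" so the example is reproducible

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_urls(text: str) -> list[str]:
    """Pull http(s) URLs out of arbitrary attachment text."""
    return URL_RE.findall(text)

def domain_of(url: str) -> str:
    """Hostname of a URL, lower-cased, with any port stripped."""
    return (urlparse(url).hostname or "").lower()

def is_newly_registered(created: date, today: date, max_age_days: int = 90) -> bool:
    """The WHOIS check from the post: a domain younger than the threshold is a red flag."""
    return (today - created).days < max_age_days

def triage(text: str, whois: dict, today: date) -> dict:
    """Map every linked domain to a verdict the analyst can act on."""
    verdicts = {}
    for url in extract_urls(text):
        dom = domain_of(url)
        created = whois.get(dom)
        if created is None:
            verdicts[dom] = "unknown: no registration date, review manually"
        elif is_newly_registered(created, today):
            verdicts[dom] = "block: registered %d days ago" % (today - created).days
        else:
            verdicts[dom] = "allow: established domain"
    return verdicts

if __name__ == "__main__":
    for dom, verdict in triage(ATTACHMENT_TEXT, WHOIS_CREATED, TODAY).items():
        print(dom, "->", verdict)
```

Domains with no registration date come back as "unknown" rather than "allow", so a failed lookup never silently clears a link.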
Thanks for reading and as always, any feedback is most welcome.