Phishing and spam emails are among the most common ways to start a social engineering attack. Phishing and spam messages hit mail servers many times every day. Most email providers keep improving their detection services to stop these messages from reaching customer mailboxes, but some still bypass those checks and land in our inboxes. The last line of defense is the recipient's own ability to recognize an email as spam.
To decide whether an email is a phishing attempt there are several checks and procedures; below we list the top three general ways to detect a malicious email.
The content of an email is one of the most important and easiest ways to judge where it came from. Google, Yahoo, Microsoft and other mail providers constantly analyze message content and look for malicious patterns, but there are always cases where an email passes these checks and ends up in the regular inbox instead of the spam folder. The recipient needs to check the header and the message body to see whether the email is actually relevant to them. The content of most phishing emails is irrelevant to the recipient and you will not feel any connection to it; in that case it is better to move on to the next steps and investigate further. Some phishing emails, however, are customized for a specific target in order to trick that target into following the email's instructions.
If the content does seem relevant, the next item to look at is the email header. Email headers are pieces of information sent alongside the message body that mail servers use to process the email. This information is quite valuable because it can reveal the source of the email; most phishing emails come from a spoofed address. To get the mail header:
• Gmail: Click on “Show original”
• Microsoft Outlook: Click on “View message details”
It is also important to check the spelling of the sender's domain. Attackers often register a domain whose name is very close to the legitimate domain in order to trick recipients. Look at the following example:
The email appears to come from a completely legitimate domain with a reasonable username. However, when you look into the email header you find that the email did not come from the domain shown in the webmail interface:
When you compare the IP address of the actual sender with the domain the email claims to come from, they are two different entities. To check whether an IP is related to a domain, you can use the following websites:
• Abuse IP database: https://www.abuseipdb.com/
• WHOIS lookup: https://who.is/
Email Security Flags
A sending mail server may use some security flags (records) to make the email it sends look as legitimate as possible. There are three main flags that are common among mail servers, and with them you can say with a high degree of certainty whether an email is legitimate or malicious.
1. SPF: This record shows whether the domain the sender claims is actually bound to the sender's IP address. Most malicious emails do not have this record.
2. DKIM: This record is used to sign the email. If it is present, it means the email was signed by the sender and nobody has changed its content.
3. DMARC: This confirms that both of the previous checks passed and, if they did not, tells the receiving mail server what procedure to follow.
Not all three of these need to be present in the email header, but if they are present you can be confident that it is safe to follow the email.
Even with all these security procedures and steps, attackers can still misuse email to carry out social engineering attacks. However, if you follow the steps above, you may avoid falling into their trap.
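As an added example (not part of the original article), the following Python script pulls the headers discussed above out of a raw message and reports the SPF, DKIM and DMARC results recorded by the receiving server, together with whether the visible From domain matches the envelope sender. The sample message, its domains and its IP address are constructed for the example.

```python
"""Added example (not from the article): report SPF/DKIM/DMARC results and sender alignment."""
import email
import re
from email import policy

# Constructed sample message (not a real email). The visible From domain
# differs from the envelope sender, and the receiving server recorded
# SPF, DKIM and DMARC results in the Authentication-Results header.
SAMPLE_EMAIL = """\
Return-Path: <billing@examp1e-bank.com>
Received: from mail.examp1e-bank.com (mail.examp1e-bank.com [198.51.100.23])
Authentication-Results: mx.example.net;
  spf=fail smtp.mailfrom=examp1e-bank.com;
  dkim=none;
  dmarc=fail (p=reject) header.from=example-bank.com
From: "Example Bank" <support@example-bank.com>
Subject: Urgent: verify your account

Please follow the link to verify your account.
"""

def domain_of(address):
    """Return the lowercase domain part of an address header value."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address or "")
    return match.group(1).lower() if match else ""

def auth_results(header_value):
    """Extract the spf, dkim and dmarc result tokens from Authentication-Results."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=(\w+)", header_value or "")
        results[method] = match.group(1).lower() if match else "missing"
    return results

def assess(raw_message):
    """Run the checks the article describes and return them with a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    results = auth_results(msg["Authentication-Results"])
    aligned = from_domain == envelope_domain
    # Any failing or missing check, or a domain mismatch, marks the mail suspicious.
    suspicious = not aligned or any(r != "pass" for r in results.values())
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "aligned": aligned, **results, "suspicious": suspicious}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

A message whose Authentication-Results header is missing entirely is reported with all three results as "missing" and therefore flagged as suspicious.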