
Threat Hunting and Detection with Email Logs

Midhun Mohan M G
Agenda
» Why focus on email investigation?
» All you need to know about email systems.
⁻ Email Workflow
⁻ Email Headers
⁻ Email Authentication
⁻ Email Spoofing
» Email Threats - Examples
» Email Investigation

08 March 2021 Email Investigation 2


Why focus on email investigation?
Email is the No. 1 vector for digital threats

• 56% of all emails are spam (ISTR report 2019, Symantec)
• 1 of 412 emails are malicious (ISTR report 2019, Symantec)
• 92% of malware are delivered by email (Breach Investigation report 2018, Verizon)
• 48% of malicious attachments are office docs (ISTR report 2019, Symantec)
• 56% of companies consider targeted phishing as their top security concern (Global Threat Landscape report 2019, CyberArk)
• 83% of organizations have been victim of spear phishing attacks in the last 1 year (State of Phish 2019, Proofpoint)
• 32% of data breaches involved phishing (Data Breach Investigation Report, Verizon)
• Employees in small organizations are more likely to be hit by email threats (ISTR report 2019, Symantec)


Why focus on email investigation?
• Most prevalent mode of communication
• Email can easily be forged
• High hack value of corporate email accounts
• Common email abuse:
• Malware delivery
• Credentials phishing
• Financial fraud
• Intellectual property theft
• Data leak



How Email works on the Internet?
(diagram slide, no text content)


Email Headers
• An email has two parts: the body (the part where your message is visible) and the header.
• An email header contains information related to the transmission process of an email, i.e. the metadata:
  • information about the sender and recipient,
  • the route the email took (one Received line per hop),
  • the authentication results that let the recipient judge the authenticity of the email.
• Headers are the primary evidence in the case of email-related crimes.
• Caveat: only the header lines added by your own (or otherwise trusted) mail servers are reliable. Everything that arrived with the message, including From, Date, Message-ID and the lower Received lines, was written by the sending side and can be forged.


Email Headers
RFC 822 headers (the format is now defined by RFC 5322)
• Received
• From
• To
• Subject
• Date
• Message-ID
• Reply-To
• Return-Path
Common non-standard (X-) headers, added by some mail systems and not defined by the RFC:
• X-Sender
• X-Originating-IP


Received Header
• Record of all mail servers along the transit route: every MTA that handles the message prepends its own Received line, so the newest hop is at the top and the chain is read bottom to top.
• Only the Received lines written by your own servers can be trusted; the lines below them arrived with the message and may have been forged by the sender.
• Comparing the timestamps of consecutive hops shows where a message was delayed and whether the claimed times are even consistent.

Syntax
Received: from sending.mx (IPv4/6) by receiving.mx (IPv4/6) with protocol id; timestamp


Example of a message header for an email sent from Alice@sender.com to Bob@gmail.com (read the Received lines from bottom to top)

Delivered-To: Bob@gmail.com
Received: by 10.56.81.31 with SMTP id e3cs239nzb; Thu, 04 Mar 2021 15:11 -0800 (PST)
Return-Path: Alice@sender.com
Received: from mail.sender.com (mail.sender.com [111.111.11.111]) by mx.gmail.com with SMTP id h19s8t45f32rnb; Thu, 04 Mar 2021 15:11:47 -0800 (PST)
Message-ID: 20050329231145.62086.mail@mail.sender.com
Received: from [11.11.111.111] by mail.sender.com via SMTP; Thu, 04 Mar 2021 15:11:45 PST
Date: Thu, 04 Mar 2021 15:11:45 -0800 (PST)
From: Alice
To: Bob
Subject: Hello
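The following Python example is added here to show how the Received chain of the message above is walked in practice; it is not code from the deck. It parses a constructed copy of the example header (angle brackets restored, seconds added to the first timestamp so every hop parses), lists the hops oldest-first with the delay introduced at each one, and separates the claimed origin IP from the one IP the recipient can actually vouch for. The set of "own hosts" (mx.gmail.com and 10.56.81.31) is an assumption about which servers the investigator controls.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed copy of the header example above (the deck's placeholder IPs and ids are
# kept; seconds were added to the first timestamp so every hop can be parsed).
RAW_HEADERS = """\
Delivered-To: Bob@gmail.com
Received: by 10.56.81.31 with SMTP id e3cs239nzb; Thu, 04 Mar 2021 15:11:47 -0800 (PST)
Return-Path: <Alice@sender.com>
Received: from mail.sender.com (mail.sender.com [111.111.11.111]) by mx.gmail.com with SMTP id h19s8t45f32rnb; Thu, 04 Mar 2021 15:11:47 -0800 (PST)
Message-ID: <20050329231145.62086.mail@mail.sender.com>
Received: from [11.11.111.111] by mail.sender.com via SMTP; Thu, 04 Mar 2021 15:11:45 -0800 (PST)
Date: Thu, 04 Mar 2021 15:11:45 -0800 (PST)
From: Alice <Alice@sender.com>
To: Bob <Bob@gmail.com>
Subject: Hello
"""

# "from <host> (<comment>) by <host> ... ; <date>". The from-clause is optional because
# the hop inside a provider is often written as "Received: by <host>".
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<from>\S+)(?:\s+\((?P<from_info>[^)]*)\))?\s+)?"
    r"by\s+(?P<by>\S+)(?P<rest>.*);\s*(?P<date>[^;]+)$",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Parse one Received header into its from-host, from-IP, by-host and timestamp."""
    value = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.match(value)
    if not m:
        return None
    ip = None
    for field in (m.group("from_info"), m.group("from")):
        found = IP_RE.search(field or "")
        if found:
            ip = found.group(1)
            break
    return {
        "from": m.group("from"),
        "ip": ip,
        "by": m.group("by"),
        "time": parsedate_to_datetime(m.group("date").strip()),
    }


def received_chain(raw_message):
    """Return the hops in transit order (oldest first) with the delay added at each hop."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()  # headers are prepended, so the bottom line is the first hop
    for i, hop in enumerate(hops):
        hop["delay_s"] = int((hop["time"] - hops[i - 1]["time"]).total_seconds()) if i else 0
    return hops


def origin_ip(hops):
    """IP claimed for the first hop; forgeable, because the sender wrote that line."""
    return hops[0]["ip"] if hops else None


def verifiable_hop(hops, own_hosts):
    """First hop recorded by one of our own servers. Its from-IP is the TCP client that
    actually connected to us and is the only IP in the chain the recipient can vouch for."""
    for hop in hops:
        if hop["by"].lower() in own_hosts:
            return hop
    return None


if __name__ == "__main__":
    chain = received_chain(RAW_HEADERS)
    for hop in chain:
        print(f"{hop['time'].isoformat()}  +{hop['delay_s']:>3}s  {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("claimed origin:", origin_ip(chain))
    print("verifiable client IP:", verifiable_hop(chain, {"mx.gmail.com", "10.56.81.31"})["ip"])
```

For this message the chain is 11.11.111.111 -> mail.sender.com -> mx.gmail.com -> 10.56.81.31. The origin 11.11.111.111 is only what mail.sender.com claims; 111.111.11.111 is what mx.gmail.com itself saw connecting, and that is the address to pivot on.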


Email Flow (diagram: alice@outlook.com sends to bob@gmail.com)

1. MUA (alice@outlook.com) submits the message over SMTP to its MTA mx.outlook.com (209.xx.xx.xx).
   SMTP envelope: MAIL FROM alice@outlook.com, RCPT TO bob@gmail.com, then the BODY (headers and content).
   Received: from [10.176.32.53] by mx.outlook.com (209.xx.xx.xx) with SMTP id xxxxxxxxxxx; Thu, 04 Mar 2021 01:43:30 -0800 (PST)
2. mx.outlook.com looks up the MX record for gmail.com on a DNS server and relays the message over SMTP to the MTA mx.gmail.com (198.xx.xx.xx).
   Received: from mx.outlook.com ([209.xx.xx.xx]) by mx.gmail.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384 id xxxxxxxxxxx; 04 Mar 2021 09:43:30 +0000
3. mx.gmail.com hands the message to the MDA mx.mda.gmail.com (10.xx.xx.xx), which stores it in Bob's mailbox.
   Received: from mx.gmail.com (198.xx.xx.xx) by mx.mda.gmail.com (10.xx.xx.xx) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1531.3 via Frontend Transport; Thu, 04 Mar 2021 04:43:32 -0500
4. MRA: Bob's client (bob@gmail.com) retrieves the message over IMAP or POP.

In the delivered message the three Received lines appear in reverse order (newest on top). Note that each server stamps its own local time zone; normalized to UTC the hops are 09:43:30, 09:43:30 and 09:43:32, which is consistent.


Email Authentication
Email authentication is a technical solution to proving that an email is not forged.

SPF (Sender Policy Framework)
▪ SPF record published with DNS records (a TXT record on the sending domain).
▪ Allows senders to define which IP addresses are allowed to send mail for a particular domain.
  v=spf1 ip4:64.34.187.182 ip4:66.70.82.40 ip4:64.27.72.0/24 include:magnetmail.net ~all
▪ The recipient mail server validates SPF against the envelope sender (MAIL FROM) domain, not the header From: that the user sees.
  ⁻ No SPF record published: None (no policy to check)
  ⁻ SPF published but no match, record ends in ~all: SoftFail
  ⁻ SPF published but no match, record ends in -all: Fail (hard fail)

DKIM (DomainKeys Identified Mail)
▪ Uses public and private keys to cryptographically authenticate emails.
▪ The private key of the domain is used to digitally sign every email from that domain (DKIM-Signature header).
▪ The recipient mail server validates the DKIM signature with the domain's public key, published in DNS under the selector (header.s) of the signing domain.

DMARC (Domain-based Message Authentication, Reporting and Conformance)
▪ DMARC also requires a DNS record:
  v=DMARC1; p=none; fo=1; ri=3600; rua=mailto:XXXX@rua.agari.com; ruf=mailto:XXXX@ruf.agari.com
▪ DMARC passes only if SPF or DKIM passes and the domain that passed is aligned with the header From: domain. This is what ties the cryptographic checks to the sender the recipient actually sees.
▪ 'p' defines the action to be taken by the recipient:
  p=none (no action / monitoring)
  p=quarantine
  p=reject
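As an added example (not from the deck), the Python below evaluates the SPF record shown above the way a receiving MTA does, but offline: DNS TXT lookups are replaced by a constructed table. The example.com entry is the slide's record; the records for magnetmail.net and strict.example are assumptions added so that include: and -all can be exercised. The a, mx, ptr and exists mechanisms need live DNS and are deliberately not evaluated.

```python
import ipaddress

# Offline stand-in for the DNS TXT lookups a real SPF check performs (constructed).
# example.com carries the record shown on the slide; magnetmail.net and strict.example
# are assumptions added so that include: and -all can be exercised.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:64.34.187.182 ip4:66.70.82.40 ip4:64.27.72.0/24 include:magnetmail.net ~all",
    "magnetmail.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "strict.example": "v=spf1 ip4:203.0.113.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-consuming terms such as include:


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate domain's SPF record for client_ip.
    Returns none / pass / fail / softfail / neutral / permerror like a real checker would."""
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth >= MAX_LOOKUPS:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            # ip_network() of a bare address is a /32 or /128; version mismatch is a non-match
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include: matches when the referenced domain's own evaluation passes
            if check_spf(argument, client_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, ptr and exists need live DNS and are not evaluated offline
    return "neutral"  # record exhausted without an "all" term


def check_envelope(mail_from, client_ip, records=SPF_RECORDS):
    """SPF is evaluated on the envelope MAIL FROM domain, which need not match the
    header From: the recipient sees; DMARC alignment is what closes that gap."""
    domain = mail_from.rpartition("@")[2]
    return domain, check_spf(domain, client_ip, records)


if __name__ == "__main__":
    for dom, ip in [("example.com", "64.34.187.182"), ("example.com", "64.27.72.200"),
                    ("example.com", "198.51.100.7"), ("example.com", "192.0.2.1"),
                    ("strict.example", "192.0.2.1"), ("nospf.example", "192.0.2.1")]:
        print(f"{dom:16} {ip:15} -> {check_spf(dom, ip)}")
    print(check_envelope("bounces@example.com", "64.34.187.182"))
```

The sixth case is the one that matters for spoofing: a domain with no SPF record at all yields "none", not a failure, so a receiver that only checks SPF will happily accept forged mail for it.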


Example: Authentication-Results header

Authentication-Results: mx.google.com;
       dkim=pass header.i=@icontactmail3.com header.s=default header.b=pEW+GRex;
       spf=pass (google.com: domain of bounces+805093.40360388.410267@icontactmail3.com designates 207.254.213.231 as permitted sender) smtp.mailfrom=bounces+805093.40360388.410267@icontactmail3.com;
       dmarc=fail (p=reject dis=NONE) header.from=gmail.com

Received-SPF: pass (google.com: domain of bounces+805093.40360388.410267@icontactmail3.com designates 207.254.213.231 as permitted sender) client-ip=207.254.213.231;

SPF and DKIM both pass, but both pass for icontactmail3.com, while the header From: domain is gmail.com. Neither authenticated identifier is aligned with the visible sender, so DMARC fails even though every individual check succeeded.
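To make the alignment rule concrete, here is an added Python example (not part of the deck) that parses the Authentication-Results value shown above and applies DMARC identifier alignment to it. The header text is re-typed as a constructed sample; the organizational-domain helper is a simplified two-label approximation, where a production implementation would use the Public Suffix List.

```python
import re

# The Authentication-Results value from the slide, re-typed here as a constructed sample
# (the message ids and the DKIM b= fragment are the ones shown above).
AUTH_RESULTS = (
    "mx.google.com; "
    "dkim=pass header.i=@icontactmail3.com header.s=default header.b=pEW+GRex; "
    "spf=pass (google.com: domain of bounces+805093.40360388.410267@icontactmail3.com designates "
    "207.254.213.231 as permitted sender) smtp.mailfrom=bounces+805093.40360388.410267@icontactmail3.com; "
    "dmarc=fail (p=reject dis=NONE) header.from=gmail.com"
)

COMMENT_RE = re.compile(r"\(([^)]*)\)")


def parse_authentication_results(value):
    """Return (authserv-id, {method: {"result": ..., property: value, ...}}).
    key=value tokens inside comments, such as DMARC's p= and dis=, are kept too."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0]
    results = {}
    for part in parts[1:]:
        comment_tokens = " ".join(COMMENT_RE.findall(part)).split()
        tokens = COMMENT_RE.sub("", part).split()
        method, _, result = tokens[0].partition("=")
        props = {k: v for k, v in (t.split("=", 1) for t in tokens[1:] + comment_tokens if "=" in t)}
        results[method.lower()] = {"result": result.lower(), **props}
    return authserv_id, results


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption; a real
    implementation uses the Public Suffix List so that co.uk-style domains work)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def dmarc_alignment(results, mode="relaxed"):
    """Apply RFC 7489 identifier alignment to parsed results.
    Returns (spf_aligned, dkim_aligned, dmarc_pass): DMARC passes only if an
    identifier that authenticated also aligns with the header From: domain."""
    from_domain = results.get("dmarc", {}).get("header.from", "").lower()

    def aligned(domain):
        if not domain or not from_domain:
            return False
        if mode == "strict":
            return domain.lower() == from_domain
        return org_domain(domain) == org_domain(from_domain)

    spf = results.get("spf", {})
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    spf_aligned = spf.get("result") == "pass" and aligned(spf_domain)

    dkim = results.get("dkim", {})
    dkim_domain = dkim.get("header.d") or dkim.get("header.i", "").rpartition("@")[2]
    dkim_aligned = dkim.get("result") == "pass" and aligned(dkim_domain)

    return spf_aligned, dkim_aligned, spf_aligned or dkim_aligned


if __name__ == "__main__":
    authserv, parsed = parse_authentication_results(AUTH_RESULTS)
    print(authserv, parsed)
    print("aligned (spf, dkim, dmarc):", dmarc_alignment(parsed))
```

When hunting, treat "spf=pass dkim=pass dmarc=fail" as a sender using someone else's domain in From:, which is exactly what a bulk mailer sending on behalf of a customer and a phisher impersonating that customer have in common; the policy in p= tells you what the receiver should have done with it.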


Email Spoofing
• Email spoofing is the creation of emails with a forged sender address.
• Email spoofing is possible because the Simple Mail Transfer Protocol (SMTP) itself does not authenticate the sender: both the envelope sender (MAIL FROM) and the header From: are supplied by the sending client and can be set to anything.
• SPF, DKIM and DMARC are add-ons to SMTP; they only help when the spoofed domain publishes them and the receiving server enforces them.
• The attacker spoofs the email header to mislead the recipient about the sender of the email; the display name alone is often enough, since many clients hide the address.
• Email spoofing is a popular tactic used in phishing and malicious campaigns.
• The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation.
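Since the deck is about hunting with email logs, here is an added Python example (not from the deck) that runs a few spoofing and BEC indicators over constructed gateway log records: our own domain in From: without a DMARC pass, a look-alike domain, a VIP's display name on a foreign address, a Reply-To that diverts replies, and an envelope/header domain mismatch. The protected domain example.com, the VIP list and the log records are all assumptions made up for the example.

```python
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                   # assumption: the protected domain
VIPS = {"jane doe": "jane.doe@example.com"}  # assumption: display name -> real mailbox

# Constructed gateway log records: envelope sender, header From:, Reply-To and the
# gateway's DMARC verdict. No real messages or senders are represented.
MAIL_LOG = [
    {"id": "m1", "mail_from": "jane.doe@example.com", "from": "Jane Doe <jane.doe@example.com>",
     "reply_to": "", "dmarc": "pass", "subject": "Q1 numbers"},
    {"id": "m2", "mail_from": "jdoe.ceo@gmail.com", "from": "Jane Doe <jdoe.ceo@gmail.com>",
     "reply_to": "", "dmarc": "pass", "subject": "Are you at your desk?"},
    {"id": "m3", "mail_from": "bulk@mailer.example.net", "from": "Jane Doe <jane.doe@example.com>",
     "reply_to": "", "dmarc": "fail", "subject": "Urgent wire transfer"},
    {"id": "m4", "mail_from": "it@examp1e.com", "from": "IT Helpdesk <it@examp1e.com>",
     "reply_to": "payments@outlook.com", "dmarc": "pass", "subject": "Password expiry"},
]


def domain_of(address):
    return address.rpartition("@")[2].lower()


def levenshtein(a, b):
    """Edit distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hunt(record):
    """Return the spoofing/BEC indicators that fire for one gateway log record."""
    findings = []
    name, addr = parseaddr(record["from"])
    from_dom = domain_of(addr)
    # 1. Our own domain in the header From: but DMARC did not pass: classic spoof
    if from_dom == OUR_DOMAIN and record["dmarc"] != "pass":
        findings.append("internal-domain-spoof")
    # 2. Domain one or two edits away from ours: look-alike registration
    if from_dom != OUR_DOMAIN and levenshtein(from_dom, OUR_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # 3. A VIP's display name on an address that is not the VIP's mailbox
    legit = VIPS.get(name.strip().lower())
    if legit and addr.lower() != legit:
        findings.append("vip-display-name")
    # 4. Reply-To pointing somewhere other than the From: domain: replies get diverted
    reply_addr = parseaddr(record.get("reply_to", ""))[1]
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-diversion")
    # 5. Envelope sender domain differs from header From: domain. Legitimate for bulk
    #    mailers, so weak on its own, but strong in combination with 1 or 3.
    if domain_of(record["mail_from"]) != from_dom:
        findings.append("envelope-header-mismatch")
    return findings


if __name__ == "__main__":
    for rec in MAIL_LOG:
        print(rec["id"], rec["subject"], "->", hunt(rec) or "clean")
```

Indicator 1 is only usable if the gateway records its DMARC verdict per message, which is one reason the Identification column of the life-cycle table later in the deck starts with gateway scan logs.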


Email Threats

- Spoofed Email
- BEC / Wire Fraud
- Phishing Email
- Malicious Email



Email Threats: Phishing Email
- Phishing is the fraudulent attempt to obtain sensitive information or data.
- A phishing attack uses a disguised email as a weapon.
- Phishing with URL.
- Phishing with attachment.
- Related channels: vishing (voice calls) vs smishing (SMS).


Email Threats: Malicious Email
- Malicious emails are designed to launch an attack on a user's computer.
- Malicious email attachments include code or exploits that cause the computer to download more malware from the internet.
- Malicious email with URL.
- Malicious email with attachment.
- Examples: Emotet, njRAT


Emotet Malware
(diagram slide, no text content)


Email Investigation
Incident Response vs Forensics

Incident Response
• Focus is on finding the root cause and remediation
• Follows the PICERL process:
  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

Forensics
• Focus is on collecting and preserving evidence for litigation
• Quick resolution / remediation is not a priority
• Longer duration of cases


Email Investigation: the questions to answer
• Who sent the email?
  Email address, IP address, contextual clues
• When was it sent?
  Header time and date, mail server time stamp
• Where was it sent from?
  IP address / geolocation, ISP, mail server domain, Message-ID
• Is there relevant content?
  Message body, attachments, URLs, calendar entries
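As an added example (not part of the deck), the Python below answers those four questions for one message: it parses a constructed .eml with the standard library, pulls the who/when/where fields out of the headers, extracts URLs from the body, flags URLs whose host is a bare IP, and hashes every attachment so it can be pivoted into the OSINT tools listed later. The sample message, its documentation-range IPs and its attachment (the base64 of "Hello World", not a real document) are all constructed; the Received chain itself is deliberately left to the separate Received-header analysis.

```python
import hashlib
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample .eml (documentation IPs and domains; the attachment is the
# base64 of "Hello World", not a real document).
RAW_EML = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.5]) by mx.example.com with ESMTP id abc123; Thu, 04 Mar 2021 10:15:02 +0000
X-Originating-IP: [198.51.100.23]
Message-ID: <1234.5678@mailer.example.net>
Date: Thu, 04 Mar 2021 10:14:58 +0000
From: "Accounts" <accounts@mailer.example.net>
Reply-To: accounts-desk@outlook.com
To: bob@example.com
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Please review the invoice at http://invoice-portal.example.net/login?id=4471
or the copy at https://203.0.113.77/inv.php before Friday.
--B1
Content-Type: application/octet-stream; name="invoice_4471.doc"
Content-Disposition: attachment; filename="invoice_4471.doc"
Content-Transfer-Encoding: base64

SGVsbG8gV29ybGQ=
--B1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
IP_HOST_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def triage(raw):
    """Answer the four investigation questions (who, when, where, what content)
    from a raw message, returning the artefacts to pivot on."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    message_id = str(msg["Message-ID"] or "").strip().strip("<>")
    date = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = URL_RE.findall(text)

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()          # bytes for non-text parts, decoded from base64
        if isinstance(data, str):
            data = data.encode("utf-8")
        attachments.append({
            "name": part.get_filename(),
            "type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # lookup key for VirusTotal etc.
        })

    return {
        "who": {"from_name": name, "from_addr": addr,
                "return_path": str(msg["Return-Path"] or "").strip("<> "),
                "reply_to": reply_to,
                "reply_to_differs": bool(reply_to) and reply_to.lower() != addr.lower()},
        "when": {"date_header": date.isoformat() if date else None},
        "where": {"originating_ip": str(msg["X-Originating-IP"] or "").strip("[] "),
                  "message_id": message_id,
                  "message_id_domain": message_id.rpartition("@")[2]},
        "content": {"urls": urls,
                    "ip_urls": [u for u in urls if IP_HOST_RE.match(u)],
                    "attachments": attachments},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(RAW_EML), indent=2))
```

Remember that Date, Message-ID and X-Originating-IP are sender-controlled; the "when" and "where" they give are claims to be checked against the Received line written by your own MX, never facts on their own.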
Incident Response life cycle
• Preparation: Architecture, Contacts, Logs / SIEM, Ticketing system
• Identification: Gateway / cloud email scan logs, Mailbox audit logs, Web traffic logs, Perimeter security logs, Identity and access logs
• Containment: Block email traffic, Block network traffic, Isolate network, Isolate hosts
• Eradication: Purge the malicious messages from mailboxes, Remove backdoors, Reimage systems
• Recovery: Reset credentials, Patch vulnerabilities, Deploy backup
• Lessons Learned: Improve logging, New security tech required, Documentation, Continuity plan


Forensics workflow
• Acquisition: Collection, Validation, Preservation
• Analysis: Identification, Triaging, Interpretation
• Reporting: Documentation, Presentation


OSINT Tools List
• https://mxtoolbox.com/
• https://whois.domaintools.com/
• https://www.ipvoid.com/
• https://www.abuseipdb.com/
• https://www.virustotal.com/
• https://urlscan.io/
• https://visualping.io/
• https://sitereview.bluecoat.com/#/
• https://sitecheck.sucuri.net/
• https://gchq.github.io/CyberChef/
• https://app.any.run/
• https://www.hybrid-analysis.com/
Questions



Midhun Mohan M G

getmg120@gmail.com

https://www.linkedin.com/in/midhunmg

+91 9995393431
