search
ngabalaax

Day 14: Phishing Email Investigation – “LIVELO Points Alert”

hashtag
Challenge Description:

You received an email claiming to be from BANCO DO BRADESCO LIVELO, alerting you that your points are about to expire. The email contains detailed headers and a base64-encoded HTML body.

Your task is to perform a forensic analysis of the email to determine its legitimacy, trace its origin, analyze authentication mechanisms, and assess potential threats. This challenge simulates a real-world scenario where organizations must identify phishing emails targeting their users.

https://github.com/ngabalaax/30-day-socarrow-up-right

hashtag
Challenge Objectives:

  1. Trace the Email Path:

    • Identify all email servers (hops) involved in relaying the email.

    • Determine the originating IP address and its geographical location.

  2. Authentication Analysis:

    • Inspect SPF, DKIM, and DMARC headers.

    • Identify any authentication failures or errors.

    • Explain the meaning of temperror, compauth=fail, and other anomalies.

  3. Email Content Analysis:

    • Decode the base64-encoded HTML body of the email.

    • Identify the main message and any hyperlinks or attachments.

    • Highlight suspicious elements such as fake domains, misleading links, or social engineering tactics.

  4. Threat Assessment & Mitigation:

    • Determine if the email is likely a phishing attempt.

    • Suggest immediate actions to mitigate risk (e.g., report, quarantine).

    • Explain why users should be cautious with similar emails.

  5. Optional Bonus Objective:

    • Identify any potential indicators of compromise (IOCs) that could be used for threat intelligence (e.g., sender IP, domains, URLs).

hashtag
Hints for Participants:

  • Use online tools or local scripts to trace the IP addresses in the Received headers.

  • Pay attention to SPF, DKIM, and DMARC results – even minor errors can indicate spoofing.

  • To decode the base64 email body, you can use tools like:

    • base64 --decode (Linux)

    • Python: import base64; print(base64.b64decode(encoded_body).decode())

  • Inspect the HTML carefully; phishing emails often use legitimate-looking logos or brand names but include fake links.

  • Look at the Return-Path, X-Sender-IP, and X-SID-PRA headers for additional clues.

hashtag
Step-by-Step Walkthrough – Phishing Email Investigation

hashtag
Step 1: Review the Email Headers

  1. Open the email in a client that allows you to view full headers.

  2. Look for the Received headers to trace the email’s route.

  3. Identify the originating IP address (usually in the bottom-most Received header).

  4. Optional: Use an IP geolocation tool to determine the sender’s location.

Tips:

  • Check for multiple Received headers; the order is bottom to top.

  • Note any anomalies like localhost or unusual IP addresses.

hashtag
Step 2: Analyze Email Authentication

  1. Locate the SPF, DKIM, and DMARC results in the headers.

    • SPF: pass / fail / temperror

    • DKIM: pass / fail

    • DMARC: pass / fail

  2. Investigate any failures or errors and what they indicate.

  3. Confirm whether the email was likely sent from a legitimate server.

Example Hints:

  • compauth=fail → Composite authentication failed, likely spoofed.

  • temperror → Temporary issue verifying SPF; might indicate misconfigured domain.

hashtag
Step 3: Decode the Email Body

  1. Locate the base64-encoded part in the email body (Content-Transfer-Encoding: base64).

  2. Decode the base64 content:

    • Linux: base64 --decode encoded_file > decoded.html

hashtag
Step 4: Analyze the Email Content

  1. Look for branding and logos; check if they match official sources.

  2. Inspect links carefully:

    • Hover over them to see the real URL.

    • Check for typos, extra characters, or unrelated domains.

  3. Identify any calls to action such as “Click to redeem points” or “Update your account.”

  4. Note suspicious attachments or scripts embedded in the HTML.

hashtag
Step 5: Assess Phishing Risk

  1. Based on headers and content, determine:

    • Is this a legitimate email or a phishing attempt?

    • Which elements make it suspicious?

  2. Decide appropriate mitigation steps:

    • Report to IT/security team.

    • Quarantine email.

    • Avoid clicking links or downloading attachments.

hashtag
Step 6: Optional – Extract IOCs (Indicators of Compromise)

  1. Collect:

    • Sender IPs

    • Sender domain and reply-to address

    • URLs in email body

    • Hashes of attachments (if any)

  2. Add these to your threat intelligence database for future reference.

hashtag
Step 7: Document Your Findings

  1. Create a summary report including:

    • Email origin and path

    • Authentication results

    • Suspicious content analysis

    • Phishing likelihood and mitigation steps

    • Optional: IOCs

Tip: Clear, organized reporting is critical in real-world investigations.

PreviousPhishing & Email AnalysisNextDay 15 — Advanced Phishing Investigation

Last updated