Day 15 — Advanced Phishing Investigation

IMPORTANT: Perform all phishing analysis inside a Virtual Machine (VM). Never open suspicious emails on your main OS.

Today you will analyze a real-world phishing email header, focusing on how attackers spoof domains, bypass authentication, and relay messages through legitimate servers.

https://github.com/ngabalaax/30-day-soc/blob/main/day-15.eml

---

📝 Objective

• Understand what abnormal email headers look like

• Detect common phishing traits like spoofing

• Learn to track mail flow through Received-from chains

• Identify SPF / DKIM / DMARC failures

• Recognize signs of compromised sending infrastructure

---

📌 Case Study Email (Phishing Attempt)

Attacker pretends to be Coinbase Support, but actually uses the domain medisept.com.au.

Key suspicious indicators in the header:

1️⃣ Sender Spoofing

From: "support@mail.coinbase.com"
<mssggeauthencti-cbspprt-325937197367@medisept.com.au>

• Display-name says "Coinbase"

• Real sender domain = medisept.com.au 👉 Classic display-name spoofing

---

2️⃣ SPF / DKIM / DMARC Failures

Relevant lines:

spf=none (sender ip is 40.107.215.72)
dkim=none (message not signed)
dmarc=none action=none header.from=medisept.com.au

• SPF = none → Domain does not authorize this sending IP

• DKIM = none → No cryptographic signature

• DMARC = none → The domain does not enforce protection 👉 Attackers love domains with weak/no authentication.

---

3️⃣ Suspicious Routing

Many hops across Microsoft 365 infrastructure:

APC01-SG2-obe.outbound.protection.outlook.com
BN7NAM10FT058.mail.protection.outlook.com
TY0PR0101MB4725.apcprd01.prod.exchangelabs.com

Attackers often send via:

• compromised Microsoft 365 accounts, or

• abused Outlook outbound relays

The presence of multiple Office 365 servers does not mean legitimacy.

---

4️⃣ Encoded and Manipulated Subject Line

=?UTF-8?Q?[A…] Coinfirm_your_info_is_required [Case_ID_153465]

Signs of malicious phishing:

• Words deliberately obfuscated

• Case numbers added to appear official

• “Action required” urgency

---

5️⃣ Return-Path Mismatch

Return-Path: mssggeauthencti-cbspprt-325937197367@medisept.com.au

• Real return path = medisept.com.au

• Not related to Coinbase 👉 Domain mismatch = high-risk phishing

---

6️⃣ MIME Multipart with Boundaries

multipart/mixed; boundary="--_NmP-385f6acdc0e5c863-Part_1"

Phishing emails often:

• Attach HTML files

• Embed malicious scripts

• Include fake login forms mimicking Coinbase Be careful.

---

🔍 Final Threat Assessment

Indicator	Risk Level	Reason
SPF none	High	Email not authorized by domain
DKIM none	High	No signature validation
DMARC none	High	Easy to spoof
Display-name spoof	High	Fake Coinbase sender
Mismatched domain	Critical	medisept.com.au ≠ coinbase.com
Urgent phishing subject	High	Typical social engineering
Multiple Outlook hops	Medium	Signs of compromised mailbox

🔴 Verdict:

Confirmed Phishing Email — Credential Harvesting Attempt

---

🛡️ Day 15 Assignment

Inside your VM ONLY, do the following:

1. Paste the email header into an analyzer:

   • https://mxtoolbox.com/emailheaders.aspx

   • Or your local forensic tools

2. Answer:

   • What domain was spoofed?

   • What authentication failed?

   • What path did the email travel?

   • What is the attacker’s real sender address?

   • Which server injected the malicious email first?

3. Write a 5-line summary of why this is phishing.