Day-16: The Gummies Trap — Investigate a Suspicious OTTO Newsletter Email

📜 Challenge Description

Your SOC receives an alert: A user reported an OTTO® Newsletter promoting KetoXplode Gummies, claiming extreme weight-loss results. The user suspects something is wrong because the email “looks too flashy” and includes a shortened link.

As a SOC Analyst, your task is to:

Analyze the email headers
Identify phishing indicators
Extract threat intelligence
Determine risk level
Provide a final assessment: Is this email legitimate, spam, or malicious phishing?

https://github.com/ngabalaax/30-day-soc/blob/main/day-16.eml

📬 Provided Artifact: Email Header Sample

Reply-To: reply_to@firiri.shop
Return-Path: <return@firiri.shop>
From: OTTO Newsletter - H5mgozx8 <otto-newsletter@newsletter.otto.de>
to: youremail@gmail.com

Received-SPF: Pass (sender IP is 80.96.157.111)
ARC-Authentication-Results: i=1; dmarc=fail header.from=newsletter.otto.de
Received: from [80.96.157.111]
X-MS-Exchange-Organization-SCL: 5

https://t.co/eYVtqVunRC   (short URL)

🎯 Objectives

By completing the challenge, you should be able to:

✔️ Identify forged email headers

✔️ Spot red flags in sender domains

✔️ Understand SPF, DKIM & DMARC results

✔️ Recognize malicious URL patterns

✔️ Decide whether to escalate or block

✔️ Write a mini SOC investigation report

🔍 Tasks

Task 1 — Header Analysis

Analyze the From, Reply-To, and Return-Path fields.
Determine if the email is truly from OTTO or spoofed.

Task 2 — Authentication Check

Interpret SPF / DKIM / DMARC results.
Explain what dmarc=fail means.

Task 3 — URL & Domain Analysis

Investigate:
- firiri.shop
- t.co/eYVtqVunRC
- Source IP: 80.96.157.111
Determine if they are trusted or suspicious.

Task 4 — Content Analysis

Identify red flags in the email body:

Overuse of emojis
Unrealistic weight-loss claims
Urgency (“Vorrat ist aufgebraucht!”)
Brand impersonation

Task 5 — Final Decision

Choose one:

A. Legitimate marketing email
B. Spam
C. Malicious phishing
D. Needs further investigation

Explain your reasoning.

💡 Hints (Optional for Trainees)

Legitimate newsletters never use different Reply-To domains.
DMARC fail = domain misalignment = spoofing.
URL shorteners hide malicious redirects.
SCL score of 5 = likely spam.
.shop domains are often used in scam campaigns.

PreviousDay 15 — Advanced Phishing Investigation NextDay-17: — “The Unusual Sign-In

Last updated 3 months ago

hashtag📜 Challenge Description

hashtag📬 Provided Artifact: Email Header Sample

hashtag🎯 Objectives

hashtag🔍 Tasks

hashtagTask 1 — Header Analysis

hashtagTask 2 — Authentication Check

hashtagTask 3 — URL & Domain Analysis

hashtagTask 4 — Content Analysis

hashtagTask 5 — Final Decision

hashtag💡 Hints (Optional for Trainees)