Last week's Marriott International breach resulted in over 500 million compromised records. These records contained personal and private information of individuals across the globe as well as corporate information. Undoubtedly, those of us whose information was stolen should expect phishing messages designed to steal more information or compromise our computers. So it is important that we all know how to identify a phishing email when it arrives.

The types of phishing emails are as varied as there are fish in the sea. Some are very clearly and easily detected, others are very difficult. Some look like generic advertisements, others are personalized to you from your bank, and still others appear to come from someone trusted in your organization or family. Regardless of the approach used or the quality of the crafted email, phishing emails all share some common characteristics. Let's take a look at a few different phishing emails we pulled from our email filter and learn from them.

Simple, but Targeted Phishing

The above is an attempt at what we call whaling: going after the big fish in the company. Peter Bybee is our CEO and Bill Lyman is our CFO. In this attempt the sender is clearly trying to do the following:

  1. Trick Bill into believing that Peter sent the email.
  2. Count on (or hope for) Bill being busy and replying out of reflex rather than really looking at the email.
  3. Get Bill to reply at all; once he does, the attacker would probably follow up with an email containing a link or attachment, or with instructions to wire money somewhere.

Here are a few things that made this easy for our CFO to identify.

  • The email address does not match the sender's name. In the Outlook inbox you may see only the display name, so the mismatch is hidden (which is why these sometimes work), but opening the email makes it very evident.
  • Bad spelling or grammar.
  • The sender used the name William instead of Bill. People who work as closely together as a CEO and CFO will use the preferred name, not the full name, in most cases.

Standard Targeted Phishing

This one is fairly similar to what you might expect from a Marriott-themed email. It appears to come from a legitimate source, in this case Cintas Corporation, with a professional signature. But this too is a fairly easy phishing email to identify. Just like the previous email, this one has bad grammar and an email address that does not match the sender (clearly, we'd expect the sender's address to be at a Cintas domain). Here are some other clues:

  • The email makes the mistake of simply saying "Hello". The content suggests they had a call earlier that day, so we would expect it to be somewhat informal but at least to mention the recipient's name.
  • Not just bad grammar, but bad English. You would expect a professional from Chicago to write a more professional email.
  • There is an attachment of some sort in the email. It is best practice not to open attachments you were not expecting.
  • The link at the bottom of the signature block is a clear and evident sign of phishing. It is not tied to Cintas Corporation, it uses a foreign top-level domain (.ga, the country code for Gabon), and it simply doesn't match the sender. The sender probably intended to hide this behind an embedded hyperlink rather than leaving it in full view. Hovering over a link before clicking shows the real destination even when it is hidden behind text.

Using the Email Header

If you get an email and you are not sure whether it is phishing, you can always do a bit of analysis on the email header to see the behind-the-scenes information. To find the header in Outlook, open the message and click the small launcher arrow in the corner of the Tags group on the ribbon (or use File > Properties); the Properties dialog that opens has an Internet headers box. It is easiest to simply copy everything in the Internet headers box and paste it into a Notepad++ or Word document and work from there.


Here is the email header:

Received: from *****.securityondemand.com (###.###.###.###) by
 *****.securityondemand.com (###.###.###.###) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id
 15.1.845.34 via Mailbox Transport; Tue, 30 Oct 2018 09:55:30 -0700
Received: from *****.securityondemand.com (###.###.###.###) by
 *****.securityondemand.com (###.###.###.###) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id
 15.1.845.34; Tue, 30 Oct 2018 09:55:29 -0700
Received: from dispatch1-us1.*****-hosted.com (###.###.###.###) by
 *****.securityondemand.com (###.###.###.###) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id
 15.1.845.34 via Frontend Transport; Tue, 30 Oct 2018 09:55:29 -0700
X-Virus-Scanned: *********
Received: from o2.0qt.s2shared.sendgrid.net (o2.0qt.s2shared.sendgrid.net [167.89.106.6])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mx1-us2.***-hosted.com (********) with ESMTPS id 10AC71C007A
        for <******@securityondemand.com>; Tue, 30 Oct 2018 16:55:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.net;
        h=content-type:from:mime-version:reply-to:subject:to; s=smtpapi;
        bh=XfWMs63Jim2OALhkEN4ocNtFwJk=; b=cxX33sflpp69k4/tQADeQZZjcic8n
        htnuE5TdXiJi+0HZukeYtH2b87BnrLKNP7lGUKeCBQJG2/jlaeJCGacjeFbhnA7B
        19DxSrztBJ8nCG1o87Ovwmpuc6WZi3xZheiYY9ZtYsgdaX+PezdD115OKIKiR2+n
        egly8dINs83d04=
Content-Type: multipart/alternative; boundary=efb4f2511f664b430a1466453177b7cdc9d1c8b40c67a811480f3f9f2c72
Date: Tue, 30 Oct 2018 16:55:20 +0000
From: "Matthew Sich" <jjiang@hcvpartner.com>
Mime-Version: 1.0
Reply-to: jjiang@hcvpartner.com
Subject: Aging report – Overdue
To: ******@securityondemand.com
Message-ID: <Hrv9RQEDRJKyegyxTJ2llA@ismtpd0001p1iad1.sendgrid.net>
X-SG-EID: X1tdhtYU2ZS7E2LMWBBh81UIkeOH80Yfvv8/iMcg/wJViv6IaVyDzYtZEj049KonDlC8Pd3SWN7gAw
 3PNj9nto5Cc/ro2kmjnXLZ0a/V5DLEp46Np3VUEvrPEFZLI/OUlCdcj4DgxAwUyLsFVrYwxerFbK7Y
 zXzdVaTQV2evFp7B/UiFp5va/WySyj9cC5a5q2kt8CNR/ui4Z6MpE57QUDuWqJlzvrpS7emgCLy9TW g=
X-SG-ID: Z2FxZazunBjVeNuNdzHDqrF8mxuCpi0krmont6YQrP0CrqP0YG0hwfvHYAkj/d5YxPMGIE9aLM+f7j
 IdnaFKmFhgBLkbwYL/aVFKykx8S5X0z3HGSvYgKeZPxOMWWwvJfwFQZt4b+hiM9nyW/CGEqNKpOa+JxU1P3OXizyaWAYo=
X-MDID: 1540918529-kZTpxyeaZFG5
Return-Path: bounces+8651949-f31a-****=securityondemand.com@sendgrid.net
X-MS-Exchange-Organization-Network-Message-Id: e39dee96-c0bd-4913-82c4-08d63e887faa
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: ****.securityondemand.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.3437809

In the above header, here are the things you will want to look at, plus a few fields to look for that this particular header does not have:

  • The Received lines record the path the email took. Each server that handles the message adds its own Received line at the top, so the header reads from the server closest to you (top) back to the furthest (bottom), and the last Received line is the earliest hop you can see. It often gives you the IP address the email actually arrived from. In this case we are fortunate and have the IP: 167.89.106.6. We know from the hostname in front of it that it belongs to sendgrid.net (not Cintas), and a quick internet and WhoIs search tells us this address is registered in Denver, CO and has been reported for illicit activity in the past. One caveat: SendGrid is a widely used bulk email delivery service, so what this really tells you is that the message was sent through a third-party mail service rather than from Cintas's own mail system; the computer the attacker composed it on is not visible in this chain.
  • The DKIM-Signature (d=sendgrid.net) and the Return-Path (which also ends in @sendgrid.net) point at the same service. A valid DKIM signature only proves that the message passed through sendgrid.net unmodified; it says nothing about hcvpartner.com, and it certainly does not vouch for Cintas. X-MS-Exchange-Organization-AuthAs: Anonymous confirms that our own Exchange server treated this as unauthenticated external mail.
  • Some headers (this one does not) will have an X-Originating-IP or X-Forwarded-For field, which will also give you the IP address the email came from.
  • The "From" line confirms that the display name ("Matthew Sich") and the email address (jjiang@hcvpartner.com) don't match.
  • Sometimes the "Reply-To" field will be populated with a different email address than "From". Legitimate mail does use Reply-To (do-not-reply mailboxes, ticketing systems), but a Reply-To at a different domain than the sender, with no obvious reason, is a strong sign that someone wants your answer to land somewhere other than the mailbox you think you are writing to. Here it matches the From address.
  • Some headers will also have an X-Mailer field, which will tell you what email application was used to craft and send the email. This can identify an obscure application that either is not common in U.S. corporate environments or is mostly used overseas.
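To make the checks in this list repeatable, here is an added Python example (not part of the original post, and not a Security On-Demand tool) that parses raw headers with the standard library's email module and pulls out the indicators discussed above: the Received chain in delivery order, the earliest visible host and IP, display name versus mailbox mismatch, Reply-To and Return-Path alignment with the From domain, the DKIM signing domain, the Exchange AuthAs stamp, and any X-Originating-IP, X-Forwarded-For or X-Mailer field. The embedded header is the one printed above, trimmed to the fields used (one internal hop dropped) with the post's masked values left in place; the name-matching rule is a simple heuristic of my own, not a standard.

```python
import email
import email.utils
import re

# Constructed sample: the header printed in this post, trimmed to the fields the
# checks below use (one internal hop dropped); masked *****/### values kept as-is.
SAMPLE_HEADERS = """\
Received: from *****.securityondemand.com (###.###.###.###) by
 *****.securityondemand.com (###.###.###.###) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id
 15.1.845.34 via Mailbox Transport; Tue, 30 Oct 2018 09:55:30 -0700
Received: from dispatch1-us1.*****-hosted.com (###.###.###.###) by
 *****.securityondemand.com (###.###.###.###) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id
 15.1.845.34 via Frontend Transport; Tue, 30 Oct 2018 09:55:29 -0700
Received: from o2.0qt.s2shared.sendgrid.net (o2.0qt.s2shared.sendgrid.net [167.89.106.6])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by mx1-us2.***-hosted.com (********) with ESMTPS id 10AC71C007A
 for <******@securityondemand.com>; Tue, 30 Oct 2018 16:55:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.net;
 h=content-type:from:mime-version:reply-to:subject:to; s=smtpapi;
 bh=XfWMs63Jim2OALhkEN4ocNtFwJk=; b=cxX33sflpp69k4/tQADeQZZjcic8n
Date: Tue, 30 Oct 2018 16:55:20 +0000
From: "Matthew Sich" <jjiang@hcvpartner.com>
Reply-to: jjiang@hcvpartner.com
Subject: Aging report - Overdue
To: ******@securityondemand.com
Return-Path: bounces+8651949-f31a-****=securityondemand.com@sendgrid.net
X-MS-Exchange-Organization-AuthAs: Anonymous

"""

IPV4 = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")
HOP = re.compile(r"^from\s+(\S+)(.*?)\sby\s+(\S+)", re.S)

def _flat(value):
    """Unfold a header value (continuation lines) onto one line."""
    return re.sub(r"\s+", " ", str(value)).strip()

def addr_domain(value):
    """Domain part of an address-bearing header such as From or Return-Path."""
    _, addr = email.utils.parseaddr(_flat(value))
    addr = addr or _flat(value).strip("<>")
    return addr.rsplit("@", 1)[-1].lower()

def received_chain(msg):
    """Received hops oldest-first: each relay prepends its own line, so the
    header reads newest to oldest and the bottom line is the first visible hop."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = HOP.match(_flat(raw))
        if not m:
            continue  # non-standard Received line: skip rather than guess
        ip = IPV4.search(m.group(2))  # IP sits in the comment after "from host"
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None, "by": m.group(3)})
    return list(reversed(hops))

def name_matches_address(name, addr):
    """Heuristic (my own, not a standard): does any word of the display name
    appear in the mailbox's local part? 'Bill Lyman' vs blyman@ passes."""
    local = addr.split("@", 1)[0].lower()
    words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) > 1]
    return any(w in local for w in words)

def analyze(raw_headers):
    """Return the indicators from the checklist above for one header block."""
    msg = email.message_from_string(raw_headers)
    name, from_addr = email.utils.parseaddr(_flat(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    hops = received_chain(msg)
    dkim = [d.lower() for h in msg.get_all("DKIM-Signature", [])
            for d in re.findall(r"\bd=([^;\s]+)", _flat(h))]
    reply_to, ret_path = msg.get("Reply-To"), msg.get("Return-Path")
    orig = IPV4.search(msg.get("X-Originating-IP") or msg.get("X-Forwarded-For") or "")
    r = {
        "from_name": name, "from_addr": from_addr, "from_domain": from_domain,
        "hops": hops,
        "origin_host": hops[0]["from"] if hops else None,
        "origin_ip": hops[0]["ip"] if hops else None,
        "originating_ip": orig.group(1) if orig else None,
        "dkim_domains": dkim,
        # DKIM vouches only for the d= domain; "aligned" means that is the From domain
        "dkim_aligned": any(from_domain == d or from_domain.endswith("." + d) for d in dkim),
        "return_path_domain": addr_domain(ret_path) if ret_path else None,
        "reply_to_mismatch": bool(reply_to) and addr_domain(reply_to) != from_domain,
        "name_matches_address": name_matches_address(name, from_addr),
        "x_mailer": msg.get("X-Mailer"),
        # Exchange stamps mail from authenticated internal senders as "Internal"
        "authenticated": msg.get("X-MS-Exchange-Organization-AuthAs", "").lower() == "internal",
    }
    checks = [
        (not r["name_matches_address"], "display name does not match the From mailbox"),
        (r["reply_to_mismatch"], "Reply-To points at a different domain than From"),
        (dkim and not r["dkim_aligned"], "DKIM signer (d=) is not the From domain"),
        (r["return_path_domain"] not in (None, from_domain), "Return-Path domain differs from From"),
    ]
    r["findings"] = [text for cond, text in checks if cond]
    return r
```

Paste a header block copied from Outlook into analyze() in place of SAMPLE_HEADERS. For the sample, report["hops"][0] is the sendgrid.net hop with 167.89.106.6, the two internal hops carry no IP because the post masked them, and report["findings"] lists three items: the display name does not match jjiang@hcvpartner.com, the DKIM signer is sendgrid.net rather than the From domain, and the Return-Path is at sendgrid.net as well. Reply-To is not flagged because it equals the From address. None of these findings alone proves phishing (plenty of legitimate newsletters are signed and bounced by a delivery service), which is why the checklist above pairs them with the content clues.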

These are just a few of the tips you can use to identify a phishing email.  In all candor, if you are not an information security professional, you probably do not need to get into the email header. Simply report the email up to your security team.  

Email Best Practices

Phishing emails are common and the ones that I presented herein are not the most sophisticated you will see. Sometimes they are much more difficult to discern.  So I follow a few simple rules that keep me safe from phishing:

  1. Only open emails from sources that I know and/or was expecting.
  2. Do not click links in emails; I manually browse to what was linked if I can.
  3. Do not open attachments unless I was expecting the attachment and am completely confident it is legitimate.
  4. If it smells phishy, it probably is. I trust my gut.

On this last point, this has saved me more than any other tip in this guide. A couple of months ago, I received a well-crafted phishing email that appeared to come from one of our executives. Almost everything about it looked legitimate, but it just did not seem right to me. After taking a closer look at the address that sent it, I found it was just one letter off from the executive's legitimate address. My gut's suspicions were confirmed.

Phishing is the #1 way hackers are finding success and compromising computers and corporate enterprises. The more you can do to familiarize yourself with how to identify phishing emails, the safer you will be. Education and experience do far more to protect you and your organization from phishing than any amount of email security software you can employ.
