(Writeup) LetsDefend Challenge - Phishing Email

Welcome

  • LetsDefend is a Blue Team Training platform.
  • This writeup documents a beginner-level challenge focused on analyzing email files for header tricks and mismatches.

Challenge Overview

Role Targeted: Security Analyst
Skill Level: Beginner

Scenario:

Your email address has been leaked and you receive an email, written in German, that claims to come from PayPal. Analyze the suspicious email.

File location: C:\Users\LetsDefend\Desktop\Files\PhishingChallenge.zip 
Password: infected

This challenge was prepared by @Fuuji.


Investigation Workflow

This challenge simulates a phishing scenario: we are given a suspicious email and must analyze it to answer the following questions:

  1. What is the return path of the email?
  2. What is the domain name of the url in this mail?
  3. Is the domain mentioned in the previous question suspicious?
  4. What is the body SHA-256 of the domain?
  5. Is this email a phishing email?

Thoughts:

“Emails are essentially plain text. So while I could open this in Outlook or Thunderbird, I’m just going to open this in Notepad++ and give it a look. I should be able to answer the questions with that.”


Analysis

  1. “Return-Path” is easy to find in the headers. It records the SMTP envelope sender as seen by the receiving mail server, so it is set independently of the visible From: line and is one of the first places a mismatch shows up.
  2. The URL the question asks about will be in the body rather than the headers.
    • Line 104 of the file: storage.googleapis.com
  3. We can check the domain against the LOTS Project (Living Off Trusted Sites) list to find out.
    • It is listed with the tags “Phishing, Download, Exfiltration, C&C”, so: Yes
  4. The “body SHA-256 of the domain” is an odd way to put it. VirusTotal’s domain report shows a Body SHA-256 for the last HTTP response it fetched from the site; that is the value wanted, not a hash of the domain string.
    • SHA-256: 13945ecc33afee74ac7f72e1d5bb73050894356c4bf63d02a1a53e76830567f5
  5. Given the anomalies above (a PayPal-branded message whose link points at a Google Cloud Storage bucket on the LOTS list):
    • Yes
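The workflow above (read Return-Path, pull the URL out of the body, take its domain, check the domain against a LOTS-style list, decide) scripted in Python, as an added example that is not part of the original writeup or the challenge. The message, the addresses, the bucket URL and the LOTS host set are all constructed for the example; the real challenge file and its answers are not reproduced here.

```python
import email
import email.policy
import email.utils
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample message standing in for the challenge .eml; every header,
# address and URL below is invented for the example.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.example.net>
From: "PayPal" <service@paypal.example>
To: victim@example.org
Subject: Ihr Konto wurde eingeschraenkt
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><p>Bitte best=C3=A4tigen Sie Ihr Konto:</p>
<a href=3D"https://storage.googleapis.com/b1/login.html">Jetzt anmelden</a>
</body></html>
"""

# Constructed stand-in for the LOTS Project list: legitimate services that
# attackers routinely use to host phishing pages and payloads.
LOTS_HOSTS = {"storage.googleapis.com", "drive.google.com", "docs.google.com",
              "www.dropbox.com", "github.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes; policy.default gives decoded header/body access."""
    return email.message_from_bytes(raw, policy=email.policy.default)


def header_domain(msg, name: str):
    """Domain of the first address in a header (e.g. Return-Path, From), or None."""
    value = msg.get(name)
    if not value:
        return None
    addr = email.utils.parseaddr(str(value))[1]
    return addr.rpartition("@")[2].lower() or None


def extract_urls(msg):
    """URLs from every text/* part, after the transfer encoding (QP/base64) is undone."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def body_sha256(body: bytes) -> str:
    """SHA-256 of a fetched HTTP response body, the quantity a sandbox or
    VirusTotal reports as 'Body SHA-256'. It hashes page content, not a domain name."""
    return hashlib.sha256(body).hexdigest()


def analyze(raw: bytes) -> dict:
    msg = parse_message(raw)
    return_path = header_domain(msg, "Return-Path")
    sender = header_domain(msg, "From")
    urls = extract_urls(msg)
    link_domains = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})

    findings = []
    # Return-Path is the SMTP envelope sender recorded by the receiving MTA;
    # a domain different from the visible From: is a classic phishing tell.
    if return_path and sender and return_path != sender:
        findings.append(f"Return-Path domain {return_path} differs from From domain {sender}")
    for d in link_domains:
        if d in LOTS_HOSTS:
            findings.append(f"link host {d} is a trusted site commonly abused for phishing")
        elif sender and d != sender and not d.endswith("." + sender):
            findings.append(f"link host {d} is outside the sender domain {sender}")

    return {
        "return_path": str(msg.get("Return-Path", "")).strip(),
        "return_path_domain": return_path,
        "from_domain": sender,
        "urls": urls,
        "link_domains": link_domains,
        "findings": findings,
        "verdict": "phishing" if findings else "no indicators",
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Two points the script makes explicit: the URL is only visible after the quoted-printable transfer encoding is decoded (in Notepad++ you see `href=3D"https://...`), and the “body SHA-256” is a hash of the page that the link serves, so it has to come from a service that actually fetched the page rather than from anything you can compute from the domain name offline.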

Key Takeaways

“Analyzing email headers is pretty easy. But the key takeaway I see here is the reminder that adversaries utilize trusted websites in various ways! Shout out LOTS-Project!”

Author: Reed Eggleston
B.S. in Cybersecurity | SSCP | CySA+ | PenTest+ | Project+