Sercan Azizoğlu's Personal Website
July 28, 2023

Analysing Potentially Malicious Emails with PhishTool

Posted on July 28, 2023  •  2 minutes  • 256 words  • Other languages:  Türkçe

Disclaimer: This text is provided without any support from PhishTool Ltd. and is intended as a guideline for professionals.

Introduction

PhishTool is a sandbox and community platform for analysing suspicious emails safely: their headers and other metadata, their body, and their attachments.

When we receive a potentially malicious attachment in an email, how can we analyse it? That is the question posed in a TryHackMe learning room.

Information Gathering and Analysis

In this post, I'll focus on uploading a suspicious email to PhishTool, what information we can gather from it, and how that information helps to identify phishing emails.

After registering and opening the Analysis section, we can upload the email to extract its headers, Received lines, X-headers, attachments and so on. There is also an integration option for Microsoft 365 and Google Workspace.

On the first screen we can see the From, To, Cc, timestamp, Reply-To and originating-IP data. The same screen also offers rendered, plaintext, HTML and raw source views of the email, which is useful because a rendered view can hide links and text that are obvious in the HTML or source.

In the Security tab, it provides the results of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) checks: whether the sending server was authorised to send for the claimed domain, whether the message signature verified, and how the domain owner asked receivers to handle failures.

The Attachments tab provides the potentially malicious file's hashes for further analysis. It is also possible to integrate with VirusTotal. A practical habit is to look the hash up first; uploading the file itself to a public service can leak sensitive content and tips off an attacker who is watching for their sample.
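As an added example (not from the original post and not PhishTool's own code), the Python script below performs the same triage on a raw .eml offline with only the standard library: it pulls the From/To/Cc/Date/Reply-To fields and originating IP, lists the Received chain and X-headers, parses the SPF/DKIM/DMARC verdicts out of the Authentication-Results header, flags a Reply-To domain that differs from the From domain, and hashes each attachment so the hash can be looked up instead of the file. The message, all addresses and IPs, and the receiving server name mx.example.org are constructed for the example.

```python
"""Triage a raw .eml: headers, Received chain, X-headers,
SPF/DKIM/DMARC verdicts and attachment hashes (standard library only)."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message for this example (not a real phishing email).
# It has a Reply-To domain that differs from From, an extra hop in the
# Received chain, failed SPF/DKIM/DMARC, and one small text attachment.
RAW_EMAIL = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.example.org with ESMTPS id abc123; Mon, 24 Jul 2023 10:15:02 +0000
Received: from [192.168.1.50] (unknown [198.51.100.77])
\tby mail.example.net with ESMTPA; Mon, 24 Jul 2023 10:14:58 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bank.example.com;
\tdkim=fail header.d=bank.example.com; dmarc=fail header.from=bank.example.com
X-Originating-IP: [198.51.100.77]
X-Mailer: BulkSender 1.0
From: "Bank Support" <support@bank.example.com>
Reply-To: refunds@attacker.example.net
To: victim@example.org
Date: Mon, 24 Jul 2023 10:14:55 +0000
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please open the attached statement.
--XYZ
Content-Type: text/plain; name="statement.txt"
Content-Disposition: attachment; filename="statement.txt"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ--
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage (modern policy)."""
    return email.message_from_bytes(raw, policy=policy.default)


def _value(msg, name):
    """Header value with folding whitespace collapsed, or None if absent."""
    h = msg[name]
    return " ".join(str(h).split()) if h is not None else None


def header_summary(msg) -> dict:
    """The 'first screen' fields: From, To, Cc, timestamp, Reply-To, origin IP."""
    _, from_addr = parseaddr(_value(msg, "From") or "")
    _, reply_addr = parseaddr(_value(msg, "Reply-To") or "")
    origin = IPV4.search(_value(msg, "X-Originating-IP") or "")
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
    return {
        "from": from_addr,
        "to": _value(msg, "To"),
        "cc": _value(msg, "Cc"),
        "date": _value(msg, "Date"),
        "reply_to": reply_addr or None,
        "originating_ip": origin.group(0) if origin else None,
        # A Reply-To on a different domain than From is a classic phishing tell.
        "reply_to_mismatch": bool(reply_addr) and from_domain != reply_domain,
    }


def received_chain(msg) -> list:
    """Received lines top-down (most recent hop first)."""
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def x_headers(msg) -> dict:
    """Non-standard X-* headers; these often fingerprint the sending tool."""
    return {k: " ".join(str(v).split()) for k, v in msg.items()
            if k.lower().startswith("x-")}


def auth_results(msg, trusted_authserv: str) -> dict:
    """SPF/DKIM/DMARC verdicts from Authentication-Results.

    Only the header stamped by our own receiving MTA (the authserv-id before
    the first ';') is trusted: an upstream sender can add a forged one."""
    verdicts = {}
    for h in msg.get_all("Authentication-Results", []):
        text = " ".join(str(h).split())
        if text.split(";", 1)[0].strip().lower() != trusted_authserv.lower():
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def attachment_hashes(msg) -> list:
    """MD5/SHA-1/SHA-256 of each attachment, for hash lookup (e.g. VirusTotal)."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append({"filename": part.get_filename(),
                    "content_type": part.get_content_type(),
                    "size": len(data),
                    "md5": hashlib.md5(data).hexdigest(),
                    "sha1": hashlib.sha1(data).hexdigest(),
                    "sha256": hashlib.sha256(data).hexdigest()})
    return out


def triage(raw: bytes, trusted_authserv: str) -> dict:
    """Everything the analyst wants from the message in one dict."""
    msg = parse_message(raw)
    return {"headers": header_summary(msg), "received": received_chain(msg),
            "x_headers": x_headers(msg), "auth": auth_results(msg, trusted_authserv),
            "attachments": attachment_hashes(msg)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(RAW_EMAIL, "mx.example.org"), indent=2))
```

Two design points worth keeping in mind when reading a tool's output as well: the authentication verdicts are only meaningful when they were stamped by your own receiving server (hence the authserv-id check), and X-Originating-IP is just another header the sender controls, so the Received lines added by servers you trust are the better source for where the message really came from.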

In conclusion, PhishTool is a good analysis tool, even for personal projects, because the free version is already enough to work out whether an email or its attachment is malicious. Did you receive a suspicious email, and would you like to analyse it? Then the platform is worth a try.
