BLOG (HTTPS://SQRRL.COM/COMPANY/BLOG/) TEST DRIVE VM (HTTP://INFO.SQRRL.

COM/TRIAL-SOFTWARE-VM-1)

SUPPORT PORTAL (HTTPS://PORTAL.SQRRL.COM) PARTNER PORTAL (HTTP://PARTNERS.SQRRL.COM/)

CONTACT US (HTTPS://SQRRL.COM/COMPANY/CONTACT-US/)

THREAT HUNTING THROUGH EMAIL HEADERS

(/blog/)

(/hunting-email-headers/)

August 22, 2017 by Hem Karlapalem (https://sqrrl.com/threat-hunter-pro le-hem-karlapalem/)

THREAT HUNTING THROUGH EMAIL HEADERS

The art of Threat Hunting can be especially fun when dealing with isolated individual
pieces of puzzle. This article brings out the importance of email header analysis and how
it can help in a hunt trip. Email header analysis is one of the oldest techniques employed
by incident handlers and this article tries to revive this old technique to see how it can be
looked at through the lens of Threat Hunting. Since plenty of threat campaigns using
email as a vector to distribute Malware and spam infrastructure, understanding the
various email headers will help threat hunters to nd missing links.

Overview on Email Headers

Email headers contain information which is used to track an individual email, detailing the
path a message takes as it crosses mail servers. This is especially helpful when
investigating SPAM, MalSPAM and phishing emails. Though there have been tools
developed such as Email Gateways which can catch this, at times it is still necessary for a
hunt team or threat intel team to use email header analysis to track a threat actor,
campaign, or infrastructure.

As per the RFC 2822 from IETF, an email message consists of header elds followed by a
message body. The header lines are used to identify particular routing information of the
message, including the sender, recipient, date and subject. Some headers are mandatory
like FROM, TO and DATE. Other header information includes the sending timestamps and
the receiving timestamps of all the mail transfer agents(MTA) that have received and sent
the message.

Important elds that could be of interest are:

1. Origination date eld

The origination date speci es the date and time at which the creator of the message
indicated that the message was complete and ready to enter the Mail delivery
system. So, this is the time that a user pushes the send or submit button in an
application program

2. Originator Fields
The originator elds of a message consist of the below elds and indicates the
source of the message.
a) From
This eld speci es the author(s) of the message i.e, the mailbox(es) of the person(s)
or the system(s) responsible for writing the message.
b)Sender
This eld speci es the mailbox of the agent responsible for the actual transmission
of the message. For example, if Person A is sending a mail on behalf of another
Person B, the mailbox of Person A would appear in the Sender: eld and the mailbox
of the actual author would appear in the From: eld.
c)Reply-to
This is an optional eld. If present, it indicates the mailbox(es) to which the author of
the message suggests that replies be sent. In the absence of this eld, replies should
by default be sent to the mailbox(es) speci ed in the From: eld. In many cases,
phishing authors have exploited this eld by having this enabled so that the
 recipient/victim of this mail might send the information to a different unintended
mailbox.

3. Destination Address Fields

The destination address elds specify the recipients of the message.
a.ToThis eld contains the address(es) of the primary recipient(s) of the message.
b.Cc
This eld abbreviated as Carbon Copy contains the addresses of others who are to
receive the message, though the content of the message may not be directed at
them.
c.Bcc
This eld abbreviated as Blind Carbon Copy contains addresses of recipients of the
message whose addresses are not to be revealed to other recipients of the message.

4. Identi cation Fields

These are optional as below:
a. Message-ID
Every message should have a Message-ID: eld. The Message-ID: eld contains a
single unique message identi er that refers to a particular version of a particular
message. A message identi er pertains to exactly one instantiation of a particular
message and subsequent revisions to the message each receive new message
identi ers. The generator of the message identi er MUST guarantee that the msg-id
is unique.
b.In-reply-to
The contents of this eld identify previous correspondence which this message has
answered.
c.References
The contents of this eld identify other correspondence which this message
references. Also, one more point to be noted is that all reply messages should have
In-Reply-To: and References: elds.

5. Informational Fields
These are all optional.
a.Keywords
The keywords: eld contains a comma-separated list of one or more words or
quoted-strings.
b.Subject
This is the most common eld and contains a short string identifying the topic of the
message.
c.Comments
 This eld contains any additional comments on the text of the body of the message.
The Subject: and Comments: elds are unstructured.
d. Encrypted
If data encryption is used to increase the privacy of message contents, the
ENCRYPTED eld can be used to indicate the nature of the encryption.

6. Trace Fields
These are a group of header elds which provides trace information and which are
used to provide an audit trail of message handling. In addition, it also indicates a
route back to the sender of the message.
a. Return-Path
This eld is added by the nal transport system that delivers the message to its
recipient. The eld is intended to contain de nitive information about the address
and route back to the messages originator.
b. Received
A copy of this eld is added by each transport service that relays the message. The
information in the eld can be helpful while troubleshooting any network problems as
well as while investigating Phishing and SPAM.

7. Additional Fields
Additionally, there are parameters as below which helps in investigation.
a.VIA
The VIA parameter may be used to indicate what physical mechanism the message
was sent over
b. WITH
The WITH parameter may be used to indicate the mail or connection level protocol
that was used, such as SMTP or X.25 transport protocol.
c. Date and Time Speci cation
The headers will also carry the date, time zone information which would be one of the
key information to investigate.
d.User-Agent
This eld speci es the client software or program used by the source to send the mail

Note: Email headers should always be read from Bottom to Top

Overview of Email Inbound and Outbound

An Email program like MS Outlook is a client application that needs to interact with a mail
server. Typically, there are two servers, one for incoming and the other one for outgoing
email. The client receives email through one of the three below protocols,
 Post O ce Protocol (POP)

Internet Message Access Protocol (IMAP)

Microsoft Mail API (MAPI)

All incoming mail is stored on a mail server and further distributed into the appropriate
mailbox. POP Users can download all their mail. They can further store or delete them. So,
in case of POP, all incoming emails are stored on a users workstation.

On the other hand, IMAP and MAPI users have the option of leaving their email on the
server, though they can make copies on their own workstation.

All Outgoing mail uses the Simple Mail Transfer Protocol (SMTP). Its objective is to
transfer mail reliably and e ciently. SMTP is the only protocol used to transport mails
across networks, usually referred to as SMTP Mail Relaying.

SMPT Basic Structure

(https://sqrrl.com/media/Screen-Shot-2017-08-09-at-11.19.44-PM-1.png)

Sample Email Header and Fields of Interest

Below are the email headers for one of the Malspam campaigns found to distribute JAFF
ransomware. The ones marked in BOLD are the interesting headers for performing
hunting.

Received: from breakawaydistributing.com ()

by creativedude248726@gmail.com;
Tue, 11 Apr 2017 14:12:51 +0000 (UTC)
Message-ID: <D5342094.84830072@breakawaydistributing.com>
Date: Tue, 11 Apr 2017 07:12:24 -0700
Reply-To: USPS International <lrnvaoy1467488@breakawaydistributing.com>
From: USPS Ground <lrnvaoy1467488@breakawaydistributing.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.14)
Gecko/20080421 Thunderbird/2.0.0.14
X-Accept-Language: en-us
MIME-Version: 1.0
To: creativedude248726@gmail.com
Subject: Our USPS courier can not contact you parcel # 754277860
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit

Email headers can be parsed online with the help of below tools,

Mx Toolbox (https://mxtoolbox.com/EmailHeaders.aspx)

Message header analyzer

(https://testconnectivity.microsoft.com/MHA/Pages/mha.aspx)

However, in some cases due to the con dentiality of the mail and due to organizational
policies, you might be refrained from using these online tools.
Ive made a simple tool emailHeaderParser which can be used o ine mentioned in the
references.

Email Abuse Overview

Email still remains the preferred threat vector for most threat actors to deliver malicious
payloads to victims. As per statistics from Securelist (https://securelist.com/statistics/),
Mal Spam has contributed to more than 66% to attacks globally.

Typically, below are the various types of Email abuse that we come across in the cyber
realm.

Mal SPAM Malicious payloads

As Attachments (zip archives, MS O ce documents, PDF etc]

A malicious URL in the body which downloads a payload

 SPAM often clubbed with social engineering techniques and by spoo ng display
names pretending to be from legit brands

Business Email compromise [CEO Attacks, Spear-Phishing] targeting individuals

Emails targeting Individuals or Entities with an intent of Threatening

All the above forms of attack attempts to trick the victims to either open the attachment,
click on the URL or act on the mail which would be devastating at a later stage.

From an investigation perspective, the email headers that we have discussed in the earlier
sections are all helpful to track back to its origin and to immediately respond with
appropriate measures like blocking the source etc. The richer the messaging media, the
more opportunity for the adversaries to camou age malicious content within the rich
content.

However, with all the sophistication on the malicious actor end, it is necessary to
understand what the actual embedded data are, where it is coming from, whether the
source has been spoofed or not, and so on.

Methods for Hunting:

Tracking Back to the Source

The FROM header helps identify the sender of the mail. However, that can be spoofed. So,
most of the time, this may not be a vital data point. However, in widespread campaigns,
the same sender might be used for all the mail sent. To overcome SPAM lters, attackers
have come up with new technique called a Hailstorm attack where every sender is
unique.

The FROM address could be searched across the Internet with the help of Google Dorks
(https://www.exploit-db.com/google-hacking-database/) to see if there is any history for
this and if anyone else has already observed this.

From: "USPS Ground" <lrnvaoy1467488@breakawaydistributing.com>

The RECEIVED header is another vital information source which helps to understand
where the mail has traversed (or hopped). Basically, these hops would be mail relays &
servers. With this header, the senders infrastructure and location could be located
through the IP Address that gets captured that helps with attribution. From there, these
IP addresses can be checked against existing blacklists to identify anything malicious.

(https://sqrrl.com/media/Screen-Shot-2017-08-09-at-11.28.32-PM.png)

The REPLY-TO eld is normally lled in with the email address for replying to the
message. This is another sign of the email to be malicious.

The MESSAGE-ID eld provides a nice clue as to the actual origin of the mail. Message-
identi ers are supposed to be unique identi ers and a common technique is to use the
date and time of the message generation as the source of the rst part of the message ID.
This along with the Date eld helps us to identify the country from where the email has
originated. Lastly, the domain information in the message ID helps to identify the actual
domain associated with this email.

Message-ID: <D5342094.84830072@breakawaydistributing.com>

Leveraging Threat Intelligence

Message-ID: <D5342094.84830072@breakawaydistributing.com>
There are numerous threat intel vendors who offer premium services and maintain the
inventory of these malicious actors. Also, there are a few open source threat intel
(https://www.linkedin.com/pulse/8-great-sites-cyber-threat-intel-ely-kahn) sites which
carry information about malicious email actors. So, its always a good idea to compare
the captured email headers to known IOCs to understand if the email was part of a
targeted attack or just general spamming. With email fraud continuing to rise, new ways
of securing attribution (especially by leveraging email threat intelligence) is highly
recommended in addition to your other security practices.
For example, lets say we have an IOC pertaining to a campaign in the form of email IDs,
source addresses etc. Running this against the email headers in an automated way would
help to see if the organizations infrastructure is impacted as well by the same threat
actor/campaign. However, in case of Snow-Shoe campaigns, the spammers use various
source IP Addresses to dilute reputation metrics and evade lters. Threat Intelligence here
can be of great help!

Below is the list of possible IOCs for lookup on collected email header data.

FROM email addresses

Originating IP Addresses

Attachment Names

Embedded URLs

Subject Line

Display Name

The most frequently spoofed header from eld is the Display Name, for which there is
currently no authentication mechanism available.

While we cant say for certain that these would help in detection, they are really helpful in
drawing in statistics through big data platforms.

Bulk Analysis through Analytics platforms

Subject elds can be analyzed by the content they include, such as shipping orders
clubbed with a randomly generated number for every spam mail targeting the
organization to evade the lters.

Below are few indicators which can be automated and can be run against the huge header
data collected.

From: eld

Misspelled domain names

Misspelled senders name

Improper capitalization
 Domain names that do not match the supposed seller

Gibberish in the email address

Unknown senders

To: eld

Multiple recipients

Unrelated recipients

Odd groupings of recipients

Attachments:

Email attachments you are not expecting to receive

Files which appear to have double extensions (like photo.jpg.exe)

Subject line:

Subjects which convey a sense of urgency

Subjects which try to scare us or tempt us with something illicit

Subject lines which dont match the content of the message

Strange wording, poor grammar, misspellings, and odd capitalization

Emails which appear to be replies to messages we never sent

Also, conducting behavioral analysis on data collected with the above parameters could
help you nd the needle in a haystack. There are different data analysis packages
available in Python, R which could help to nd some interesting patterns. Commercial
Security Analytics solutions also could help with the advanced techniques like Linked-
Data Analysis.

At an organizational level, performing analytics might be time-consuming and expensive.

However the kind of value that it generates through some patterns is in no comparison
with the damages that might arise.

Conclusion

Humans are fallible and it is inevitable that at least one person in your organization is
going to open a malicious email.
However, knowing what to do afterwards is as important as knowing how to avoid danger
in the rst place. As a closing note, below are the various ways in combatting email.

Do not trust that any message that you receive is legitimate, treat it with suspicion

Look at messages for content, misspellings and other anomalies

Do not click on any embedded links

Do not open any attachments

Keep your antivirus software up to date

O ine Header Parsing Tool https://github.com/krlplm/parseemailheader

(https://github.com/krlplm/parseemailheader)

(http://info.sqrrl.com/trial-software-vm-1)
(https://sqrrl.com/latest-sqrrl-2-8-release-arms-threat-hunters-with-powerful-new-tools/)

August 17, 2017 by Sqrrl Team (https://sqrrl.com/author/george/)

ARM YOUR THREAT HUNTERS WITH SELF-SERVICE

ANALYTICS (HTTPS://SQRRL.COM/LATEST-SQRRL-2-
8-RELEASE-ARMS-THREAT-HUNTERS-WITH-
POWERFUL-NEW-TOOLS/)
The new Sqrrl Enterprise 2.8 introduces an enhanced risk framework and powerful new
analytic tools to simplify, accelerate, and amplify threat hunting. The new framework
empowers analysts to create their own custom-built threat hunting analytics (risk
triggers) (https://www.youtube.com/watch?v=JjrymWIxaSs&t) without having to write
any code. The extensible framework also now includes triggers which enrich Sqrrls built-
in analytics by incorporating correlated information from external sources of risk like
SIEM alerts and threat intelligence feeds for every user, IP address, host, and domain
inside the organization.

READ MORE
(https://sqrrl.com/latest-sqrrl-2-8-release-arms-threat-hunters-with-powerful-new-tools/)

Next Post
 Subscribe to Blog
Browse by Topic

Email Address
Threat Hunting
SUBSCRIBE

Featured Posts

The Nuts and Bolts of

Detecting DNS Tunneling

By Sqrrl Team
(/the-nuts-and-bolts-of-
detecting-dns-tunneling/)

Scoping Attacks By
Resources
Following Attacker
Breadcrumbs
Webinar
By Chris Sanders
(/scoping-attacks-by- Threat Hunting for Data
following-attacker-
breadcrumbs/) Staging and Ex ltration
(http://info.sqrrl.com/hunting-
for-data-staging-and-
ex ltration)
The Hunters Den:
Command and Control eBook

By Josh Liburdi Hunt Evil: Your Practical

(/the-hunters-den-
command-and-control/)
(http://info.sqrrl.com/practical-
A Framework for Cyber
Threat Hunting Part 1: The
Pyramid of Pain
By Sqrrl Team
(/a-framework-for-cyber-
Guide to Threat Hunting
guide-to-threat-hunting-
ebook)
Whitepaper
The Who, What, Where,
When, Why and How of
Effective Threat Hunting
(/a-framework-for-cyber- Effective Threat Hunting
threat-hunting-part-1-the-
pyramid-of-pain/) (http://info.sqrrl.com/sqrrl-
sans-hunting-white-paper)

Whitepaper
A Framework for Cyber
Threat Hunting Part 2:
Technical Guide: Nuts and
Advanced Persistent
Bolts of Sqrrls Threat
Defense
Hunting Platform
(http://info.sqrrl.com/sqrrl-
By Sqrrl Team product-paper-0)
(/a-framework-for-cyber-
threat-hunting-part-2-
advanced-persistent-
defense/)

Threat Hunting for

Command Line Process
Execution

By Chris Sanders
(/threat-hunting-for-
command-line-process-
execution/)

Watch Overview

(https://www.youtube.com/watch?
v=VI_zLBc4KQM&t&width=640&height=480)
 SQRRL NEWSLETTER
Twitter Feed
Subscribe to our mailing list
(https://twitter.com/SqrrlData) @ (http://www.twitter.com/) 15 Sep
Find out how attackers stage network data to be stolen-- and
how to detect it: https://t.co/F5FRT6nEBO
(https://t.co/F5FRT6nEBO) https://t.co/cimSsb150T
(https://www.facebook.com/SqrrlData)
(https://t.co/cimSsb150T)
@ (http://www.twitter.com/) 15 Sep
Wondering how to start #threathunting
(https://plus.google.com/116795302724746825954/posts)
(https://twitter.com/search?q=%23threathunting&src=hash)?
This SANS paper lays out the essentials:
https://t.co/WgLu1dNR49 (https://t.co/WgLu1dNR49) #SOC
(https://www.linkedin.com/company/sqrrl) (https://twitter.com/search?q=%23SOC&src=hash)
https://t.co/Hc9QRb6Hbo

FOLLOW US ON TWITTER (https://twitter.com/SqrrlData)

(http://www.youtube.com/user/sqrrldata)

PRODUCT SOLUTIONS PARTNERS SERVICES RESOURCES COMPANY

(/PRODUCT/SQRRL- (/SOLUTIONS/USE- (HTTPS://SQRRL.COM/THE- (/SERVICES/SQRRL- (/RESOURCES/) (/COMPANY/OVERVIEW/)
ENTERPRISE) CASES/) SQRRL-PARTNER- ENTERPRISE- Datasheets Overview
Sqrrl Enterprise Use Cases PROGRAM/) SUPPORT/) (/Resources/#Datasheet)
(Https://Sqrrl.Com/Company/Overvie
(Https://Sqrrl.Com/Product/Sqrrl-
(Https://Sqrrl.Com/Solutions/Use-
Threat Hunting Sqrrl Enterprise EBooks Team
Enterprise/) Cases/) Ecosystem Support (/Resources/#Ebook) (/Company/Team/Management)
Technology Cyber Threat (Https://Sqrrl.Com/The-
(Https://Sqrrl.Com/Services/Sqrrl-
Hunting Sqrrl-Partner- Enterprise-Support/) Quick Reads Advisors
(Https://Sqrrl.Com/Product/Architecture/) Program/) (/Resources/#Quick- (Https://Sqrrl.Com/Company/Team/A
Architecture (Https://Sqrrl.Com/Solutions/Cyber-
Threat-Hunting/) Technology Read) Blog
(Https://Sqrrl.Com/Product/Architecture/) (/Partners/Technology)
Cyber Incident Reports (Http://Blog.Sqrrl.Com)
Security Behavior Investigation Sales (/Resources/#Report) News Room
Graph (Https://Sqrrl.Com/Solutions/Cyber-
(/Partners/Sales)
(Https://Sqrrl.Com/Product/Behavior- Videos (Https://Sqrrl.Com/Company/News/)
Graph/) Incident-Response- (/Resources/#Video) Careers
And-Investigation/)
User And Entity Webinars (Https://Sqrrl.Com/Company/Careers
Behavior Analytics (/Resources/#Webinar)Contact Us
(Https://Sqrrl.Com/Product/User- Whitepapers (Https://Sqrrl.Com/Company/Contac
And-Entity-Behavior- (/Resources/#Whitepaper)
Us/)
Analytics-Ueba/)
Test Drive VM GET A DEMO BLOG (/BLOG/) CONTACT US
(Http://Info.Sqrrl.Com/Trial-
(HTTP://INFO.SQRRL.COM/SQRRL- (HTTPS://SQRRL.COM/COMPANY/CONTACT-
Software-Vm-1) ENTERPRISE- US/)
DEMO-REQUEST)

2017 Sqrrl Data, Inc. All rights reserved.

Contact Us (https://sqrrl.com/company/contact-us/) Careers (https://sqrrl.com/company/careers/)

Privacy Policy (https://sqrrl.com/privacy-policy/) Terms (https://sqrrl.com/terms/)