Escolar Documentos
Profissional Documentos
Cultura Documentos
COM/TRIAL-SOFTWARE-VM-1)
CONTACT US (HTTPS://SQRRL.COM/COMPANY/CONTACT-US/)
(/blog/)
(/hunting-email-headers/)
As per the RFC 2822 from IETF, an email message consists of header elds followed by a
message body. The header lines are used to identify particular routing information of the
message, including the sender, recipient, date and subject. Some headers are mandatory
like FROM, TO and DATE. Other header information includes the sending timestamps and
the receiving timestamps of all the mail transfer agents(MTA) that have received and sent
the message.
2. Originator Fields
The originator elds of a message consist of the below elds and indicates the
source of the message.
a) From
This eld speci es the author(s) of the message i.e, the mailbox(es) of the person(s)
or the system(s) responsible for writing the message.
b)Sender
This eld speci es the mailbox of the agent responsible for the actual transmission
of the message. For example, if Person A is sending a mail on behalf of another
Person B, the mailbox of Person A would appear in the Sender: eld and the mailbox
of the actual author would appear in the From: eld.
c)Reply-to
This is an optional eld. If present, it indicates the mailbox(es) to which the author of
the message suggests that replies be sent. In the absence of this eld, replies should
by default be sent to the mailbox(es) speci ed in the From: eld. In many cases,
phishing authors have exploited this eld by having this enabled so that the
recipient/victim of this mail might send the information to a different unintended
mailbox.
5. Informational Fields
These are all optional.
a.Keywords
The keywords: eld contains a comma-separated list of one or more words or
quoted-strings.
b.Subject
This is the most common eld and contains a short string identifying the topic of the
message.
c.Comments
This eld contains any additional comments on the text of the body of the message.
The Subject: and Comments: elds are unstructured.
d. Encrypted
If data encryption is used to increase the privacy of message contents, the
ENCRYPTED eld can be used to indicate the nature of the encryption.
6. Trace Fields
These are a group of header elds which provides trace information and which are
used to provide an audit trail of message handling. In addition, it also indicates a
route back to the sender of the message.
a. Return-Path
This eld is added by the nal transport system that delivers the message to its
recipient. The eld is intended to contain de nitive information about the address
and route back to the messages originator.
b. Received
A copy of this eld is added by each transport service that relays the message. The
information in the eld can be helpful while troubleshooting any network problems as
well as while investigating Phishing and SPAM.
7. Additional Fields
Additionally, there are parameters as below which helps in investigation.
a.VIA
The VIA parameter may be used to indicate what physical mechanism the message
was sent over
b. WITH
The WITH parameter may be used to indicate the mail or connection level protocol
that was used, such as SMTP or X.25 transport protocol.
c. Date and Time Speci cation
The headers will also carry the date, time zone information which would be one of the
key information to investigate.
d.User-Agent
This eld speci es the client software or program used by the source to send the mail
An Email program like MS Outlook is a client application that needs to interact with a mail
server. Typically, there are two servers, one for incoming and the other one for outgoing
email. The client receives email through one of the three below protocols,
Post O ce Protocol (POP)
All incoming mail is stored on a mail server and further distributed into the appropriate
mailbox. POP Users can download all their mail. They can further store or delete them. So,
in case of POP, all incoming emails are stored on a users workstation.
On the other hand, IMAP and MAPI users have the option of leaving their email on the
server, though they can make copies on their own workstation.
All Outgoing mail uses the Simple Mail Transfer Protocol (SMTP). Its objective is to
transfer mail reliably and e ciently. SMTP is the only protocol used to transport mails
across networks, usually referred to as SMTP Mail Relaying.
(https://sqrrl.com/media/Screen-Shot-2017-08-09-at-11.19.44-PM-1.png)
Below are the email headers for one of the Malspam campaigns found to distribute JAFF
ransomware. The ones marked in BOLD are the interesting headers for performing
hunting.
Email headers can be parsed online with the help of below tools,
Mx Toolbox (https://mxtoolbox.com/EmailHeaders.aspx)
However, in some cases due to the con dentiality of the mail and due to organizational
policies, you might be refrained from using these online tools.
Ive made a simple tool emailHeaderParser which can be used o ine mentioned in the
references.
Email still remains the preferred threat vector for most threat actors to deliver malicious
payloads to victims. As per statistics from Securelist (https://securelist.com/statistics/),
Mal Spam has contributed to more than 66% to attacks globally.
Typically, below are the various types of Email abuse that we come across in the cyber
realm.
All the above forms of attack attempts to trick the victims to either open the attachment,
click on the URL or act on the mail which would be devastating at a later stage.
From an investigation perspective, the email headers that we have discussed in the earlier
sections are all helpful to track back to its origin and to immediately respond with
appropriate measures like blocking the source etc. The richer the messaging media, the
more opportunity for the adversaries to camou age malicious content within the rich
content.
However, with all the sophistication on the malicious actor end, it is necessary to
understand what the actual embedded data are, where it is coming from, whether the
source has been spoofed or not, and so on.
The FROM header helps identify the sender of the mail. However, that can be spoofed. So,
most of the time, this may not be a vital data point. However, in widespread campaigns,
the same sender might be used for all the mail sent. To overcome SPAM lters, attackers
have come up with new technique called a Hailstorm attack where every sender is
unique.
The FROM address could be searched across the Internet with the help of Google Dorks
(https://www.exploit-db.com/google-hacking-database/) to see if there is any history for
this and if anyone else has already observed this.
The RECEIVED header is another vital information source which helps to understand
where the mail has traversed (or hopped). Basically, these hops would be mail relays &
servers. With this header, the senders infrastructure and location could be located
through the IP Address that gets captured that helps with attribution. From there, these
IP addresses can be checked against existing blacklists to identify anything malicious.
(https://sqrrl.com/media/Screen-Shot-2017-08-09-at-11.28.32-PM.png)
The REPLY-TO eld is normally lled in with the email address for replying to the
message. This is another sign of the email to be malicious.
The MESSAGE-ID eld provides a nice clue as to the actual origin of the mail. Message-
identi ers are supposed to be unique identi ers and a common technique is to use the
date and time of the message generation as the source of the rst part of the message ID.
This along with the Date eld helps us to identify the country from where the email has
originated. Lastly, the domain information in the message ID helps to identify the actual
domain associated with this email.
Message-ID: <D5342094.84830072@breakawaydistributing.com>
Message-ID: <D5342094.84830072@breakawaydistributing.com>
There are numerous threat intel vendors who offer premium services and maintain the
inventory of these malicious actors. Also, there are a few open source threat intel
(https://www.linkedin.com/pulse/8-great-sites-cyber-threat-intel-ely-kahn) sites which
carry information about malicious email actors. So, its always a good idea to compare
the captured email headers to known IOCs to understand if the email was part of a
targeted attack or just general spamming. With email fraud continuing to rise, new ways
of securing attribution (especially by leveraging email threat intelligence) is highly
recommended in addition to your other security practices.
For example, lets say we have an IOC pertaining to a campaign in the form of email IDs,
source addresses etc. Running this against the email headers in an automated way would
help to see if the organizations infrastructure is impacted as well by the same threat
actor/campaign. However, in case of Snow-Shoe campaigns, the spammers use various
source IP Addresses to dilute reputation metrics and evade lters. Threat Intelligence here
can be of great help!
Below is the list of possible IOCs for lookup on collected email header data.
Originating IP Addresses
Attachment Names
Embedded URLs
Subject Line
Display Name
The most frequently spoofed header from eld is the Display Name, for which there is
currently no authentication mechanism available.
While we cant say for certain that these would help in detection, they are really helpful in
drawing in statistics through big data platforms.
Subject elds can be analyzed by the content they include, such as shipping orders
clubbed with a randomly generated number for every spam mail targeting the
organization to evade the lters.
Below are few indicators which can be automated and can be run against the huge header
data collected.
From: eld
Improper capitalization
Domain names that do not match the supposed seller
Unknown senders
To: eld
Multiple recipients
Unrelated recipients
Attachments:
Subject line:
Also, conducting behavioral analysis on data collected with the above parameters could
help you nd the needle in a haystack. There are different data analysis packages
available in Python, R which could help to nd some interesting patterns. Commercial
Security Analytics solutions also could help with the advanced techniques like Linked-
Data Analysis.
Conclusion
Humans are fallible and it is inevitable that at least one person in your organization is
going to open a malicious email.
However, knowing what to do afterwards is as important as knowing how to avoid danger
in the rst place. As a closing note, below are the various ways in combatting email.
Do not trust that any message that you receive is legitimate, treat it with suspicion
(http://info.sqrrl.com/trial-software-vm-1)
(https://sqrrl.com/latest-sqrrl-2-8-release-arms-threat-hunters-with-powerful-new-tools/)
READ MORE
(https://sqrrl.com/latest-sqrrl-2-8-release-arms-threat-hunters-with-powerful-new-tools/)
Next Post
Subscribe to Blog
Browse by Topic
Email Address
Threat Hunting
SUBSCRIBE
Featured Posts
By Sqrrl Team
(/the-nuts-and-bolts-of-
detecting-dns-tunneling/)
Scoping Attacks By
Resources
Following Attacker
Breadcrumbs
Webinar
By Chris Sanders
(/scoping-attacks-by- Threat Hunting for Data
following-attacker-
breadcrumbs/) Staging and Ex ltration
(http://info.sqrrl.com/hunting-
for-data-staging-and-
ex ltration)
The Hunters Den:
Command and Control eBook
Whitepaper
A Framework for Cyber
Threat Hunting Part 2:
Technical Guide: Nuts and
Advanced Persistent
Bolts of Sqrrls Threat
Defense
Hunting Platform
(http://info.sqrrl.com/sqrrl-
By Sqrrl Team product-paper-0)
(/a-framework-for-cyber-
threat-hunting-part-2-
advanced-persistent-
defense/)
By Chris Sanders
(/threat-hunting-for-
command-line-process-
execution/)
Watch Overview
(https://www.youtube.com/watch?
v=VI_zLBc4KQM&t&width=640&height=480)
SQRRL NEWSLETTER
Twitter Feed
Subscribe to our mailing list
(https://twitter.com/SqrrlData) @ (http://www.twitter.com/) 15 Sep
Find out how attackers stage network data to be stolen-- and
how to detect it: https://t.co/F5FRT6nEBO
(https://t.co/F5FRT6nEBO) https://t.co/cimSsb150T
(https://www.facebook.com/SqrrlData)
(https://t.co/cimSsb150T)
@ (http://www.twitter.com/) 15 Sep
Wondering how to start #threathunting
(https://plus.google.com/116795302724746825954/posts)
(https://twitter.com/search?q=%23threathunting&src=hash)?
This SANS paper lays out the essentials:
https://t.co/WgLu1dNR49 (https://t.co/WgLu1dNR49) #SOC
(https://www.linkedin.com/company/sqrrl) (https://twitter.com/search?q=%23SOC&src=hash)
https://t.co/Hc9QRb6Hbo