Email header analysis is a crucial aspect of cybersecurity investigations, allowing professionals to verify the authenticity of email messages, detect phishing attempts, and identify malicious actors. This guide covers the entire process of analyzing email headers and bodies, extracting valuable information, and using various OSINT tools to investigate potential threats.
Step-by-Step Process of Email Analysis
Step 1: Accessing Email Header Data
The first step in email analysis is accessing the raw header data, which contains metadata about the email’s journey from sender to receiver. Here’s how to do it in different email clients:
• Gmail:
1. Open the email and click the three dots (more options) in the top-right corner.
2. Select “Show Original” to view the header data.
3. Copy the entire text.
• Outlook (Web Version):
1. Open the email and click on the three dots next to “Reply” or “Forward.”
2. Select “View message source” and copy the displayed information.
• Apple Mail:
1. Open the email, go to “View” in the top menu, select “Message,” and then “All Headers.”
2. Copy the text.
• Yahoo Mail:
1. Open the email, click on “More,” and select “View Raw Message.”
2. Copy the header information.
Step 2: Analyzing Email Headers with OSINT Tools
After copying the email header, you can use various tools to parse and analyze the data. These tools can help decode the path the email took, identify the sender’s IP address, and detect anomalies. Below are some popular OSINT tools for this purpose:
1. Message Header Analyzer (MHA)
• Website: https://mha.azurewebsites.net/
• Usage: Paste the header into the provided text box and click “Analyze Headers.” MHA will break down each server hop and highlight potential issues, such as suspicious delays or anomalies in server locations.
2. CyberChef
• Website: https://cyberchef.io/
• Usage: Paste the header into CyberChef and use recipes like “Parse Email Headers” to decode the information. CyberChef can also extract URLs from the email body and headers using the “Extract URLs” recipe, making it easier to identify potentially malicious links.
3. Message Header Analysis with Built-in Email Clients
• Tools like Mozilla Thunderbird have built-in capabilities to analyze headers directly, making them useful for users who want an immediate breakdown of header information.
4. Mailheader.org
• Website: https://mailheader.org/
• This tool provides insights into the email’s Message Transfer Agent (MTA), which handles the transfer of emails between servers. It can help identify where delays might have occurred and which MTA may be responsible.
Step 3: Interpreting Information from Email Headers
Email headers contain several key fields that can reveal valuable information about the sender and the route the email took:
1. IP Addresses and Server Locations:
• Use: Look for IP addresses in the “Received” fields, which can reveal the originating server’s location. Use tools like IPinfo.io (https://ipinfo.io/) and Talos Reputation Center (https://talosintelligence.com/reputation) to check the IP’s reputation and geolocation.
• Application: If an email claims to be from a company in the US but the originating IP geolocates to a different country, this could indicate spoofing. Treat geolocation as one signal rather than proof, since legitimate mail is often relayed through third-party mail providers.
2. Authentication Results (SPF, DKIM, DMARC):
• Use: Headers like Received-SPF and Authentication-Results can indicate whether the sender’s domain passed or failed SPF, DKIM, and DMARC checks.
• Application: A failed SPF or DKIM check often suggests that the email could be spoofed, a common tactic in phishing attempts. SPF can also fail legitimately when a message is forwarded, so weigh it together with the DKIM and DMARC results.
3. From, Reply-To, and Return-Path Discrepancies:
• Use: Compare these fields to see if they match. If the “Reply-To” address differs significantly from the “From” address, it may indicate phishing.
• Application: This can reveal attempts to redirect replies to a different email address controlled by a malicious actor.
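The three checks above (Received hops and their IPs, SPF/DKIM/DMARC results, and From/Reply-To/Return-Path discrepancies) can be scripted in a few lines with Python's standard library. This is an added example, not part of the original guide; the header block is constructed for illustration and uses documentation-reserved domains and IP addresses.

```python
import re
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample header block (not a real message); example domains/IPs only.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [198.51.100.7])
    by inbox.example.com with ESMTPS; Tue, 1 Oct 2024 10:00:05 +0000
Received: from relay.example.net (unknown [203.0.113.45])
    by mx.example.org with ESMTP; Tue, 1 Oct 2024 09:59:58 +0000
Authentication-Results: inbox.example.com;
    spf=fail smtp.mailfrom=mailer.example.net;
    dkim=none; dmarc=fail header.from=bank.example.com
From: "Example Bank" <alerts@bank.example.com>
Reply-To: support@bank-verify.example.net
To: victim@example.com
Subject: Action required
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # bracketed IPs in Received
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)  # mechanism=result pairs


def _domain(msg, field):
    # Lower-cased domain part of an address header, or None if absent.
    addr = parseaddr(msg.get(field, ""))[1]
    return addr.rpartition("@")[2].lower() or None


def analyze_headers(raw):
    msg = Parser().parsestr(raw, headersonly=True)
    # Each MTA prepends its own Received line, so the bottom one is the first hop;
    # reverse to list hops in sender-to-recipient order.
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        ips = IP_RE.findall(hdr)
        hops.append(ips[0] if ips else None)
    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(hdr):
            auth[mech.lower()] = result.lower()
    domains = {f: _domain(msg, f) for f in ("From", "Reply-To", "Return-Path")}
    findings = []
    failed = sorted(k for k, v in auth.items() if v == "fail")
    if failed:
        findings.append("authentication failed: " + ", ".join(f"{k}=fail" for k in failed))
    for field in ("Reply-To", "Return-Path"):
        if domains[field] and domains[field] != domains["From"]:
            findings.append(f"{field} domain {domains[field]} differs from From domain {domains['From']}")
    return {"hops": hops, "auth": auth, "domains": domains, "findings": findings}
```

Feed the output of "Show Original" (or the equivalent) in as `raw`; the first entry in `hops` is the IP to look up in IPinfo.io or Talos.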
Step 4: Extracting and Analyzing URLs from the Email Body
The body of an email can contain embedded links or hidden URLs that may lead to phishing websites or malware downloads. Here’s how to extract and analyze them safely:
1. Extracting URLs:
• Tools:
• URL Extractor: https://www.convertcsv.com/url-extractor.htm allows users to paste the email body and extract URLs.
• CyberChef: Use the “Extract URLs” recipe to automatically parse out all URLs in the body.
• Application: Extracting URLs helps you identify hidden links that exist in the HTML source but are not visible in the rendered message, such as an anchor whose displayed text differs from its actual href, or tracking images loaded without a click.
2. Analyzing URLs and Domains:
• Tools for URL and Domain Reputation:
• URLScan.io: https://urlscan.io/ allows you to analyze URLs safely by providing screenshots and a detailed report of a website’s content without visiting it directly.
• Talos Reputation Center: Useful for checking the safety and history of a URL or domain.
• Safe Viewing: Use archive services like Archive.org or tools like Wannabrowser to view the content of a URL without risking exposure to malicious code.
• Application: Investigate the reputation and past behavior of a URL’s root domain to determine if it is associated with phishing campaigns or known malware.
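URL extraction from an HTML body, with the displayed-text-versus-href check that CyberChef's "Extract URLs" recipe does not do for you, can be done with Python's built-in HTML parser. This is an added example, not part of the original guide; the body below is constructed and the root-domain helper is a deliberate simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style HTML body (not a real message); example domains only.
SAMPLE_BODY = """<html><body>
<p>Your account needs verification. Sign in at
<a href="http://login.bank-verify.example.net/auth">https://www.bank.example.com/login</a>
within 24 hours.</p>
<p>Questions? Visit https://www.bank.example.com/help or
<a href="https://www.bank.example.com/contact">contact us</a>.</p>
<img src="http://203.0.113.45/track.gif?id=42" width="1" height="1"></body></html>"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkExtractor(HTMLParser):
    # Collects (href, visible text) for each <a>, plus every src= resource.
    def __init__(self):
        super().__init__()
        self.links, self.resources = [], []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif a.get("src"):  # images/scripts are fetched without any click
            self.resources.append(a["src"])
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def root_domain(url):
    # Approximation: last two host labels. Real work needs a public-suffix list (co.uk etc.).
    host = urlparse(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def extract_urls(html):
    p = LinkExtractor(); p.feed(html)
    links = []
    for href, text in p.links:
        shown = URL_RE.search(text)  # does the anchor text itself look like a URL?
        mismatch = bool(shown) and root_domain(shown.group()) != root_domain(href)
        links.append({"href": href, "text": text, "mismatch": mismatch})
    bare = URL_RE.findall(re.sub(r"<[^>]+>", " ", html))  # URLs written in plain text
    return {"links": links, "resources": p.resources, "bare_urls": bare}
```

Every href, src and bare URL returned is a candidate for URLScan.io or Talos; a link flagged `mismatch` is the classic "looks like the bank, goes elsewhere" phishing pattern.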
Step 5: Cross-Referencing IPs, Domains, and Hashes
For a thorough investigation, cross-reference extracted IP addresses, URLs, and file hashes against known threat intelligence databases:
• Talos Reputation Center: Provides data on the reputation and historical behavior of IP addresses and domains.
• URLScan.io: Use this for a detailed analysis of URLs and domains, including their SSL certificates, external resources they load, and other behavioral characteristics.
• IPinfo.io: Offers geolocation data for IPs, useful for verifying the sender’s location.
Summary of Tools and Their Uses
1. Message Header Analyzer (MHA)
• Purpose: Analyze email headers, identify delivery paths, delays, and anomalies.
• Website: https://mha.azurewebsites.net/
2. CyberChef
• Purpose: Extract URLs, decode Base64, analyze headers.
• Website: https://cyberchef.io/
3. Talos Reputation Center
• Purpose: Check IP and domain reputations.
• Website: https://talosintelligence.com/reputation
4. URLScan.io
• Purpose: Analyze URLs safely, view screenshots, and website behaviors.
• Website: https://urlscan.io/
5. IPinfo.io
• Purpose: Geolocation and reputation analysis of IP addresses.
• Website: https://ipinfo.io/
6. URL Extractor
• Purpose: Extract URLs from raw email data.
• Website: https://www.convertcsv.com/url-extractor.htm
Conclusion
By following these steps and using the right tools, you can effectively analyze email headers and body content to trace the origin of an email, identify potentially malicious URLs, and verify the sender’s authenticity. These OSINT methods are essential for investigating phishing attempts, tracking down the source of spam, and ensuring email security. Armed with this knowledge, you can make more informed decisions about handling suspicious emails and protecting your organization from cyber threats.
Excellent reference. Bookmarked for future use!