# Phishing Emails 5
#### Just another day as a SOC Analyst..
A Sales Executive at Greenholt PLC received an email that he didn't expect to receive from a customer. He claims that the customer never uses generic greetings such as "Good day" and didn't expect any amount of money to be transferred to his account. The email also contains an attachment that he never requested. He forwarded the email to the SOC (Security Operations Center) department for further investigation.
Investigate the email sample to determine if it is legitimate.
Tip: Open the EML file with Thunderbird.
Deploy the machine attached to this task; it will be visible in the split-screen view once it is ready.
If you don't see a virtual machine load then click the Show Split View button.
```
go to show split view / open challenge.eml with Thunderbird email
```
What is the email's timestamp? (answer format: mm/dd/yyyy hh:mm *06/10/2020 05:58*
Who is the email from? *Mr. James Jackson*
What is his email address? ** What email address will receive a reply to this email? **
```
with thunderbird more view source
X-Originating-IP: [x.x.x.x]
Received: from 10.197.41.148 (EHLO sub.redacted.com) (x.x.x.x)
by mta4212.mail.bf1.yahoo.com with SMTP; Wed, 10 Jun 2020 05:58:54 +0000
Received: from hwsrv-737338.hostwindsdns.com ([192.119.71.157]:51810 helo=mutawamarine.com)
by sub.redacted.com with esmtp (Exim 4.80)
(envelope-from )
```
What is the Originating IP? The answer is NOT in X-Originating-Ip *192.119.71.157*
```
use https://db-ip.com/
and search 192.119.71.157
Address type IPv4
Hostname client-192-119-71-157.hostwindsdns.com
ASN 54290 - HOSTWINDS
ISP Hostwinds LLC.
Connection Hosting
```
Who is the owner of the Originating IP? (Do not include the "." in your answer.) Perform a WHOIS lookup for the name of the organization *Hostwinds LLC*
```
with https://dmarcian.com/spf-survey/
enter domain
mutawamarine.com
survey domain
```
What is the SPF record for the Return-Path domain? *v=spf1 include:spf.protection.outlook.com -all*
```
https://dmarcian.com/dmarc-inspector/
enter domain
mutawamarine.com
survey domain
v=DMARC1; p=quarantine; fo=1
```
What is the DMARC record for the Return-Path domain? *v=DMARC1; p=quarantine; fo=1*
What is the name of the attachment? *SWT\_#09674321\_\_\_\_PDF\_\_.cab*
What is the SHA256 hash of the file attachment? *2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f*
What is the attachments file size? (Don't forget to add "KB" to your answer, NUM KB) Don't go by the Linux file properties. Obtain the file hash and use an Open Source resource to help you with this.
What is the actual file extension of the attachment? *rar*
\[\[NIS - Linux Part I]]
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://jesusgavancho.gitbook.io/writeups/phishing-emails-5.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.