🙌
Writeups
LearningLinkedIn
  • The Great Escape
  • Lookback
  • Outlook NTLM Leak
  • Year of the Fox
  • PS Eclipse
  • Eavesdropper
  • Tony the Tiger
  • Intro to Offensive Security
  • MD2PDF
  • Content Security Policy
  • Agent T
  • Introduction to Flask
  • Atlas
  • Bugged
  • Sigma
  • Intro to Cloud Security
  • Holo
  • CCT2019
  • Opacity
  • Empline
  • Phishing Emails 5
  • BlueTeam
  • Tempest
  • hackerNote
  • Watcher
  • CMesS
  • HA Joker CTF
  • OWASP Top 10 2021
  • Metasploit
  • Oh My WebServer
  • Road
  • Anonymous
  • Ollie
  • Training for New Analyst
  • Tokyo Ghoul
  • Dependency Management
  • KoTH Food CTF
  • Android Malware Analysis
  • Intro To Pwntools
  • AD Certificate Templates
  • CVE 2022 26923
  • Basic Static Analysis
  • Introduction To Honeypots
  • Intro to Pipeline Automation
  • Intro to Containerisation
  • ARP Spoofing
  • Mindgames
  • Brute Force Heroes
  • SQLMAP
  • Insekube
  • TakeOver
  • Boiler CTF
  • GoldenEye
  • Splunk 3
  • Tempus Fugit Durius
  • Warzone 1
  • OWASP API Security Top 10 2
  • Temple
  • AllSignsPoint2Pwnage
  • OWASP API Security Top 10 1
  • Secret Recipe
  • NoNameCTF
  • Binex
  • Jack
  • Tactical Detection
  • Jurassic Park
  • DX1 Liberty Island
  • Brute
  • Biblioteca
  • Napping
  • Kubernetes for Everyone
  • 0day
  • Osiris
  • Set
  • NoSQL injection Basics
  • Warzone 2
  • Atlassian, CVE 2022 26134
  • Jason
  • VulnNet: Roasted
  • VulnNet Internal
  • VulnNet Node
  • Brooklyn Nine Nine
  • Thompson
  • The Cod Caper
  • Neighbour
  • ColddBox Easy
  • Library
  • All in One
  • Poster
  • Gallery
  • Cat Pictures
  • Boogeyman 1
  • Corridor
  • Team
  • Ra 2
  • Advent of Cyber 2022
  • Bookstore
  • Intro to Malware Analysis
  • TheHive Project
  • Velociraptor
  • KAPE
  • Lunizz CTF
  • Linux Forensics
  • DFIR An Introduction
  • Benign
  • Cyborg
  • Year of the rabbit
  • Blaster
  • Easy Peasy
  • Couch
  • Chocolate Factory
  • REmux The Tmux
  • Spring4Shell
  • Dirty Pipe
  • OverlayFS
  • Pwnkit
  • CTF collection Vol.2
  • Gotta Catch'em All!
  • Break Out The Cage
  • Bolt
  • Source
  • AttackerKB
  • Intro to Defensive Security
  • Careers in Cyber
  • OSI Model
  • Packets&Frames
  • Extending Your Network
  • How websites work
  • Putting it all together
  • Operating System Security
  • Network Security
  • Security Operations
  • Network Services
  • Network Services 2
  • Active Directory Basics
  • Attacking Kerberos
  • Subdomain Enumeration
  • Authentication Bypass
  • IDOR
  • File Inclusion
  • Masterminds
  • SSRF
  • Command Injection
  • Cross site Scripting
  • Burp Suite Extender
  • Burp Suite Intruder
  • Surfer
  • Willow
  • Conti
  • Unattended
  • Tardigrade
Powered by GitBook
On this page

Was this helpful?

Phishing Emails 5

PreviousEmplineNextBlueTeam

Last updated 2 years ago

Was this helpful?

Just another day as a SOC Analyst..

A Sales Executive at Greenholt PLC received an email that he didn't expect to receive from a customer. He claims that the customer never uses generic greetings such as "Good day" and didn't expect any amount of money to be transferred to his account. The email also contains an attachment that he never requested. He forwarded the email to the SOC (Security Operations Center) department for further investigation.

Investigate the email sample to determine if it is legitimate.

Tip: Open the EML file with Thunderbird.

Deploy the machine attached to this task; it will be visible in the split-screen view once it is ready.

If you don't see a virtual machine load then click the Show Split View button.

go to show split view / open challenge.eml with Thunderbird email

What is the email's timestamp? (answer format: mm/dd/yyyy hh:mm 06/10/2020 05:58

Who is the email from? Mr. James Jackson

What is his email address? info@mutawamarine.com What email address will receive a reply to this email? info.mutawamarine@mail.com

with thunderbird more view source

X-Originating-IP: [x.x.x.x]
Received: from 10.197.41.148  (EHLO sub.redacted.com) (x.x.x.x)
  by mta4212.mail.bf1.yahoo.com with SMTP; Wed, 10 Jun 2020 05:58:54 +0000
Received: from hwsrv-737338.hostwindsdns.com ([192.119.71.157]:51810 helo=mutawamarine.com)
	by sub.redacted.com with esmtp (Exim 4.80)
	(envelope-from <info@mutawamarine.com>)

What is the Originating IP? The answer is NOT in X-Originating-Ip 192.119.71.157

use https://db-ip.com/
and search 192.119.71.157

Address type	IPv4  
Hostname	client-192-119-71-157.hostwindsdns.com
ASN	54290 - HOSTWINDS
ISP	Hostwinds LLC.
Connection	Hosting

Who is the owner of the Originating IP? (Do not include the "." in your answer.) Perform a WHOIS lookup for the name of the organization Hostwinds LLC

with https://dmarcian.com/spf-survey/

enter domain
mutawamarine.com
survey domain

What is the SPF record for the Return-Path domain? v=spf1 include:spf.protection.outlook.com -all

https://dmarcian.com/dmarc-inspector/
enter domain
mutawamarine.com
survey domain
v=DMARC1; p=quarantine; fo=1

What is the DMARC record for the Return-Path domain? v=DMARC1; p=quarantine; fo=1

What is the name of the attachment? SWT_#09674321____PDF__.cab

What is the SHA256 hash of the file attachment? 2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f

What is the attachments file size? (Don't forget to add "KB" to your answer, NUM KB) Don't go by the Linux file properties. Obtain the file hash and use an Open Source resource to help you with this.

What is the actual file extension of the attachment? rar

[[NIS - Linux Part I]]