### 008 Mastering Email Analysis
What is Email Analysis?
Email analysis is the process of extracting the email header information to expose the email file details. The email header contains the technical details of the email like sender, recipient, path, return address and attachments. Usually, these details are enough to determine if there is something suspicious/abnormal in the email and decide on further actions on the email, like filtering/quarantining or delivering. This process can be done manually and with the help of tools.
There are two main concerns in email analysis.
- Security issues: Identifying suspicious/abnormal/malicious patterns in emails.
- Performance issues: Identifying delivery and delay issues in emails.
For now, we will focus on the security side of email analysis, i.e. phishing. Before starting the hands-on email analysis, you will need to be familiar with the terms “social engineering” and “phishing”.
- Social engineering: Social engineering is the psychological manipulation of people into performing or divulging information by exploiting weaknesses in human nature. These “weaknesses” can be curiosity, jealousy, greed, kindness, and willingness to help someone.
- Phishing: Phishing is a sub-section of social engineering delivered through email to trick someone into either revealing personal information and credentials or executing malicious code on their computer.
Phishing emails will usually appear to come from a trusted source, whether that’s a person or a business. They include content that tries to tempt or trick people into downloading software, opening attachments, or following links to a bogus website.
How to Analyse Emails?
You need to know the structure of an email header. Let’s quickly review the email header structure.
Important Email Header Fields for Quick Analysis
Analyzing multiple header fields can be confusing at first glance but starting from the key points will make the analysis process slightly easier. A simple process of email analysis is shown below.
You’ll also need an email header parser tool or configure a text editor to highlight and spot the email header’s details easily. The difference between the raw and parsed views of the email header is shown below.
Note: The example below is demonstrated with the tool “Sublime Text”.
You can use Sublime Text to view email files without opening and executing any of the linked attachments/commands. You can view the email file in the text editor using two approaches.
- Right-click on the sample and open it with Sublime Text.
- Open Sublime Text and drag & drop the sample into the text editor.
If your file has a “.eml” or “.msg” extension, Sublime Text will automatically detect the structure and highlight the header fields for ease of readability. Note that if you are using a “.txt” or any other extension, you will need to manually select the highlighting format by using the button located at the lower right corner.
Text editors are helpful in analysis, but there are some tools that can help you to view the email details in a clearer format.
“emlAnalyzer” is a tool to view the body of the email and analyse the attachments. emlAnalyzer is designed to parse email headers for a better view and analysis process. The tool can show the headers, body, embedded URLs, plaintext and HTML data, and attachments. Sample usage is shown below.
emlAnalyzer Usage
```text
user@ubuntu$ emlAnalyzer -i Urgent\:.eml --header --html -u --text --extract-all
==============
|| Header ||
==============
X-Pm-Content-Encryption.....end-to-end
X-Pm-Origin.................internal
Subject.....................Urgent: Blue section is down. Switch to the load share plan!
From........................[REDACTED]
Date........................[REDACTED]
Mime-Version................[REDACTED]
Content-Type................[REDACTED]
To..........................[REDACTED]
X-Attached..................[REDACTED]
Message-Id..................[REDACTED]
X-Pm-Spamscore..............[REDACTED]
Received....................[REDACTED]
X-Original-To...............[REDACTED]
Return-Path.................[REDACTED]
Delivered-To................[REDACTED]
=========================
|| URLs in HTML part ||
=========================
[+] No URLs found in the html
=================
|| Plaintext ||
=================
[+] Email contains no plaintext
============
|| HTML ||
============
Dear Elves,.......
=============================
|| Attachment Extracting ||
=============================
[+] Attachment [1] "Division_of_........
```
At this point, the following checks apply.
- Sender and recipient controls
- Return path control
- Email server control
- Message-ID control
- Spam value control
- Attachment control (Does the email contain any attachment?)
Additionally, you can use some Open Source Intelligence (OSINT) tools to check email reputation and enrich the findings. Visit the given site below and do a reputation check on the sender address and the address found in the return path.
- Tool: https://emailrep.io/
Here, if you find any suspicious URLs and IP addresses, consider using some OSINT tools for further investigation. While we will focus on using VirusTotal and InQuest, having similar and alternative services in the analyst toolbox is worthwhile and advantageous.
After completing the initial checks mentioned above, you can continue with body and attachment analysis. Now, let’s focus on analysing the email body and attachments. The sample doesn’t have URLs, only an attachment. You need to compute the hash value of the file to conduct file-based reputation checks and further your analysis. As shown below, you can use the sha256sum tool/utility to calculate the file’s hash value.
sha256sum Usage
```text
user@ubuntu$ sha256sum Division_of....
0827bb9a....
```
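As an added example (not part of the original write-up or of the emlAnalyzer tool), the Python script below runs the quick header checks listed above and the sha256sum step in one pass over a constructed .eml modelled on the sample; the addresses, domains, the attachment content and the spam-score threshold are assumptions made for the example.

```python
import email
import hashlib
from email import policy
from email.utils import parseaddr
# Constructed sample modelled on the "Dear Elves" message above; not a real capture.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer-example.test>
Message-Id: <20221206.1@mailer-example.test>
From: "Chief Elf" <chief.elf@northpole.example>
To: elves@northpole.example
Subject: Urgent: Blue section is down. Switch to the load share plan!
X-Pm-Spamscore: 7
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear Elves, open the attached plan.</p>
--b1
Content-Type: application/octet-stream; name="Division_of_labour.docm"
Content-Disposition: attachment; filename="Division_of_labour.docm"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

def _domain(addr: str) -> str:
    # Domain part of an address or Message-ID, lower-cased for comparison.
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()

def analyse_eml(raw: bytes) -> dict:
    """Run the quick header checks listed above and hash every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    message_id = str(msg.get("Message-Id", ""))
    findings = []
    if return_path and _domain(return_path) != _domain(sender):
        findings.append("return-path domain differs from sender domain")
    if message_id and _domain(message_id) != _domain(sender):
        findings.append("message-id domain differs from sender domain")
    spam = str(msg.get("X-Pm-Spamscore", "")).strip()
    if spam.isdigit() and int(spam) >= 5:  # threshold of 5 is an assumption
        findings.append(f"spam score {spam}")
    attachments = {}  # filename -> sha256, ready for VirusTotal/InQuest lookups
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments[part.get_filename()] = hashlib.sha256(data).hexdigest()
    return {"sender": sender, "return_path": return_path, "attachments": attachments, "findings": findings}
```

The attachment bytes are never executed or opened; only decoded in memory to produce the hash used for the reputation lookups that follow.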
Once you get the hash of the file, you can go for further analysis using VirusTotal.
Now, visit the tool website and use the SEARCH option to conduct hash-based file reputation analysis. After receiving the results, you will have multiple sections to discover more about the hash and associated file. The steps are shown below.
- Search the hash value.
- Click on the BEHAVIOR tab.
- Analyse the details.
After that, continue with a reputation check on InQuest to enrich the gathered data.
Now visit the tool website and use the INDICATOR LOOKUP option to conduct hash-based analysis.
- Search the hash value.
- Click on the SHA256 hash value highlighted in yellow to view the detailed report.
- Analyse the file details.
Never directly interact with unknown email attachments outside of an isolated environment.