This walkthrough covers The Greenholt Phish challenge room on TryHackMe.
Scenario
A Sales Executive at Greenholt PLC received an unexpected email from a customer. He noted that the customer typically does not use generic greetings like "Good day" and that he was not expecting any money to be transferred to his account. Additionally, the email contained an attachment that he had not requested. He forwarded the email to the Security Operations Center (SOC) for further investigation.
Task
Investigate the email sample (challenge.eml) to determine its legitimacy.
Open the EML file using Thunderbird. Right-click on the challenge.eml file, select "Open With," and then choose "Other Application." Scroll down to select "Thunderbird Mail" and click "Open."
What is the Transfer Reference Number listed in the email's Subject?
The Transfer Reference Number can be found in the email content.

Who is the email from?
The sender can be found in the email content.

What is his email address?
The sender's address can be found in the email's header.

What email address will receive a reply to this email?
The Reply-To address can be found in the email's header.
What is the Originating IP?
To discover the IP address, we need to view the source. Click on "More", then "View Source".

In the header, the value of X-Originating-Ip is invalid, but I was able to spot the IP address of the server that sent the email to the next server from "Received: from hwsrv-737338.hostwindsdns.com ([xxx.xxx.xx.xxx]:51810 helo=mutawamarine.com)".

Who is the owner of the Originating IP?
To identify the organization that owns the IP address mentioned in the previous question, look up the IP address using a WHOIS service.

What is the SPF record for the Return-Path domain?
Since the question mentioned the Return-Path domain (mutawamarine[.]com), we will use SPF Surveyor to look up its SPF record. The result shows that there is one and only one SPF record.

Note: The record indicates that the domain (mutawamarine[.]com) authorizes mail sent from servers listed in the spf.protection.outlook.com SPF record to send emails on its behalf. The -all directive means that emails sent from any other servers should be rejected.
What is the DMARC record for the Return-Path domain?
To check the DMARC record, we will use the DMARC Domain Checker.

Note: This record specifies that emails failing DMARC checks should be quarantined. The fo=1 setting indicates that a failure report should be generated if either SPF or DKIM fails.
What is the name of the attachment?
The name of the attachment can be obtained from the body of the mail, or by searching (CTRL+F) for "attachment" in the source.

What is the SHA256 hash of the file attachment?
Return to the original email and save the attachment. Make sure not to open it, as we cannot confirm whether it is malicious.

Open the terminal in the directory where the file is saved and run the following command to retrieve the SHA256 hash value.
sha256sum <filename>

What is the attachment's file size?
Once we have the hash value, search for it on VirusTotal; the file size is listed in the results there.

What is the actual file extension of the attachment?
The actual file extension is displayed in the VirusTotal results shown in the previous screenshot.
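Added example, not from the room or the original post: a Python triage script that performs the header and attachment steps above offline on a constructed .eml, reading Subject, From and Reply-To, checking whether X-Originating-Ip is a real address, pulling the source IP from the earliest Received hop, and recording each attachment's name, size, SHA256 and the file type suggested by its leading bytes. All hostnames, addresses, the reference number and the attachment are constructed placeholders, and the signature table is deliberately tiny.

```python
import base64
import hashlib
import ipaddress
import re
from email import message_from_bytes, policy

# Constructed sample, not the room's challenge.eml: unusable X-Originating-Ip, a Received chain
# carrying the source IP in brackets, a Reply-To that differs from From, a misnamed attachment.
ATTACHMENT_BYTES = b"MZ constructed placeholder bytes, not a real executable"
SAMPLE_EML = b"""\
Received: from mx.receiver.example ([198.51.100.7]) by inbound.receiver.example
Received: from hwsrv-placeholder.example ([203.0.113.42]:51810 helo=sender.example) by mx.receiver.example
X-Originating-Ip: [not-an-ip]
From: Finance Team <accounts@sender.example>
Reply-To: replies@elsewhere.example
Subject: Transfer Reference TRN-PLACEHOLDER
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="transfer_advice.pdf"
Content-Transfer-Encoding: base64

""" + base64.encodebytes(ATTACHMENT_BYTES) + b"--b1--\n"
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"MZ": "exe"}  # tiny illustrative signature table

def is_valid_ip(value):
    try:
        return bool(ipaddress.ip_address(value.strip("[] ")))
    except ValueError:
        return False

def originating_ip(msg):
    # Each hop prepends its own Received header, so the last one listed is the earliest visible hop.
    for received in reversed(msg.get_all("Received", [])):
        for token in re.findall(r"\[([^\]]+)\]", str(received)):
            if is_valid_ip(token):
                return token
    return None

def triage(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"subject": str(msg["Subject"]), "from": str(msg["From"]), "reply_to": str(msg["Reply-To"]),
              "x_originating_ip_valid": is_valid_ip(str(msg.get("X-Originating-Ip", ""))),
              "originating_ip": originating_ip(msg), "attachments": []}
    for part in msg.iter_attachments():
        data = part.get_content()  # decoded bytes, exactly what "save attachment" writes to disk
        actual = next((ext for magic, ext in MAGIC.items() if data.startswith(magic)), "unknown")
        report["attachments"].append({"filename": part.get_filename(), "size": len(data),
                                      "sha256": hashlib.sha256(data).hexdigest(), "actual_ext": actual})
    return report
```

The sha256 value equals what `sha256sum` prints for the saved attachment, and a name ending in .pdf over bytes that start with MZ is the kind of mismatch the "actual file extension" question is about.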