CFS137: Email Header Analysis Lab

Scenario A: The "Project Update"

Received: Mon, 14 Oct 2024 09:15:22 -0500

Status: Pending Analysis

From: Sarah Jenkins <s.jenkins@corp-logistic.com> To: accounting@ourcompany.edu Subject: Q4 Logistics Project Update

Hi Team,

Just sending over the updated timeline for the Q4 logistics overhaul. No action needed right now, just keeping you in the loop. See attached PDF.

Best,
Sarah

RAW HEADERS

From: "Sarah Jenkins" <s.jenkins@corp-logistic.com>
To: "Accounting" <accounting@ourcompany.edu>
Subject: Q4 Logistics Project Update
Date: Mon, 14 Oct 2024 09:15:22 -0500
Message-ID: <CA+8s9s8d7f6g5h4j3k2@mail.corp-logistic.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="000000000000123456"

Investigator's Notebook

1. Compare the 'From' address and the 'Return-Path'. Do they match?

2. What is the status of the SPF and DKIM checks?

Scenario B: The "Suspension Notice"

Received: Tue, 15 Oct 2024 14:20:10 -0500

Flagged: High Priority

From: Security Team <alerts@micr0soft-security-cloud.com> To: student@ourcompany.edu Subject: URGENT: Account Suspended due to Virus

Dear User,

We have detected a trojan on your workstation. Your account access has been revoked.
To restore access, you must download the cleaning tool immediately:

Download SecurityPatch_v2.exe

RAW HEADERS

Return-Path: <bounce-handler@mail-blaster-service.xyz>
Delivered-To: student@ourcompany.edu
Received: from mail-blaster-service.xyz (unknown [198.51.100.22])
    by mx.ourcompany.edu with SMTP id 7g6h5j4k
    for <student@ourcompany.edu>; Tue, 15 Oct 2024 14:20:09 -0500
Authentication-Results: mx.ourcompany.edu;
    spf=pass (mx.ourcompany.edu: domain of bounce-handler@mail-blaster-service.xyz designates 198.51.100.22 as permitted sender);
    dkim=none;
From: "Microsoft Security" <alerts@micr0soft-security-cloud.com>
To: <student@ourcompany.edu>
Subject: URGENT: Account Suspended due to Virus
Date: Tue, 15 Oct 2024 14:20:10 -0500
X-Mailer: MassMailer v4.2
Reply-To: <support@temp-mail.ru>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: base64

PGh0bWw+Cjxib2R5PgpEZWFyIFVzZXIsPGJyPjxicj4KV2UgaGF2ZSBkZXRlY3RlZCBhIHRy
b2phbiBvbiB5b3VyIHdvcmtzdGF0aW9uLiBZb3VyIGFjY291bnQgYWNjZXNzIGhhcyBiZWVu
IHJldm9rZWQuPGJyPgpUbyByZXN0b3JlIGFjY2VzcywgeW91IG11c3QgZG93bmxvYWQgdGhl
IGNsZWFuaW5nIHRvb2wgaW1tZWRpYXRlbHk6PGJyPjxicj4KPGEgaHJlZj0iaHR0cDovL21h
bGljaW91cy1kb21haW4uY2MvZG93bmxvYWRzL1NlY3VyaXR5UGF0Y2hfdjIuZXhlIj5Eb3du
bG9hZCBTZWN1cml0eVBhdGNoX3YyLmV4ZTwvYT4KPC9ib2R5Pgo8L2h0bWw+

Investigator's Notebook

1. Analyze the "From" domain and the "Return-Path". What do you notice?

2. What kind of attack is this?

3. What is the name of the software used to send the email? (Hint: Check artifacts in the Raw Header)

4. Decode the Base64 content. What is the FULL malicious URL pointing to the .exe?

Hint: Use an online Base64 decoder. Paste the result exactly.

Scenario C: The "Wire Transfer"

Received: Wed, 16 Oct 2024 10:05:01 -0500

Flagged: Suspicious

From: CFO - James Miller <j.miller@trusted-vendor.com> To: accounting@ourcompany.edu Subject: Change of Bank Details for Oct Invoice

Hi Team,

We are switching banks effective immediately. Please do NOT send the October payment to the usual account.

Please update your records to the new account details attached below. This needs to be processed by EOD.

Thanks,
James

RAW HEADERS

Return-Path: <j.miller@trusted-vendor.com>
Delivered-To: accounting@ourcompany.edu
Received: from mail.random-vps-host.net (mail.random-vps-host.net [45.33.22.11])
    by mx.ourcompany.edu with ESMTP id 9k8j7h6g
    for <accounting@ourcompany.edu>; Wed, 16 Oct 2024 10:05:00 -0500
Authentication-Results: mx.ourcompany.edu;
    spf=fail (mx.ourcompany.edu: domain of trusted-vendor.com does not designate 45.33.22.11 as permitted sender) smtp.mailfrom=j.miller@trusted-vendor.com;
    dkim=fail (signature verification failed);
From: "James Miller" <j.miller@trusted-vendor.com>
To: "Accounting" <accounting@ourcompany.edu>
Subject: Change of Bank Details for Oct Invoice
Date: Wed, 16 Oct 2024 10:05:01 -0500
X-Originating-IP: [45.33.22.11]

Investigator's Notebook

1. Look at the SPF Result and the Received: IP.

2. What kind of attack is this?