[THM] Phishing Emails 1 by TryHackMe
Kicking Off
I was really excited to see this module come through on TryHackMe, as my early work surrounded email security and I had to largely self-teach. I am hoping that I can add in my thoughts from doing BEC investigations over the past few years so that some more context is given to how much damage is done via email year over year.
As the first module notes, spam and phishing are common in the world of social engineering. Commonly, the threat actors that compromise email accounts are looking to divert funds in some way, utilizing further social engineering skills along with technical skills like spoofing to steal money.
When the goal isn't diverting funds, compromised accounts are commonly used to launch spam campaigns (I love the link here from Mailchimp because it tells us and threat actors how to bypass mail filters), credential harvesting, or malspam, so that the threat actor can pivot into another account.
Often, we see these compromises turn into data breaches, where the unauthorized actor acquires the data from these accounts to either use in further scams or even in extortion.
With all that being said, I'll jump now into Task 1 from the first segment.
Task 1
Task 2
Q: Email dates back to what time frame?
A: 1970s
Task 3
Q: What port is classified as Secure Transport for SMTP?
A: 465
Q: What port is classified as Secure Transport for IMAP?
A: 993
Q: What port is classified as Secure Transport for POP3?
A: 995
Task 4
A: return-path
Q: Once you find the email sender's IP address, where can you retrieve more information about the IP?
A: http://www.arin.net/
Task 5
A: https://i.imgur.com/LSwOtDI.png
Q: In the above screenshots, what is the name of the PDF attachment?
A: payment-updateid.pdf
Q: In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?
- This is the first time I used CyberChef in the modules, specifically, this cocktail: From Base64. Within the sandbox, you can access CyberChef via the Tools folder on the desktop.
- I cleaned up what I wanted; if you need some help after reading through the body of the task, please see this screenshot:
- After decoding it from Base64, save the output to a file with a .pdf extension.
- Open this PDF and grab your treasure.
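As an added example (not part of the TryHackMe room or this writeup), here is the same reconstruction done with Python's standard email library instead of CyberChef. It runs on a constructed sample message rather than the room's email2.txt; the attachment name mirrors the Task 5 answer, but the PDF bytes are a tiny placeholder, and the signature check and filename sanitising are the extra steps an analyst would want before opening anything.

```python
import base64
import email
from email import policy
from pathlib import Path

# Constructed sample message (not the module's email2.txt): a multipart mail
# carrying a tiny hand-made PDF as a base64 attachment named like the Task 5 file.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SAMPLE_EMAIL = (
    "From: billing@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: Payment update\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\n'
    "\n--XYZ\n"
    "Content-Type: text/plain\n\n"
    "Please review the attached invoice.\n"
    "--XYZ\n"
    'Content-Type: application/pdf; name="payment-updateid.pdf"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="payment-updateid.pdf"\n\n'
    + base64.encodebytes(SAMPLE_PDF).decode()
    + "--XYZ--\n"
)

def extract_attachments(raw: str):
    """Return [(filename, declared content type, decoded bytes)] per attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [
        (part.get_filename(), part.get_content_type(), part.get_payload(decode=True))
        for part in msg.iter_attachments()
    ]

def looks_like_pdf(data: bytes) -> bool:
    # Check the file signature rather than trusting the name or MIME type:
    # a ".pdf" that does not start with %PDF- deserves a closer look.
    return data.startswith(b"%PDF-")

def save_attachment(filename: str, data: bytes, outdir: str = ".") -> Path:
    # Path(...).name drops any directory components a crafted filename might
    # carry, so the decoded file can never land outside outdir.
    target = Path(outdir) / Path(filename or "attachment.bin").name
    target.write_bytes(data)
    return target

if __name__ == "__main__":
    for name, ctype, data in extract_attachments(SAMPLE_EMAIL):
        print(name, ctype, len(data), "bytes, PDF magic:", looks_like_pdf(data))
        print("written to", save_attachment(name, data))
```

Point `extract_attachments` at the contents of email2.txt from the sandbox and the decoded PDF is written next to the script; open it in a viewer inside the VM, not on your host.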
Task 6
Q: What trusted entity is this email masquerading as?
A: Home Depot
Q: What is the URL link for - CLICK HERE? (Enter the defanged URL)
Process follow along:
- Locate the URL for the "Click Here" link.
- Lean on your trusty CyberChef: can you put together the cocktail this time? (See the screenshot below for some help.)
A: See screenshot above.
Task 7
Q: What is BEC?
A: Business email compromise (also called account takeover or email account compromise)