[THM] Phishing Emails 1 by TryHackMe

Kicking Off

I was really excited to see this module come through on TryHackMe, as my early work surrounded email security and I had to largely self-teach. I am hoping that I can add in my thoughts from doing BEC investigations over the past few years so that some more context is given to how much damage is done via email year over year.

As the first module notes, spam and phishing are common in the world of social engineering. Commonly, the threat actors who compromise email accounts are looking to divert funds in some way, combining further social engineering with technical skills such as spoofing to steal money.

If it isn't loss of funds, compromised accounts are commonly used to launch spam campaigns (I love the link here from Mailchimp because it tells us and threat actors how to bypass mail filters), credential harvesting, or malspam, so that the threat actor can pivot into another account.

Often, we see these compromises turn into data breaches, where the unauthorized actor acquires the data from these accounts to use in further scams or even in extortion.

With all that being said, I'll jump now into Task 1 from the first segment. 

Task 1 

This first task is about reading. If you are starting these modules from zero knowledge of email security, I suggest you click all available links on these pages and work your way through the topics. This first task asks you to learn a little more about spam and phishing.

Q: Read the above and launch the attached VM.
A: No answer needed.

Task 2

Q: Email dates back to what time frame?
A: 1970s

Answers can be found in the links provided in the task, or in the task body itself.

Task 3

Q: What port is classified as Secure Transport for SMTP?
A: 465

Q: What port is classified as Secure Transport for IMAP?
A: 993

Q: What port is classified as Secure Transport for POP3?
A: 995


Answers can be found in the links provided in the task, or in the task body itself.

Task 4

Q: What email header is the same as "Reply-to"?
A: return-path

Q: Once you find the email sender's IP address, where can you retrieve more information about the IP?
A: http://www.arin.net/

Other websites I love for IP identification include:

Answers can be found in the links provided in the task, or in the task body itself.

Task 5 

Q: In the above screenshots, what is the URI of the blocked image?
A: https://i.imgur.com/LSwOtDI.png
Further Hint: The answer here can be found in the HTML code screenshot. 

Q: In the above screenshots, what is the name of the PDF attachment?
A: payment-updateid.pdf
Further Hint: The answer for this can be found in the "Now let's view this attachment within the source code" section.

Q: In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?
Process follow-along:
  • This is the first time I used CyberChef in the modules, specifically this cocktail: From Base64. Within the sandbox, you can access CyberChef via the Tools folder on the desktop.
  • I cleaned up what I wanted; if you need some help after reading through the body of the task, please see this screenshot:
  • After converting it from Base64, you'll need to save the output to a file, saving it as a PDF.
  • Open this PDF and grab your treasure.

A: See screenshot above.

Task 6

Q: What trusted entity is this email masquerading as?
A: Home Depot
Further Hint: Use https://mha.azurewebsites.net and paste in the From: and Subject: lines to analyze them. There are many great sites that will parse headers, but this Microsoft site will parse just one or a few lines; it does not need the entire header to process the job.

Q: What is the sender's email?
A: support@teckbe.com

Q: What is the subject line? 
A: Order Placed : Your Order ID OD2321657089291 Placed Successfully

Q: What is the URL link for - CLICK HERE? (Enter the defanged URL)
Process follow-along:

  • Locate the URL for the "Click Here" link.
  • Lean on your trusty CyberChef - can you put together the cocktail this time? (see screenshot below for some help).

A: See screenshot above. 
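The two CyberChef steps in Task 5 (From Base64, then save as a PDF) and Task 6 (defang the URL behind CLICK HERE) can be done in one script, which is handy once you have more than one email2.txt to work through. The block below is an added example, not code from the room or from this write-up; it uses only Python's standard library, and the message, the tiny PDF inside it and every domain are constructed. It decodes each attachment, checks the magic bytes rather than trusting the declared name or type, hashes it, writes it to disk, and extracts and defangs every link in the HTML part.

```python
# Added example for Tasks 5 and 6: not the room's or the write-up's code.
# Standard library only. The PDF bytes and every domain below are constructed.
import base64
import hashlib
from email import message_from_string
from html.parser import HTMLParser
from pathlib import Path

# A minimal PDF is enough to exercise the magic-byte check; in the room the
# real bytes come from the base64 blob in email2.txt.
PDF_BYTES = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"

RAW_EMAIL = f"""\
From: "Order Desk" <support@example-vendor.test>
To: victim@example.com
Subject: Order placed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your order is confirmed.</p>
<a href="http://shop.example-vendor.test/orders/123">CLICK HERE</a></body></html>
--b1
Content-Type: application/pdf; name="payment-updateid.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="payment-updateid.pdf"

{base64.b64encode(PDF_BYTES).decode()}
--b1--
"""


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def defang(url):
    """hxxp / [://] / [.] convention, as CyberChef's Defang URL produces by default."""
    return url.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def extract_links(raw):
    """Return [(anchor text, defanged href)] from every text/html part."""
    parser = LinkExtractor()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return [(text, defang(href)) for text, href in parser.links]


def extract_attachments(raw):
    """Decode each attachment (the CyberChef 'From Base64' step) and describe it;
    the magic bytes, not the declared name or type, decide whether it is a PDF."""
    found = []
    for part in message_from_string(raw).walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)
        found.append({"filename": part.get_filename(), "size": len(data),
                      "sha256": sha256_hex(data),
                      "is_pdf": data.startswith(b"%PDF-"), "data": data})
    return found


def save_attachments(raw, out_dir):
    """The 'save the output as a PDF' step: write each decoded attachment under
    out_dir and return the paths. Path(...).name drops any directory part a
    hostile filename might carry, so the file always lands inside out_dir."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for att in extract_attachments(raw):
        path = out / Path(att["filename"] or "attachment.bin").name
        path.write_bytes(att["data"])
        paths.append(path)
    return paths


if __name__ == "__main__":
    import tempfile
    for text, url in extract_links(RAW_EMAIL):
        print(f"link {text!r} -> {url}")
    for att in extract_attachments(RAW_EMAIL):
        print(f"{att['filename']}: pdf={att['is_pdf']} sha256={att['sha256']}")
    print("saved:", save_attachments(RAW_EMAIL, tempfile.mkdtemp()))
```

Reading the text out of the reconstructed PDF is still done the way the write-up does it, by opening the saved file in the sandbox VM; the script stops at proving that what was base64-encoded really is a PDF and recording its hash, which is the value you would search on if the same attachment turns up in other mailboxes.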

Task 7

Q: What is BEC?
A: Business email compromise (also called account takeover and email account compromise)

There are many reasons to fight the good fight around email security. Please connect with me on LinkedIn to keep up to date!
