Email Security Platform: Analysis

An email security platform can speed up email analysis by:

  • Flagging SPF, DKIM, and DMARC failures.
  • Extracting and scanning email headers, URLs, and attachments for quick threat detection.
  • Highlighting suspicious indicators such as mismatched sender domains, obfuscated URLs, and malicious attachments.

Most platforms provide a helpful view of email artifacts for quick analysis. However, if certain details are unavailable, refer to the detailed investigation steps below, which cover both basic analysis and manual EML file analysis techniques for examining email headers, links, and attachments.


Step 1: Email Header Analysis (Received, SPF, DKIM, and DMARC)

Received Header - Mail Path Analysis

The Received headers record the path of an email from sender to recipient. Each mail server that handles the message prepends its own Received entry, so the topmost entry is the last hop (your own mail server) and the bottom one is closest to the origin. Read the chain bottom-up, and trust only the entries added by servers you control: everything below them was written by the sender's side and can be forged.

Steps to Analyze:

  • Identify inconsistencies in the mail path (e.g., unexpected foreign servers, or a hop that hands the message to your server from a host unrelated to the claimed sender).
  • Compare the domain (and its WHOIS registration) of the host in the last external "Received" hop with the domain of the "From" address.
  • Compare the time stamps of each hop; large gaps or out-of-order times suggest a forged or delayed header chain.
  • Check whether the sending IP appears in threat intelligence as known malicious.

Example of a Legitimate Mail Path:

Received: from mail.senderdomain[.]com (198.51.100[.]10)
  by mail.receiverdomain[.]com (10.0.0[.]2)

The sending host name matches the sender's domain and its IP is a public address (private ranges such as 192.168.x.x or 10.x.x.x should only appear in hops inside a single organization). The SPF check below should confirm that this IP is authorized for the domain.

Example of a Suspicious Mail Path:

From: "Support" <support@gmail[.]com>

Received: from unknownserver[.]xyz (203.0.113[.]50)
  by mail.receiverdomain[.]com (10.0.0[.]2)

Red Flags:

  • The "From" domain does not match the server that handed the message to your mail server (the topmost Received entry added by your own infrastructure).
  • The email claims to be from gmail[.]com but was delivered by an unknown third-party server rather than Google's outbound servers.
  • The email originates from an unexpected IP block or region, or the IP is listed in threat intelligence.

Authentication-Results: SPF, DKIM, DMARC

SPF (Sender Policy Framework)

SPF lets a domain owner publish, in a DNS TXT record, the IP addresses allowed to send mail for that domain. The receiving server checks the connecting IP against the SPF record of the envelope sender domain (MAIL FROM / Return-Path), not the From: header the user sees. An attacker can therefore pass SPF with a domain they control while displaying a spoofed From: address; DMARC alignment (below) closes that gap.

How to Check SPF:

  • Look for the Received-SPF field, or the spf= clause of the Authentication-Results header.
  • Common results:
    • SPF=Pass - The sending IP is authorized for the envelope sender domain.
    • SPF=Fail - The record ends in -all and the sending IP is not authorized.
    • SPF=SoftFail - The record ends in ~all; the IP is not authorized, but the domain asks receivers to accept and mark rather than reject.
    • SPF=Neutral - The record ends in ?all and makes no assertion about the IP either way.
    • SPF=None - The domain publishes no SPF record.
    • SPF=TempError / PermError - The DNS lookup failed or the record is invalid (e.g., more than 10 DNS lookups); no verdict was reached.

Red Flags:

  • SPF Fail - The sending IP is not authorized for the domain; likely spoofed (or a misconfigured legitimate sender, which is worth confirming).
  • SPF None - Nothing to check against; common with throwaway and lookalike domains. Note that mail sent from a compromised legitimate account passes SPF, so a pass is not proof of legitimacy.
  • SPF Pass for a domain that differs from the From: domain - The attacker may simply be authenticating their own infrastructure.

DKIM (DomainKeys Identified Mail)

DKIM adds a DKIM-Signature header: a cryptographic signature over the body and selected headers, verified with a public key that the signing domain (the d= tag) publishes in DNS. A pass shows that the d= domain vouched for the message and that the signed parts were not altered in transit; it says nothing about the From: header unless d= matches the From: domain.

Red Flags:

  • DKIM Fail - The signed content was modified after signing, or the signature is invalid. Mailing lists and forwarders that rewrite the body cause legitimate failures, so check the path before concluding tampering.
  • DKIM missing - No signature at all; common in spoofed and bulk phishing mail.
  • DKIM Pass with a d= domain unrelated to the From: domain - Authentication exists, but not for the identity shown to the user.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC ties SPF and DKIM to the From: header the user actually sees. A message passes DMARC only if at least one of SPF or DKIM passes and the domain that passed aligns with the From: domain. The domain owner publishes a policy (p=none, p=quarantine, or p=reject) telling receivers what to do on failure and where to send aggregate reports.

Red Flags:

  • DMARC Fail with p=reject - The message should have been blocked; if it reached a mailbox, find out what let it through (e.g., an allow list or forwarding rule).
  • DMARC Fail with p=none - The From: domain is not enforcing anything, so spoofing it is cheap.
  • DMARC Pass from an unfamiliar domain - Pass only means the mail really came from the From: domain; a lookalike domain the attacker registered passes just as well.
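The following script is an added example, not part of the original playbook or of any vendor platform: it applies the Step 1 checks to a raw .eml using only the Python standard library. It walks the Received chain bottom-up, parses the Authentication-Results header, and reports SPF/DKIM results that do not align with the From: domain. The sample message is constructed for this example (domains are written normally rather than defanged so the parser sees real syntax; 203.0.113.0/24 and 10.0.0.0/8 are documentation and private ranges), and same_org is a simplified stand-in for DMARC relaxed alignment.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real capture). Domains are written normally, not defanged,
# because the parser needs real syntax; 203.0.113.0/24 and 10.0.0.0/8 are documentation/private ranges.
SAMPLE_EML = """\
Return-Path: <bounce@unknownserver.xyz>
Received: from unknownserver.xyz (unknownserver.xyz [203.0.113.50])
 by mx.receiverdomain.com with ESMTP id abc123;
 Mon, 03 Mar 2025 10:15:02 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
 by unknownserver.xyz with ESMTP;
 Mon, 03 Mar 2025 10:14:58 +0000
Authentication-Results: mx.receiverdomain.com;
 spf=pass smtp.mailfrom=bounce@unknownserver.xyz;
 dkim=pass header.d=unknownserver.xyz;
 dmarc=fail header.from=gmail.com
From: "IT Support" <helpdesk@gmail.com>
To: victim@receiverdomain.com
Subject: Password reset required
Content-Type: text/plain

Please reset your password within 24 hours.
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s*\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
AUTH_RE = re.compile(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", re.I)
DOM_RE = re.compile(r"(?:smtp\.mailfrom|header\.d|header\.from)=([^\s()]+)", re.I)


def received_chain(msg):
    """Hops in chronological order (origin first). Servers prepend Received headers, so the
    list is reversed. Only hops added by servers you control are trustworthy."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(hdr).split()))     # unfold the header first
        if not m:
            continue
        ip = IP_RE.search(m.group("comment") or m.group("from"))
        hops.append({"from_host": m.group("from").strip("[]"),
                     "ip": ip.group(1) if ip else None,
                     "by_host": m.group("by").rstrip(";")})
    hops.reverse()
    return hops


def auth_results(msg):
    """method -> (verdict, domain the verdict is about): envelope-sender domain for SPF,
    the d= tag for DKIM, the From: domain for DMARC."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in " ".join(str(hdr).split()).split(";")[1:]:   # clause 0 is the authserv-id
            m = AUTH_RE.match(clause)
            if not m:
                continue
            method, verdict, rest = m.groups()
            d = DOM_RE.search(rest)
            results[method.lower()] = (verdict.lower(), d.group(1).rsplit("@", 1)[-1].lower() if d else None)
    return results


def same_org(a, b):
    """Rough DMARC relaxed alignment (real DMARC uses the Public Suffix List's organizational domain)."""
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def alignment_findings(msg):
    """Red flags from the checklist above: non-pass results, passes that do not align with
    the From: domain, and an entry hop that does not belong to the From: domain."""
    findings = []
    from_dom = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if method not in auth:
            findings.append(f"no {method} result recorded")
            continue
        verdict, dom = auth[method]
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
        elif method != "dmarc" and dom and not same_org(dom, from_dom):
            findings.append(f"{method} passed for {dom}, which does not align with From: {from_dom}")
    hops = received_chain(msg)
    if hops and not same_org(hops[-1]["from_host"], from_dom):
        # A pointer, not a verdict: large providers relay through differently named hosts.
        findings.append(f"entered via {hops[-1]['from_host']} ({hops[-1]['ip']}), not a {from_dom} host")
    return findings


def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return {"hops": received_chain(msg), "auth": auth_results(msg), "findings": alignment_findings(msg)}
```

Run analyze() on the raw .eml text; for the constructed sample it reports SPF and DKIM passing for unknownserver.xyz rather than gmail.com, dmarc=fail, and the message entering via a host that is not a gmail.com server. The Authentication-Results header is only as trustworthy as the server that wrote it, so check that the authserv-id (the first clause) is your own mail gateway.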

Step 2: Extract & Analyze URLs

Identify Malicious Links:

  • Use the email platform's "Links in body" or URL extraction feature; for a raw EML, extract every href from the HTML part, since the visible link text can differ from the real target.
  • Scan suspicious URLs using common OSINT tools (e.g., VirusTotal's URL scanner) before anyone opens them.

Decode Obfuscated URLs:

  • CyberChef can decode Base64- or JavaScript-obfuscated URLs, nested URL encoding, and more.
  • QR codes: the phishing URL is encoded in the image pixels, so searching the EML text will not find it. First locate the image part by its MIME headers:
    • Content-Type (image/png, image/jpeg, etc.)
    • Content-Disposition (inline or attachment, with the file name)
    • Content-Transfer-Encoding (usually base64)
    • Content-ID (referenced by a cid: link in the HTML body)
  • Then decode the Base64 image and run it through a QR decoder (CyberChef's "Parse QR Code" operation) to recover the embedded URL, and analyze that URL like any other link.

Example EML snippet with an embedded QR code (use Ctrl+F in the EML view to find these headers):

Content-Type: image/png; name="qrcode.png"
Content-Disposition: inline; filename="qrcode.png"
Content-Transfer-Encoding: base64
Content-ID: <qr123@domain[.]com>
X-Attachment-Id: qr123

Red Flags:

  • URLs contain encoded usernames or email addresses, often Base64 in the path, query, or fragment (common in credential harvesting, where the phishing page pre-fills the victim's address).
  • The visible link text shows one domain while the href points to another.
  • Redirects (open redirectors, URL shorteners, tracking links) land on an unexpected domain.
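As an added example (not code from the original playbook), the script below performs the Step 2 URL checks offline on the HTML part of a message: it extracts every href with its visible text, flags display/href host mismatches, decodes a Base64- or URL-encoded recipient address hidden in the query or fragment, and names the real destination behind a redirector's url= parameter. The HTML body and all domains in it are constructed for this example.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed HTML body (not a real phishing sample). Link 1 displays one URL but points
# elsewhere, link 2 hides the recipient's address as Base64 in the fragment, link 3 is a
# redirector whose 'url' parameter names the real destination.
SAMPLE_HTML = """
<html><body><p>Your mailbox is almost full.</p>
<a href="https://login.example-secure.net/auth">https://portal.example.com/login</a>
<a href="https://files.example-cdn.org/view#dmljdGltQGV4YW1wbGUuY29t">Review storage</a>
<a href="https://redirect.example.org/r?url=https%3A%2F%2Flogin.example-secure.net%2Fauth">Click here</a>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML part."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def display_mismatch(href, text):
    """Visible text looks like a URL but its host differs from the real href host."""
    if not text.lower().startswith(("http://", "https://", "www.")):
        return False
    shown = urlsplit(text if "://" in text else "http://" + text).hostname
    return shown is not None and shown != urlsplit(href).hostname


def decode_embedded_identity(url):
    """Return an e-mail address carried in the query or fragment, plain, URL-encoded or
    Base64 (standard or URL-safe alphabet, padding optional); None if there is none."""
    parts = urlsplit(url)
    for value in [parts.fragment] + [v for _, v in parse_qsl(parts.query)]:
        value = unquote(value)
        if EMAIL_RE.fullmatch(value):
            return value
        if B64_RE.fullmatch(value):
            try:
                raw = value.translate(str.maketrans("-_", "+/")).rstrip("=")
                decoded = base64.b64decode(raw + "=" * (-len(raw) % 4)).decode("utf-8")
            except ValueError:          # binascii.Error and UnicodeDecodeError are ValueErrors
                continue
            if EMAIL_RE.fullmatch(decoded):
                return decoded
    return None


def redirect_target(url):
    """Host named by a query parameter that is itself a full URL (redirector pattern)."""
    for _, value in parse_qsl(urlsplit(url).query):
        if value.lower().startswith(("http://", "https://")):
            return urlsplit(value).hostname
    return None


def triage_links(html):
    """Apply the red-flag checks above to every link and report the flags per link."""
    report = []
    for href, text in extract_links(html):
        flags = []
        if display_mismatch(href, text):
            flags.append("display/href host mismatch")
        identity = decode_embedded_identity(href)
        if identity:
            flags.append(f"encoded recipient identity: {identity}")
        target = redirect_target(href)
        if target:
            flags.append(f"redirects to {target}")
        report.append({"href": href, "text": text, "flags": flags})
    return report
```

Feed triage_links() the decoded text/html part of the message (for a base64 or quoted-printable body, decode it first). Everything here is static: nothing is fetched, so a redirector that decides its target server-side, or a shortener, still has to be expanded in a sandbox or with a reputation service.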

Step 3: Investigate Attachments

Email Security Platform:

  • Use the attachment panel to check File Hash using quick links:
    • VirusTotal
    • Hybrid Analysis
    • Joe Sandbox
    • Etc.
  • Use the “View Attachment” button to visualize the document.

Red Flags:

  • Login forms, credential requests, or financial transaction prompts.
  • URLs leading to spoofed login pages.
  • A mismatch between the file extension and its real signature.
  • Mismatched fonts, unusual images, distorted aspect ratios, or other signs of a forged document.
  • Interactive links or buttons.

Manually Investigating Attachments Using the .eml File

If the email platform does not extract attachments properly, manually analyzing the .eml file lets you recover the attachment bytes, confirm the real file type, and spot obfuscation techniques.

A. Verify File Extensions vs. True File Types

Attackers disguise file extensions to evade detection and to fool users. Windows hides known extensions by default, so a file named invoice.pdf.exe is displayed as invoice.pdf while actually being an executable (.exe). The extension is only a label; the first bytes of the file (its signature, or "magic bytes") tell you what it really is.

Red Flags:

  • If the file signature does not match its extension, it may be disguised or malicious.

B. Decode the File with CyberChef

If the attachment is Base64-encoded, follow these steps to analyze it:

  1. Open the EML view.
  2. Locate the "Content-Disposition: attachment" header of the MIME part that references the attachment.
  3. Copy the Base64-encoded string that follows the blank line after that part's headers. (See: Example Snippet (EML))
  4. Open CyberChef.
  5. Paste the copied Base64 as the input.
  6. Apply the following operations:
    • From Base64
    • To Hex
  7. Compare the first bytes with a file signature table such as Gary Kessler's database. (See: Step C) Signatures are 2 to 8 bytes long depending on the type, so compare as many bytes as the table lists rather than a fixed four.

Example Snippet (EML):

Content-Disposition: attachment; filename="invoice.pdf"

Content-Transfer-Encoding: base64

JVBERi0xLjQKJ…

C. Validate the File Type

Example Analysis:

Decoded Hex Output: 25 50 44 46 ("%PDF" in ASCII)

  • Matches the PDF signature, so the file really is a PDF. That confirms the type, not the file's safety: a genuine PDF can still carry a malicious link, JavaScript, or an embedded file.

Example File Signatures:

File Type           Bytes (Hex)                 ASCII
PDF                 25 50 44 46                 %PDF
ZIP                 50 4B 03 04                 PK..
DOCX/XLSX/PPTX      50 4B 03 04                 PK.. (Office Open XML files are ZIP containers)
EXE/DLL             4D 5A                       MZ (the bytes that follow, often 90 00, vary)

Because Office Open XML documents share the ZIP signature, a .docx that starts with 50 4B 03 04 is expected. To tell a real document from a renamed archive, open the ZIP and look for [Content_Types].xml and a word/, xl/, or ppt/ folder; a vbaProject.bin inside means the document carries VBA macros. On Linux or macOS the file command performs the same signature check from the command line.

Red Flags:

  • The file signature does not match its extension (e.g., 4D 5A behind a .pdf name); the file is disguised and should be treated as malicious until proven otherwise.
  • An Office document containing vbaProject.bin when the sender has no reason to send macros.
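The following added example (not code from the original playbook) automates steps A to C for every attachment in an .eml: it Base64-decodes each part, compares the leading bytes with a signature table, flags double extensions, and, for ZIP containers, looks inside for the Office Open XML markers and vbaProject.bin. The test message, its attachments, and the signature table are constructed for this example; the table covers the types listed above plus a few common ones and is not exhaustive.

```python
import base64
import email
import io
import zipfile
from email import policy

# First-bytes signature table for the types in the table above plus a few common ones.
# EXE/DLL is the 2-byte "MZ" only, because the bytes after it vary between builds.
SIGNATURES = {
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "pptx": b"PK\x03\x04",
    "exe": b"MZ", "dll": b"MZ",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
}


def sniff_type(data):
    """Type names whose signature matches the first bytes (several for ZIP-based formats)."""
    return sorted(t for t, sig in SIGNATURES.items() if data.startswith(sig))


def inspect_zip(data):
    """Look inside a ZIP container: the app folder (word/, xl/, ppt/) names the real Office
    type and vbaProject.bin means the document carries VBA macros."""
    info = {"app": None, "macros": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return info
    for prefix, app in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(n.startswith(prefix) for n in names):
            info["app"] = app
    info["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    return info


def check_attachment(filename, data):
    """Compare the file name's extension(s) with what the bytes say, as in steps A to C."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    findings = []
    if len(parts) > 2 and parts[-2] in SIGNATURES and parts[-2] != ext:
        findings.append(f"double extension: shown as .{parts[-2]}, really .{ext}")
    detected = sniff_type(data)
    if not detected:
        findings.append("unknown signature")
    elif ext not in detected:
        findings.append(f"extension .{ext} but signature says {'/'.join(detected)}")
    if "zip" in detected:
        z = inspect_zip(data)
        if z["app"] and z["app"] != ext:
            findings.append(f"ZIP contents look like .{z['app']}, not .{ext}")
        if z["macros"]:
            findings.append("contains VBA macros (vbaProject.bin)")
    return {"filename": filename, "magic": data[:4].hex(" "), "detected": detected, "findings": findings}


def check_eml_attachments(raw):
    """Decode every attachment of an EML (the manual From Base64 step) and check each one."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [check_attachment(p.get_filename() or "(unnamed)", p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments()]


def build_sample_eml():
    """Constructed test message (not a real sample): a true PDF, an MZ executable named
    .pdf, a double-extension file, and a 'docx' that is a ZIP carrying a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    attachments = [
        ("statement.pdf", b"%PDF-1.4\n%constructed sample\n"),
        ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),
        ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("Q1 Report.docx", buf.getvalue()),
    ]
    b = "----=_Part_0001"
    lines = ["From: billing@example.com", "Subject: Documents",
             f'Content-Type: multipart/mixed; boundary="{b}"', "",
             f"--{b}", "Content-Type: text/plain", "", "See attached."]
    for name, data in attachments:
        lines += [f"--{b}", f'Content-Type: application/octet-stream; name="{name}"',
                  f'Content-Disposition: attachment; filename="{name}"',
                  "Content-Transfer-Encoding: base64", "",
                  base64.encodebytes(data).decode().rstrip("\n")]  # the string you would paste into CyberChef
    lines.append(f"--{b}--")
    return "\n".join(lines)
```

check_eml_attachments(open("message.eml").read()) runs the same checks on a real file. The "magic" field is the hex you would otherwise read off CyberChef's To Hex output, so a result can be compared directly against a signature table, and a clean result still only confirms the type, not that the content is benign.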

Step 4: Investigate Sender Domain

WHOIS Lookup:

  • Check domain age & registrar.
  • Look for suspicious name servers.
  • Tools:
    • The whois command-line tool or any web WHOIS/RDAP lookup service
    • Etc.

Check Domain Reputation:

  • Talos Intelligence
  • AbuseIPDB
  • Etc.

Red Flags:

  • Newly registered domain (<30 days old), especially one that imitates a brand or the recipient's own domain.
  • Privacy-protected WHOIS info. On its own this is weak evidence, since most legitimate registrations are redacted too; weigh it together with domain age and reputation.
  • Unusual redirects on the way to the final page.
  • A CAPTCHA or similar gate in front of a login page (used to keep scanners and sandboxes from seeing the phishing form).
  • Free or unknown DNS providers, or name servers shared with other suspicious domains.