Analyzed a real phishing email using Thunderbird, Sublime Text, and CyberChef. Investigated headers, decoded base64, extracted URLs, and identified impersonation to build practical SOC-level phishing detection and analysis skills.
prakharvr02/Phishing-Analysis

Phishing Analysis: Blue Team Project

Phishing Analysis Scenario

Test your phishing analysis skills by triaging and investigating a recent phishing campaign.

Analysis Tools

We will use the following tools:

  1. Text Editor (Sublime Text)
  2. Mozilla Thunderbird (Email client)
  3. CyberChef (Data decoding tool)

To begin the challenge:

  1. Download the phishing email
  2. Enter the password to access the files


1. What is the sender's email address? (1 point)

Steps:

  • Open the email in Sublime Text
  • Search for From using CTRL+F

Answer: amazon@zyevantoby.cn


2. What is the recipient's email address? (1 point)

Steps:

  • Search for To in Sublime Text

Answer: saintington73@outlook.com


3. What is the subject line of the email? (1 point)

Steps:

  • Search for the Subject field

Answer: Your Account has been locked


4. Which company is the attacker impersonating? (1 point)

Analysis:
The sender's address (amazon@zyevantoby.cn) puts the Amazon brand name in the local part while the sending domain is an unrelated .cn domain, which suggests the attacker is pretending to be Amazon.

Answer: Amazon


5. What is the date and time the email was sent? (Copy directly from the text editor) (1 point)

Steps:

  • Search for the Date field

Answer: Wed, 14 Jul 2021 01:40:32 +0900


6. What is the URL of the main call-to-action button? (1 point)

Warning: Exercise caution - this may be a malicious link

Steps:

  • Right-click the button and select Copy Link Location
  • Alternatively, inspect the email source in Sublime Text

Answer:

https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Famaozn.zzyuchengzhika.cn%2F%3Fmailtoken%3Dsaintington73%40outlook.com&data=04%7C01%7C%7C70072381ba6e49d1d12d08d94632811e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637618004988892053%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=oPvTW08ASiViZTLfMECsvwDvguT6ODYKPQZNK3203m0%3D&reserved=0

7. What is the first sentence (heading) displayed when viewing the URL with URL2PNG? (1 point)

Answer: This web page could not be loaded.


8. What encoding scheme is used in the main body content? (1 point)

Steps:

  • Search for the Content-Transfer-Encoding field

Answer: Base64


9. What is the URL used to retrieve the company's logo in the email? (1 point)

Steps:

  1. Copy the Base64 content
  2. Decode it in CyberChef
  3. Search for http in the output


Answer:

https://images.squarespace-cdn.com/content/52e2b6d3e4b06446e8bf13ed/1500584238342-OX2L298XVSKF8AO6I3SV/amazon-logo?format=750w&content-type=image%2Fpng

10. What Facebook username appears in one of the URLs? (1 point)

Steps:

  • Search for facebook in the CyberChef output

Answer: amir.boyka.7
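As an added, self-contained Python example (not part of this repository), the script below automates the same triage steps on a constructed .eml string: it reads the From/To/Subject/Date headers, applies the Content-Transfer-Encoding (base64) the way the manual CyberChef step does, extracts every URL from the decoded body, unwraps the Microsoft Safe Links wrapper seen in question 6 to expose the real destination carried in its url= parameter, and pulls the profile name out of any facebook.com link. The header values in the sample are the ones quoted above; the HTML body, the impersonated_brand heuristic and the facebook.com link are constructed for this example and are not the real message content.

```python
import base64
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample message. The header values are the ones quoted in the
# write-up; the HTML body is a small fragment built here so the script runs
# offline. It is NOT the real body of the challenge email.
_HTML_BODY = (
    "<html><body>"
    '<img src="https://images.squarespace-cdn.com/content/52e2b6d3e4b06446e8bf13ed/'
    '1500584238342-OX2L298XVSKF8AO6I3SV/amazon-logo?format=750w&content-type=image%2Fpng">'
    "<p>Your Account has been locked</p>"
    '<a href="https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Famaozn.'
    'zzyuchengzhika.cn%2F%3Fmailtoken%3Dsaintington73%40outlook.com&data=04%7C01&reserved=0">'
    "Verify now</a>"
    '<a href="https://www.facebook.com/amir.boyka.7">Facebook</a>'  # constructed link
    "</body></html>"
)

SAMPLE_EML = (
    "From: amazon@zyevantoby.cn\r\n"
    "To: saintington73@outlook.com\r\n"
    "Subject: Your Account has been locked\r\n"
    "Date: Wed, 14 Jul 2021 01:40:32 +0900\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + base64.b64encode(_HTML_BODY.encode("utf-8")).decode("ascii") + "\r\n"
)

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def unwrap_safelinks(url: str) -> str:
    """Return the destination hidden inside a Microsoft Safe Links wrapper.

    Safe Links rewrites the original link into the percent-encoded ``url=``
    query parameter; the real target is recovered from that parameter.
    URLs that are not Safe Links wrappers are returned unchanged.
    """
    parsed = urlparse(url)
    if not parsed.netloc.lower().endswith(SAFELINKS_SUFFIX):
        return url
    inner = parse_qs(parsed.query).get("url")
    return inner[0] if inner else url


def impersonated_brand(sender: str, brands=("amazon",)) -> Optional[str]:
    """Heuristic (assumed, not from the write-up): flag a brand name in the
    local part of the sender when the sending domain is not that brand's."""
    local, _, domain = sender.lower().partition("@")
    for brand in brands:
        owned = domain == f"{brand}.com" or domain.endswith(f".{brand}.com")
        if brand in local and not owned:
            return brand
    return None


def facebook_usernames(urls: List[str]) -> List[str]:
    """Pull the first path segment (the profile name) from facebook.com links."""
    names = []
    for u in urls:
        p = urlparse(u)
        if p.netloc.lower().endswith("facebook.com"):
            segment = p.path.strip("/").split("/")[0]
            if segment:
                names.append(segment)
    return names


def analyze(raw_eml: str) -> Dict[str, object]:
    """Answer the triage questions from the write-up for one raw .eml string."""
    msg = message_from_string(raw_eml)
    # get_payload(decode=True) applies the Content-Transfer-Encoding (base64
    # here), which is what the manual CyberChef "From Base64" step does.
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    urls = URL_RE.findall(body)
    sent = parsedate_to_datetime(msg["Date"])
    return {
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "date_header": msg["Date"],
        "date_utc": sent.astimezone(timezone.utc).isoformat(),
        "transfer_encoding": msg["Content-Transfer-Encoding"],
        "impersonated_brand": impersonated_brand(msg["From"]),
        "urls": urls,
        "unwrapped_urls": [unwrap_safelinks(u) for u in urls],
        "facebook_usernames": facebook_usernames(urls),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it with python3 and it prints the answers for the constructed sample; for a real message, read the .eml file into a string and pass it to analyze(). Note that unwrapping the Safe Links wrapper exposes the typosquatted destination host (amaozn.zzyuchengzhika.cn) that the wrapper hides from a casual reader, which is the detail worth recording in a triage ticket rather than the outlook.com wrapper itself.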
