Email Malicious Content Analysis


The body of an email uses Multipurpose Internet Mail Extensions (MIME) to support different formats, such as HTML and rich text format (RTF), and the inclusion of file attachments.

  • binary data (such as an attachment) is translated to Base64-encoded ASCII text characters

Malicious Payload

A malicious payload is code of some kind embedded within the message body.

  • two main types:
    • Exploit
      • the message data contains scripts or objects that target some vulnerability in the mail client
        • e.g., incorrectly processing RTF or HTML-based messages, image files, or S/MIME digital signatures
      • in some cases, this may be activated by an email client’s preview feature
    • Attachment
      • the message contains a malicious file attachment
      • the intent is to have the user open or execute it
      • attachment may be disguised with formatting tricks such as a double file extension
        • e.g., file.pdf.exe

As with email sender addresses, a link can be composed of a friendly display string plus the actual URL it points to.

Email Signature Block

  • a missing or poorly formatted email signature block is an indicator of a phishing message
  • spear phishing might use a replicated company signature to appear legitimate
  • a signature block can also be used to embed malicious links and incorrect or hacked contact details

Malicious Attachments

File attachments should be scanned by antimalware at the email gateway, on the user desktop, or in the email client to locate and remove these files.

  • even so, malicious file attachments often go undetected by antimalware or groupware detection engines
  • when investigating an email attachment:
    • obtain a hash of the attachment
    • compare it to known malicious file hashes
    • if malicious, create a custom detection rule for the file hash
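The attachment triage steps above, together with the double-extension and friendly-link-text checks from earlier on this page, as an added example that is not part of the original notes. The message, the attachment bytes and the "known malicious" hash list are all constructed here for the demonstration; a real hash list would come from threat intelligence or an antimalware vendor.

```python
import base64
import hashlib
from email import policy
from email.parser import BytesParser
import re

# Constructed attachment content and sample message (not a real sample).
# The HTML part carries a link whose visible text differs from its target,
# and the Base64-encoded attachment uses a double file extension.
_ATTACHMENT = b"MZ fake-executable-bytes-for-demo-only"
SAMPLE_EML = (
    b"From: Payroll <payroll@example.com>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: Invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b'<p>See <a href="http://203.0.113.9/login">https://portal.example.com</a></p>\r\n'
    b"--XX\r\n"
    b'Content-Type: application/octet-stream; name="invoice.pdf.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="invoice.pdf.exe"\r\n\r\n'
    + base64.b64encode(_ATTACHMENT) + b"\r\n"
    b"--XX--\r\n"
)

# Constructed "known bad" list, seeded so the sample attachment matches.
KNOWN_BAD_SHA256 = {hashlib.sha256(_ATTACHMENT).hexdigest()}
RISKY_FINAL_EXTS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")

def analyze(raw: bytes) -> dict:
    """Hash attachments, compare against known-bad hashes, and flag disguises."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {"attachments": [], "suspicious_links": []}
    for part in msg.walk():
        if part.is_attachment():
            payload = part.get_payload(decode=True)  # undoes the Base64 transfer encoding
            name = (part.get_filename() or "").lower()
            digest = hashlib.sha256(payload).hexdigest()
            findings["attachments"].append({
                "filename": name,
                "sha256": digest,
                # heuristic: two or more dots and an executable final extension
                "double_extension": name.count(".") >= 2 and name.endswith(RISKY_FINAL_EXTS),
                "known_malicious": digest in KNOWN_BAD_SHA256,
            })
        elif part.get_content_type() == "text/html":
            for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', part.get_content(), re.S):
                text = text.strip()
                # link text that looks like a URL but does not match the real target
                if text.startswith("http") and text != href:
                    findings["suspicious_links"].append((text, href))
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
```

A hash match of this kind is the basis for the custom detection rule mentioned above; an unmatched attachment still needs sandbox or manual analysis, since the hash list only covers files already known to be bad.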