Real World Phishing Email Analysis | TryHackMe Snapped Phishing Line
Introduction
This article walks through a phishing attack case with a focus on real-world analysis techniques. It shows how phishing emails disguised as legitimate communications trick users into divulging credentials. By investigating malicious PDF and HTML attachments, a phishing kit, and SSL certificates, it illustrates how attackers lure victims to fake login pages and harvest sensitive data. Tools such as VirusTotal and open-source intelligence sources are used to investigate the phishing infrastructure. The article is part of the TryHackMe “Snapped Phishing Line” challenge.
Scenario Overview
As a member of the IT department of SwiftSpend Financial, your task is to investigate a phishing incident reported by multiple employees.
Some of them have already had their credentials compromised. You take on the role of a security analyst tasked with analyzing the phishing emails and extracting indicators of malicious activity.
Phishing Email Investigation
You begin by examining a phishing email with an attached PDF from a sender, “William McLean.”
The email looks legitimate, stating that it contains a “code for services.” Because the attachment could be malicious, you examine it only inside an isolated virtual machine (VM).
Scanning the attachment with VirusTotal surfaces potential threats.
Malicious PDF Analysis
The PDF resembles an Office 365 document, but it includes a suspicious call-to-action (CTA) button that redirects to a phishing page.
Rather than clicking the button, you extract the URL behind it and inspect it in a browser inside the isolated VM.
The URL points to a suspicious domain, “kroads.buzz,” rather than a legitimate Office 365 site, indicating a phishing attempt.
HTML Email Investigation
Another phishing email is sent to an employee, Zoe Duncan. It contains an HTML attachment that redirects the user to a phishing page.
Analysis of the attachment shows that the HTML page redirects the user to a fake login page built to capture credentials.
Discovering the Phishing Kit
Further investigation leads to uncovering the phishing kit used by the attacker, hosted on a compromised server.
The video demonstrates how to analyze the phishing kit archive by downloading and extracting its contents to gather more threat intelligence.
Hashing and VirusTotal Scans
You generate a hash (SHA-256) for the phishing kit and submit it to VirusTotal for analysis, revealing it as a malicious file previously flagged by others.
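As an added example (not part of the room or the original article), the Python script below triages an HTML attachment like the one sent to Zoe Duncan: it pulls every link and redirect target out of the file, flags any host that is not a legitimate Microsoft sign-in domain, and computes the SHA-256 that would be submitted to VirusTotal. The allowlist of legitimate hosts is an assumption, and the sample attachment is constructed for the example, reusing the kroads.buzz domain named above.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts an Office 365 sign-in link is expected to land on.
# Extend with the tenant's own portals before using this in production.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com",
                     "office.com", "www.office.com"}

# Constructed sample attachment: a page that forwards the reader to a fake
# login page by both meta refresh and JavaScript, plus a decoy genuine link.
SAMPLE_ATTACHMENT = b"""<html><head>
<meta http-equiv="refresh" content="0; url=https://kroads.buzz/o365/login.php">
<script>window.location.href = "https://kroads.buzz/o365/login.php";</script>
</head><body><a href="https://www.office.com/">Open document</a></body></html>"""

# Matches JavaScript redirects such as location.href = "..." or location.replace("...")
JS_REDIRECT = re.compile(r"""(?:location(?:\.href)?\s*=|location\.replace\()\s*["']([^"']+)["']""")

class _LinkCollector(HTMLParser):
    """Collect <a href> targets and <meta http-equiv="refresh"> destinations."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(m.group(1))

def extract_urls(html_bytes):
    """Return the de-duplicated, sorted set of link and redirect targets."""
    text = html_bytes.decode("utf-8", errors="replace")
    p = _LinkCollector()
    p.feed(text)
    return sorted(set(p.urls + JS_REDIRECT.findall(text)))

def suspicious_hosts(urls):
    """Hosts that are not on the allowlist, i.e. candidate phishing infrastructure."""
    hosts = {(urlparse(u).hostname or "").lower() for u in urls}
    return sorted(h for h in hosts if h and h not in LEGIT_LOGIN_HOSTS)

def sha256_hex(data):
    """SHA-256 of the raw attachment bytes, the value to look up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()

def triage(attachment):
    urls = extract_urls(attachment)
    return {"sha256": sha256_hex(attachment), "urls": urls,
            "suspicious_hosts": suspicious_hosts(urls)}

if __name__ == "__main__":
    print(triage(SAMPLE_ATTACHMENT))
```

The decoy link to www.office.com is reported but not flagged, which is the point: judge the attachment by where it sends the user, not by the legitimate-looking links it also contains.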
SSL Certificate and Domain Information
The video explains how to use open-source tools such as ThreatBook to gather additional information about the phishing domain, including its SSL certificate and domain registration data.
Log File Examination
The attacker’s server contains logs of the harvested information, including victims’ IP addresses, user agents, and the credentials they submitted.
These logs, which hold the victims’ passwords in plain text, reveal who was caught by the phishing campaign.
Room Answers | TryHackMe Snapped Phishing Line
Room answers can be found here.