Analysis of emails
The most common phishing techniques involve emails. Thus, many investigations in phishing-related attacks are focused on the exchange of emails between attackers and victims. The IR team has to look at the email header and body to unearth key details about the attack. The email header generally contains the addresses of the sender and recipient. The sender's address is of key importance as it can reveal the technique used to deceive the recipient. In many instances, hackers use domains that closely resemble legitimate companies. For instance, an email from [email protected]
and noreply@ṕaypal.com
may look the same to a recipient, but in reality, they are from different domains. In other cases, the senders will spoof the email address, that is, send emails from a different address than the one reported in the header.
Besides the header, the IR team should also look closely at the email body. Many phishers include links to malicious or cloned sites...