Email Analysis
Detecting malware from messages, check if they are phishing.
Last updated
Detecting malware from messages, check if they are phishing.
Last updated
Analyses message header of email. It helps to check the phishing emails.
Combines threat intelligence, OSINT, email metadata and battle tested auto-analysis pathways into one powerful phishing response platform.
Paste the sender’s email address to check if the address is suspicious.
We can see the email source in each provider or execute the following commands.
Check the following headers to distinguish whether it is spoofed.
Each value in dkim, spf, dmarc should be pass. If not, the email may be spoofed.
It should match the sender’s email address.
Its value should be pass. If its value is faile, softfail, neutral or none, the email may be spoofed.
Besides, check if the sender displayed name or address match From, Reply-To, Return-Path in headers. However, these header values can be modified by attackers so it could not be relied perfectly.
To confirm if these records exist in a domain, use dig command. If not exist, the domain may be spoofed, or may be categorized spam by some email providers.
To check DKIM record, we need to specify the DKIM selector. It can be found in s= header value of dkim section in email header such as Authentication-Results. For example,
In this case, we execute dig [s1234.example.com](http://s1234.example.com) txt .
If the email contains RE: (Regarding) which means replying your message, we need to check that it’s a really reply message. Attacker may impersonate reply message that victim communicated in the past.
If you got email in which attached suspicious files, you need to investigate them.
View the Message Source
Copy the Attached File's Base64
Change Base64 to SHA256
Or there are some useful tools:
Investigate the Hash
There are some useful tools:
Also we can check that using online tools such as .
is useful to change the cipher.