Email Analysis

Last modified: 2023-09-13


Detecting malware from messages, check if they are phishing.


Email Source Analysis

We can see the email source in each provider or execute the following commands.

open example.xml
strings example.eml

Check the following headers to distinguish whether it is spoofed.


Each value in dkim, spf, dmarc should be pass. If not, the email may be spoofed.


It should match the sender’s email address.


Its value should be pass. If its value is faile, softfail, neutral or none, the email may be spoofed.


Besides, check if the sender displayed name or address match From, Reply-To, Return-Path in headers. However, these header values can be modified by attackers so it could not be relied perfectly.

Be Careful of Fake Reply Message

If the email contains RE: (Regarding) which means replying your message, we need to check that it’s a really reply message. Attacker may impersonate reply message that victim communicated in the past.

Malware Detection in Attached Files

If you got email in which attached suspicious files, you need to investigate them.

  1. View the Message Source

  2. Copy the Attached File's Base64

  3. Change Base64 to SHA256

    sha256sum attached_file.doc
    # or
    sha256sum <base64-string>

    Or there are some useful tools:

  4. Investigate the Hash

    There are some useful tools: