WORKS2011 asked:

Locating the Source of a Phishing Attempt and Email Header Analysis Question

Is it possible to scan the original email header of a forwarded email? When I check the header information from a forwarded phishing attack email it appears it's only analyzing the last hop and not the original. 

It appears someone sent an email from my client's actual email address, and it does not appear to be a phishing email. As of now, there is no indication how this happened. Has anyone seen anything like this before?

Ran full scans on all the devices on the network and everything is coming back clean. On-premises Exchange server, PDC, professional firewall, 12 WIN10 Pro workstations, everything is patched.

I did have one person travel to Europe with a laptop and recently just got back. The last time a client traveled overseas there was a substantial amount of attacks after they returned. Very concerning. 

Kimputer replied:

Because emails can take multiple hops, the scanner is probably set to only search for the last hop.
Headers are human readable though, so just read it yourself.

If headers show the email is coming from the source it always came from, then obviously it's sent from there, because the hacker controls the user's Outlook, or has the login credentials to do it from OWA (and obviously deletes his trails from the Sent Items).

Obviously, if someone has the login credentials, no scanner will ever detect it. How can you detect with software that I got his email user and password from a crumpled-up paper in the recycle bin (just an example of how a password can be "stolen", if the user had ever written it down)?

So possibilities:
- Rootkit probably won't be detected by scanners. Try offline scanning as well.
- If login credentials are compromised, log in and check the account access history (check all IP numbers). Or check your own OWA access logs if there's only an on-premises mail server.
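Kimputer's point that the headers can simply be read by hand, as an added example that is not from the thread: a Python script that pulls the original message out of a forward-as-attachment .eml (the message/rfc822 part) and walks its Received: chain oldest-first, so the hop a last-hop-only scanner never shows becomes the first entry. The sample .eml, host names and addresses are constructed; a forward pasted inline carries no original headers at all, and the script then falls back to the forwarder's own hops.

```python
import re
import email
from email import policy

# Constructed sample (not from the thread): the outer message is the user's
# forward-as-attachment; the message/rfc822 part is the suspicious original.
SAMPLE_EML = b"""\
Received: from mail.example.net ([192.0.2.10]) by mx.analyst.example; Mon, 25 Oct 2021 09:00:00 +0000
From: user@example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from EXCHANGE (EXCHANGE.domain.local [10.0.0.5]) by exchange.domain.local; Mon, 25 Oct 2021 05:01:05 +0000
Received: from [203.0.113.77] by EXCHANGE with ESMTPA; Mon, 25 Oct 2021 05:01:00 +0000
From: ceo@domain.local
Subject: Urgent wire transfer

Please process the attached invoice today.
--b1--
"""
# "from <helo> (<reverse-dns> [<ip>]) ... by <server>"; the parenthesised part is optional.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s*\((?P<rev>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)")


def find_original(msg):
    # Inline forwards have no message/rfc822 part: only the forwarder's hops survive.
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return msg


def hops(msg):
    # Relays prepend Received: headers (newest first); reverse for the path actually taken.
    chain = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())  # unfold continuation lines
        m = RECEIVED_RE.search(text)
        chain.append({"from": m["helo"] if m else "?", "rev": (m["rev"] or "") if m else "",
                      "by": m["by"] if m else "?", "date": text.rsplit(";", 1)[-1].strip()})
    return chain


def analyse(eml_bytes):
    # Summarise a forwarded .eml: which message we see and where it entered the mail system.
    outer = email.message_from_bytes(eml_bytes, policy=policy.default)
    original = find_original(outer)
    chain = hops(original)
    return {"attached_original": original is not outer, "from": str(original["From"]),
            "chain": chain, "first_hop": chain[0] if chain else None}
```

A first hop authenticated (ESMTPA) against the organisation's own server from an unfamiliar address points at used credentials rather than spoofing, which is the distinction Kimputer draws above.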
WORKS2011 replied:

Appreciate the quick response. I'm checking the email in question from the Exchange server using EAC / Delivery Reports. The compromised email shows up here but it doesn't show up in my client's Outlook Sent folder. I find it interesting that in the delivery report search results I can click on emails before and after the compromised email and review the delivery report. However, when I click on the compromised one it asks for my password.
Kimputer replied:

As I said already, any hacker would want to delete their own traces, and finding the mail in your Sent Items is highly unlikely.
Did the user already change the password? May I suggest you try to implement a Multi Factor Authentication solution?
David replied:

If you enter your admin password, does it show anything? Many times in a forwarded message it shows information in the text part of the message.
Do you append/prepend a disclaimer on messages received from outside the domain?
Seth Simmons replied (solution visible to Experts Exchange members only).

WORKS2011 replied:

@kimputer, we're using DUO for 2FA and one of the users is also using LastPass. The other person this happened to was in Europe traveling the last two weeks. I still need to scan her laptop and am suspicious that there's something on her computer.

@David, I'll create a new admin account and test. Yes we use a disclaimer. 

@Seth, they sent me the email in an attachment as an EML file. The EML viewer I'm using didn't show much info. 
WORKS2011 replied:

Can't say for sure what was happening, but after creating an alternate admin account I logged in and it appears DUO was running a configuration script. I completed the DUO setup and the below message popped up. Makes me wonder if this email got around DUO somehow. DUO logs don't show anything out of place.

No sign of this email in the users sent items or any indication on the exchange server that anything is out of place. I am running deep scans including the memory and checking all the AD accounts to make sure no unknown admin accounts were created.

For some reason, I feel IIS was compromised? Thoughts?

  Delivery Report for (
  10/25/2021 5:01 AM EXCHANGE
  The message was submitted to exchange.domain.local.
  10/25/2021 5:01 AM exchange.domain.local
  Message was received by exchange.domain.local from EXCHANGE.domain.local.
  10/25/2021 5:01 AM exchange.domain.local
  The message was successfully handed off to a different email system. This is as far as we can track it.
WORKS2011 replied:

David, I found more information to look for after a deep scan came back with a bug, "Generic.Webshell.X.3CAB5A63", and none of the scripting or search words like "load" were in the header information.

Seth, they forwarded me the original email, and that's exactly what I ended up doing. Thanks.
I'm opening another post to discuss the bug found and what I'm finding out as I research.

Deep scan found:
  C:\ProgramData\ZING\BcByz\mrmrki.aspx
  Threat Name: Generic.Webshell.X.3CAB5A63
  Final Status: Deleted