WORKS2011
asked:

Locating the Source of a Phishing Attempt and Email Header Analysis Question

Is it possible to scan the original email header of a forwarded email? When I check the header information from a forwarded phishing attack email it appears it's only analyzing the last hop and not the original. 


It appears someone sent an email from my client's actual email address and does not appear to be a phishing email. As of now, there is no indication how this happened. Has anyone seen anything like this before? 


Ran full scans on all the devices on the network and everything is coming back clean. On-premise exchange server, PDC, professional firewall, 12 WIN10 Pro workstations, everything is patched. 


I did have one person travel to Europe with a laptop and recently just got back. The last time a client traveled overseas there was a substantial amount of attacks after they returned. Very concerning. 

Tags: Exchange, Email Servers, Cyber Security


8/22/2022 - Mon
Kimputer

Because emails can take multiple hops, the scanner is probably set to only search for the last hop.
Headers are human readable though, so just read it yourself.

If headers show the email is coming from the source it always came from, then obviously it's sent from there, because the hacker controls the user's Outlook, or has the login credentials to do it from OWA (and obviously deletes his trails from the Sent Items).

Obviously, if someone has the login credentials, no scanner will ever detect it. How can you detect with software that I got his email user and password from a crumpled-up paper in the recycle bin (just an example of how a password can be "stolen", if the user ever wrote it down)?

So possibilities:
- Rootkit probably won't be detected by scanners. Try offline scanning as well.
- If login credentials are compromised, log in to Office.com and check the account access history (check all IP numbers). Or check your own OWA access logs if there's only an on-premise mail server presence.
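Reading the hops yourself, as Kimputer suggests, is easier with a small script, especially when the report arrives as an .eml whose original message is attached as message/rfc822 (the case the asker describes later in the thread). The following is an added example, not code from the thread or from any product mentioned here. Every host, IP address, mailbox and SMTP id in the sample is constructed. It picks out the attached original, walks its Received chain in delivery order (oldest hop first), and flags whether the first hop was an authenticated submission, which is the "someone has the credentials" pattern this answer describes.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed sample (no real hosts, addresses or IPs): a user forwards a
# suspicious message to the admin with the original attached as message/rfc822.
FORWARDED_EML = b"""\
Received: from exchange.domain.local (exchange.domain.local [10.0.0.5])
 by exchange.domain.local; Mon, 25 Oct 2021 09:10:00 -0400
From: user@client.example
To: admin@client.example
Subject: Fwd: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer-boundary"

--outer-boundary
Content-Type: text/plain

Forwarding the message in question as an attachment.

--outer-boundary
Content-Type: message/rfc822

Received: from exchange.domain.local (exchange.domain.local [10.0.0.5])
 by mx.partner.example with ESMTPS; Mon, 25 Oct 2021 05:01:30 -0400
Received: from [198.51.100.23] (unknown [198.51.100.23])
 by exchange.domain.local with ESMTPSA id 4HdRq; Mon, 25 Oct 2021 05:01:05 -0400
Authentication-Results: mx.partner.example; spf=pass smtp.mailfrom=client.example
From: user@client.example
To: victim@partner.example
Subject: Invoice
Date: Mon, 25 Oct 2021 05:01:00 -0400
Content-Type: text/plain

Please see the attached invoice.

--outer-boundary--
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def original_message(raw):
    """Return (message, True) for an attached original, else (report, False).
    Without the attachment only the forwarding hop's headers are available."""
    outer = BytesParser(policy=policy.default).parsebytes(raw)
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0), True
    return outer, False


def parse_received(value):
    """Break one Received header into the fields an analyst looks at."""
    text = " ".join(value.split())                    # unfold continuation lines
    clauses, _, date_part = text.rpartition(";")      # timestamp follows the last ';'
    from_m = re.search(r"\bfrom\s+(\S+)", clauses)
    by_m = re.search(r"\bby\s+(\S+)", clauses)
    from_text = clauses.split(" by ")[0]              # only the sending side's IP
    ip_m = IP_RE.search(from_text)
    return {
        "from": from_m.group(1) if from_m else None,
        "from_ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group(1) if by_m else None,
        # ESMTPA / ESMTPSA means the relay accepted the message from an
        # authenticated client, i.e. someone presented valid credentials.
        "authenticated": bool(re.search(r"\bwith\s+E?SMTPS?A\b", clauses)),
        "time": parsedate_to_datetime(date_part.strip()) if date_part.strip() else None,
    }


def received_chain(msg):
    """Relays prepend Received headers, so the top one is the last hop;
    reverse to get delivery order with the origin first."""
    return [parse_received(str(h)) for h in reversed(msg.get_all("Received", []))]


def analyze(raw):
    msg, from_attachment = original_message(raw)
    hops = received_chain(msg)
    return {
        "analyzed_attachment": from_attachment,
        "hop_count": len(hops),
        "origin_ip": hops[0]["from_ip"] if hops else None,
        "origin_authenticated": hops[0]["authenticated"] if hops else False,
        "auth_results": msg.get("Authentication-Results"),
        "hops": hops,
    }


if __name__ == "__main__":
    result = analyze(FORWARDED_EML)
    for n, hop in enumerate(result["hops"], 1):
        print(f"hop {n}: {hop['from']} ({hop['from_ip']}) -> {hop['by']} "
              f"at {hop['time']} authenticated={hop['authenticated']}")
    print("origin authenticated submission:", result["origin_authenticated"])
```

In the constructed sample the first hop is an authenticated submission to the client's own Exchange server from an address outside the network, which is why the recipient's SPF check passes and why nothing looks forged: the message really did leave the legitimate server. That is the signal to go to the account's access logs rather than to the mail filter.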
WORKS2011

ASKER
Appreciate the quick response. I'm checking the email in question from the exchange server using EAC / Delivery Reports. The compromised email shows up here but it doesn't show up in my client's Outlook sent folder. I find it interesting in the delivery reports search results I can click on emails before and after the compromised email and review the delivery report. However, when I click on the compromised one it asks for my password.
Kimputer

As I said already, any hacker would want to delete their own traces, and finding the mail in your Sent Items is highly unlikely.
Did the user already change the password? May I suggest you try to implement a Multi Factor Authentication solution? https://help.eset.com/esa/30/en-US/
David Johnson, CD

If you enter your admin password, does it show anything? Many times in a forwarded message it shows information in the text part of the message.
Do you append/prepend a disclaimer on messages received from outside the domain?
ASKER CERTIFIED SOLUTION
Seth Simmons

WORKS2011

ASKER
@kimputer, we're using DUO for 2FA and one of the users is also using LastPass. The other person this happened to was in Europe traveling the last two weeks. I still need to scan her laptop and am suspicious if there's something on her computer.

@David, I'll create a new admin account and test. Yes we use a disclaimer. 

@Seth, they sent me the email in an attachment as an EML file. The EML viewer I'm using didn't show much info. 
WORKS2011

ASKER
Can't say for sure what was happening but after creating an alternate admin account I logged in and it appears DUO was running a configuration script. I completed the DUO setup and the below message popped up. Makes me wonder if this email got around DUO somehow. DUO logs don't show anything out of place. 

No sign of this email in the user's sent items or any indication on the exchange server that anything is out of place. I am running deep scans including the memory and checking all the AD accounts to make sure no unknown admin accounts were created.

For some reason, I feel IIS was compromised? Thoughts?

Delivery Report for email@email.com (email@email.com)
Submitted
10/25/2021 5:01 AM EXCHANGE
The message was submitted to exchange.domain.local.
Pending
10/25/2021 5:01 AM exchange.domain.local
Message was received by exchange.domain.local from EXCHANGE.domain.local.
Transferred
10/25/2021 5:01 AM exchange.domain.local
The message was successfully handed off to a different email system. This is as far as we can track it.
WORKS2011

ASKER
David, I found more information to look for after a deep scan came back with a bug, "Generic.Webshell.X.3CAB5A63" and none of the scripting or search words like "load" were in the header information.

Seth, they forwarded me the original email and exactly what I ended up doing. Thanks. 
WORKS2011

ASKER
I'm opening another post to discuss the bug found and what I'm finding out as I research.

Deep scan found: C:\ProgramData\ZING\BcByz\mrmrki.aspx
Threat Name: Generic.Webshell.X.3CAB5A63
Final Status: Deleted