From Panic Buttons to Payloads: A Technical Deep-Dive into Phishing Email Forensics + Video

Listen to this Post

Featured Image

Introduction:

Every email carries an invisible fingerprint—a detailed log within its headers that chronicles its journey across the internet. While cybercriminals grow increasingly adept at crafting convincing scams, the technical metadata embedded in every message remains their undoing. Mastering email header analysis is a foundational skill for cybersecurity professionals, enabling them to trace an email’s origin, verify its authenticity, and uncover signs of spoofing or malicious intent that bypass standard filters.

Learning Objectives:

  • Understand the critical fields within an email header and their forensic significance.
  • Apply command-line and manual techniques to extract and analyze headers across Linux, Windows, and webmail platforms.
  • Construct a step-by-step investigative workflow to identify phishing attempts, spoofing, and mail server misconfigurations.
  1. Extracting the Digital Fingerprint: How to Obtain Raw Email Headers

Before any analysis can begin, you must extract the full raw headers from the suspicious email. Different email clients require different methods:

Windows (Microsoft Outlook):

1. Open the suspicious email in Outlook.

2. Click File → Properties.

  1. Locate the Internet headers section and copy everything in the field.
  2. Paste the copied headers into a text editor or an online header analyzer.

Gmail (Web Interface):

1. Open the email.

2. Click the three vertical dots (More options).

3. Select “Show original”.

  1. Copy the entire contents of the pop-up window.

Linux / Command Line:

If you have the raw `.eml` file, use the following command to view the first 100 lines containing headers:

cat email.eml | head -1 100

Alternatively, to extract only the header section:

sed -1 '/^$/q;p' email.eml

Thunderbird:

1. Open the email.

2. Click View → Message Source.

3. Copy the complete source including headers.

  1. Reading the Authentication Trinity: SPF, DKIM, and DMARC

Modern email authentication relies on three core technologies that together make spoofing significantly harder. When analyzing headers, you must verify all three:

SPF (Sender Policy Framework): Lists which IP addresses or services are allowed to send mail for a domain.

DKIM (DomainKeys Identified Mail): Uses digital signatures attached to each message so recipients can verify the content was not altered and that the sending domain authorized it.

DMARC (Domain-based Message Authentication, Reporting & Conformance): Tells receiving servers what to do when SPF or DKIM fails.

Step-by-Step Guide:

Step 1: Paste the copied headers into the Microsoft Message Header Analyzer (https://mha.azurewebsites.net/) or MXToolbox Email Header Analyzer.

Step 2: Review the SPF, DKIM, and DMARC lines. Look for the authentication results:
– “Pass” → The email came from the domain listed.
– “Fail” or “SoftFail” → The email is likely spoofed.

Step 3: If SPF or DMARC fails, it is likely spoofing rather than actual account use.

Step 4: Check if the “From” address matches the “Return-Path” —a mismatch is a strong spoofing signal.

Step 5: Verify “Reply-To” vs “From” . If “From” is `[email protected]` but “Reply-To” is [email protected], it is a CEO Fraud attempt.

Linux Command-Line Authentication Check:

To manually verify SPF records using DNS:

dig +short TXT example.com | grep spf

To check DKIM signatures (requires the selector from headers):

dig +short TXT selector._domainkey.example.com

3. Tracing the Route: Analyzing the Received Chain

The sequence of `Received` headers tells the email’s travel story. Each mail transfer agent (MTA) that handles the message adds its own `Received` header at the top. Reading them from bottom to top reveals the journey of the email from its original source to your inbox.

Step-by-Step Guide:

Step 1: Isolate the `Received` lines:

grep -i "received:" email.eml

Step 2: Analyze from the bottom (oldest) entry to the top (most recent). The first `Received` line added by your final mail server; the last line (at the top) is from the originating server.

Step 3: Check IP addresses and hostnames. Use `dig` or `nslookup` to verify if the IP in an early `Received` line actually belongs to the claimed domain:

dig +short mail.suspicious-domain.com

Reverse DNS lookup on an IP from the header:

dig +short -x 192.0.2.100

Step 4: Look for invalid formatting, internal IPs (like 10.x.x.x, 192.168.x.x) in external mail flows—these are major red flags.

Step 5: Verify timestamps—check for unusual time discrepancies between `Date` and `Received` fields.

4. Payload Analysis: URLs, Attachments, and QR Codes

Once headers are analyzed, focus on the weaponized content.

URL Analysis (Links):

Step 1: Right-click the link and select “Copy Hyperlink” . DO NOT CLICK.

Step 2: Paste the URL into URLScan.io (https://urlscan.io) or VirusTotal (https://virustotal.com).

Step 3: Check if the displayed text matches the actual destination. For example, text says “Microsoft Login” but URL is login-update-security.xyz—this is phishing.

Step 4: Examine the domain—look for misspellings, extra words before or after the brand name, or unusual country extensions.

Linux Command-Line URL Analysis:

 Extract URLs from an email file
grep -oP '(https?|ftp)://[^\s<>"]+' email.eml

Check domain reputation using whois
whois suspicious-domain.com | grep -E "Creation Date|Registrar|Name Server"

Attachment Analysis:

Step 1: Save the attachment to a temporary folder.

Step 2: Generate the file hash (SHA256):

sha256sum suspicious_file.exe

On Windows PowerShell:

Get-FileHash -Path suspicious_file.exe -Algorithm SHA256

Step 3: Upload the hash to VirusTotal for multi-engine scanning.

Step 4: Check for dangerous file types—.htm/.html attachments (fake login pages) or `.one` (OneNote) files are common phishing vectors.

QR Code Analysis (“Quishing”):

Step 1: Take a screenshot of the QR code.

Step 2: Upload the image to a desktop QR decoder tool (e.g., `zxing.org` online decoder).

Step 3: Analyze the decoded URL using the steps above.

Never scan a QR code with your personal phone.

5. Automated Analysis: CLI Tools for Security Professionals

For SOC analysts and security researchers, several powerful command-line tools automate phishing email analysis.

PhishSage — CLI Toolkit for Email Phishing Analysis:

PhishSage parses raw `.eml` files and runs heuristic checks against headers, links, and attachments.

Installation:

pip install phishsage

Header Analysis:

phishsage headers -f email.eml --heuristics --enrich all --json -o results.json

Link Analysis with Heuristics:

phishsage links -f email.eml --heuristics --enrich virustotal redirects

Attachment Analysis:

phishsage attachments -f email.eml --enrich virustotal

WhoDAT — InfoSec Analyzer:

WhoDAT is a GUI-based tool that analyzes emails, URLs, headers, IPs, and attachments using free APIs.

Installation:

git clone https://github.com/calinux-py/WhoDAT.git
cd WhoDAT
pip install -r requirements.txt
python whodat.py

Configure API keys in `config/config.ini` for VirusTotal, Google Safe Browsing, URLScan, and OpenAI.

Email Header Analyzer (Web-Based):

For quick analysis, use:

  • Microsoft Message Header Analyzer: https://mha.azurewebsites.net
  • MXToolbox Email Headers Analyzer: https://mxtoolbox.com/EmailHeaders.aspx
  • Trustifi Email Analyzer: Paste full headers for a guided breakdown

6. Remediation and Incident Response

When a phishing email is confirmed, follow these steps:

Step 1: Search and Purge (Zero-hour Auto Purge – ZAP)
– Microsoft Defender Portal → Explorer
– Filter by Sender Address, Subject, or File Hash
– Select all → Actions → Soft Delete or Hard Delete

Step 2: Block the Sender

  • Defender Portal → Policies & Rules → Threat Policies → Tenant Allow/Block Lists
  • Add sender domain or address to Block list

Step 3: Submit to Microsoft

  • Defender Portal → Actions & Submissions → Submissions → Email

Step 4: Verify User Context

  • Ask the user: “Did you click any links or open any attachments?”
  • If Yes → Initiate the Compromised Endpoint SOP immediately

Step 5: Check Internal Sender Trap

  • If the sender is internal, SPF/DKIM will PASS even if the account is compromised
  • Check recent login logs for impossible travel or unusual IPs

7. Building a Security-Aware Culture

Technical controls alone are insufficient. Organizations must build human resilience.

Key Practices:

Make training regular, not one-and-done. Phishing simulations — where users who fail are sent into training mode — are widely considered a best practice.

Use real phishing examples and run simulated attacks. Create a culture where employees feel comfortable reporting suspicious emails.

Share lessons with the entire group, not just those who got duped—this helps people recognize scams more effectively.

Implement or tighten DMARC policy (e.g., from `p=none` to `p=quarantine` or p=reject) to mitigate spoofing.

Enforce Multi-Factor Authentication (MFA) for all users.

What Undercode Say:

  • Key Takeaway 1: Email headers are the digital fingerprint that exposes every phishing attempt. Mastering header analysis transforms security professionals from passive recipients to active investigators who can trace an email’s origin and verify its authenticity with forensic precision.

  • Key Takeaway 2: Authentication protocols—SPF, DKIM, and DMARC—are the technical backbone of email security. When these fail or are misconfigured, organizations become vulnerable to spoofing and impersonation attacks that bypass even the most sophisticated filters.

Analysis:

The phishing landscape is evolving rapidly. Attackers are leveraging AI to craft grammatically flawless emails, bypassing traditional red flags like spelling errors. However, the technical metadata—the headers—remains immune to AI improvement. Every forged email still leaves a forensic trail that can be uncovered through systematic analysis. The rise of “quishing” (QR code phishing) represents a new frontier, as QR codes bypass text-based scanners and endpoint detection. Security teams must adapt by incorporating QR code analysis into their workflows and training employees to treat QR codes with the same suspicion as traditional links. The most effective defense combines technical rigor with human vigilance—automated tools catch the obvious, but trained eyes catch the sophisticated.

Prediction:

  • +1 As AI-generated phishing becomes indistinguishable from legitimate communications, email header analysis will emerge as the primary forensic differentiator—a skill that AI cannot replicate and attackers cannot forge.
  • +1 The adoption of DMARC enforcement policies (p=reject) will accelerate dramatically in 2026-2027, driven by regulatory pressure and the realization that spoofing protection is no longer optional.
  • +1 CLI-based forensic tools like PhishSage and WhoDAT will become standard equipment for SOC analysts, replacing manual header parsing with automated, repeatable workflows.
  • -1 The proliferation of QR code phishing (“quishing”) will outpace detection capabilities in 2026, as most email security filters still lack native QR code analysis.
  • -1 Small and medium businesses will remain disproportionately vulnerable due to limited IT resources and the misconception that “we’re too small to be targeted” — despite attackers specifically targeting these organizations as entry points to larger supply chains.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Skyviewtek Cybersecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky