Email Hunting and Detection Cheat Sheet

Version 1.0
Mehmet Ergene @Cyb3rMonk

Each entry below gives the attribute, the technique to apply to the email data, and what to look for in the result.

Attribute: Sender IP
Technique: Calculate the email count by SenderIP and SenderDomain, ordered by SenderDomain. If possible, calculate the email count per SenderIP for each SenderDomain.
What to look for: More than one IP for the same SenderDomain, with a small email count for one of the IPs, may indicate domain spoofing or phishing. Exclude known email service provider domains such as Gmail, Hotmail and Yahoo, and focus on corporate domains.

Attribute: Sender Domain
Technique: Get a list of the brands most used in phishing attacks (Vade Secure publishes a top 25). Generate lookalike domains of these domains with dnstwist or any other tool.
What to look for: Search for emails that come from these lookalike domains. Apply the same technique to your own domain(s).
Technique: Detect sender domains that are seen for the first time in the environment.
What to look for: Check the domain age. Newly registered domains may be malicious.

Attribute: Sender Address
Technique: Calculate the email count per SenderAddress-RecipientAddress and RecipientAddress-SenderAddress for the same SenderAddress and RecipientAddress (bidirectional traffic).
What to look for: A high number of inbound and outbound emails might indicate C2 over email. A high number of outbound emails between the same sender and recipient might indicate data exfiltration.

Attribute: From Address
Technique: Calculate dcount(SenderIP) by FromAddress.
What to look for: Two different IPs for the same FromAddress may indicate phishing. Whitelist secondary IPs if the domain and IP are known.

Attribute: Recipient Address
Technique: Calculate the email count per SenderAddress-RecipientAddress and RecipientAddress-SenderAddress for the same SenderAddress and RecipientAddress (bidirectional traffic).
What to look for: A high number of inbound and outbound emails might indicate C2 over email. A high number of outbound emails between the same sender and recipient might indicate data exfiltration.

Attribute: Recipient Domain
Technique: Calculate the sum of email size per RecipientDomain for outbound emails.
What to look for: Higher values may indicate data exfiltration.

Attribute: URL Info
Technique: Calculate the URL and/or URL domain count for the last 24h.
What to look for: Small values may indicate a spear-phishing URL. High values may be phishing or marketing/spam.
Technique: Correlate URL info with other logs. The guide can be found here.
What to look for: Follow the guide.

Attribute: Attachment Info
Technique: Attachment info requires pivoting and correlation. The related guide is here.
What to look for: Follow the guide.

Attribute: Size
Technique: Calculate the sum of email size per RecipientAddress or SenderAddress for outbound emails for the last 24h or longer.
What to look for: Higher values may indicate data exfiltration.

Attribute: Forwarding Rules
Technique: Periodically check forwarding rules in mailboxes and gateways.
What to look for: Suspicious email addresses as forwarding targets. May indicate data exfiltration.
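The aggregations from the Sender IP, From Address, Sender/Recipient Address, Recipient Domain and Size entries, run over a constructed email gateway log. This is an added example, not the cheat sheet author's code: the cheat sheet's queries are written for a KQL-style log store (dcount), while this version runs offline in Python. Column names follow the cheat sheet; the Direction column, the example.com organisation, the sample records, the freemail list and every threshold are assumptions to be tuned against your own baseline.

```python
"""Cheat-sheet aggregations over a constructed email gateway log (added example,
not the cheat sheet author's code; Direction, the example.com organisation,
the records and every threshold are assumptions)."""
from collections import Counter, defaultdict

FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}  # excluded per Sender IP entry


def rec(ip, sender, frm, rcpt, direction, size):
    """One log record; SenderAddress is the envelope sender, FromAddress the header From."""
    return {"SenderIP": ip, "SenderAddress": sender, "SenderDomain": sender.split("@")[1],
            "FromAddress": frm, "RecipientAddress": rcpt, "RecipientDomain": rcpt.split("@")[1],
            "Direction": direction, "Size": size}


# Constructed sample log; `* n` repeats the same record n times (records are never mutated).
SAMPLE_LOG = (
    # acme-corp.com normally delivers through 203.0.113.10, then one message with the
    # same From arrives from an unrelated IP.
    [rec("203.0.113.10", "billing@acme-corp.com", "billing@acme-corp.com", "alice@example.com", "Inbound", 18_000)] * 6
    + [rec("198.51.100.7", "billing@acme-corp.com", "billing@acme-corp.com", "alice@example.com", "Inbound", 9_000)]
    # Freemail legitimately arrives from many IPs and is excluded from the Sender IP check.
    + [rec("209.85.220.41", "dave@gmail.com", "dave@gmail.com", "alice@example.com", "Inbound", 4_000),
       rec("209.85.220.42", "dave@gmail.com", "dave@gmail.com", "alice@example.com", "Inbound", 4_000)]
    # bob@example.com and one external mailbox exchange small messages in both directions.
    + [rec("192.0.2.55", "ops@c2-relay.net", "ops@c2-relay.net", "bob@example.com", "Inbound", 1_200)] * 5
    + [rec("10.0.0.25", "bob@example.com", "bob@example.com", "ops@c2-relay.net", "Outbound", 1_100)] * 5
    # carol@example.com sends many large messages one way to a single external mailbox.
    + [rec("10.0.0.25", "carol@example.com", "carol@example.com", "drop@storage-host.net", "Outbound", 4_500_000)] * 8
    # Ordinary low-volume outbound correspondence.
    + [rec("10.0.0.25", "alice@example.com", "alice@example.com", "partner@acme-corp.com", "Outbound", 15_000)] * 2
)


def sender_ip_anomalies(log, min_share=0.2):
    """Sender IP entry: email count per SenderIP for each inbound corporate SenderDomain;
    flag domains seen from several IPs where one IP carries a small share of the mail."""
    by_domain = defaultdict(Counter)
    for r in log:
        if r["Direction"] == "Inbound" and r["SenderDomain"] not in FREEMAIL:
            by_domain[r["SenderDomain"]][r["SenderIP"]] += 1
    findings = []
    for domain, ips in sorted(by_domain.items()):
        total = sum(ips.values())
        if len(ips) > 1:
            findings += [(domain, ip, n, total) for ip, n in ips.items() if n / total < min_share]
    return findings


def from_address_ip_dcount(log, allowlist=frozenset()):
    """From Address entry: dcount(SenderIP) by FromAddress, returning addresses seen from
    more than one IP; allowlist holds known-good (domain, ip) pairs to whitelist."""
    ips = defaultdict(set)
    for r in log:
        if r["Direction"] == "Inbound" and (r["FromAddress"].split("@")[1], r["SenderIP"]) not in allowlist:
            ips[r["FromAddress"]].add(r["SenderIP"])
    return {addr: sorted(s) for addr, s in ips.items() if len(s) > 1}


def pair_traffic(log):
    """Sender/Recipient Address entries: inbound and outbound counts per
    (internal address, external address) pair, i.e. bidirectional traffic."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "out_bytes": 0})
    for r in log:
        if r["Direction"] == "Inbound":
            stats[(r["RecipientAddress"], r["SenderAddress"])]["in"] += 1
        else:
            s = stats[(r["SenderAddress"], r["RecipientAddress"])]
            s["out"] += 1
            s["out_bytes"] += r["Size"]
    return stats


def classify_pairs(stats, c2_min=4, exfil_min=6):
    """Steady traffic both ways suggests C2 over email; a mostly one-way run of
    outbound mail to one recipient suggests exfiltration. Thresholds are assumptions."""
    verdicts = {}
    for pair, s in stats.items():
        if s["in"] >= c2_min and s["out"] >= c2_min:
            verdicts[pair] = "possible C2 over email"
        elif s["out"] >= exfil_min:
            verdicts[pair] = "possible data exfiltration"
    return verdicts


def outbound_size_by(log, column):
    """Recipient Domain and Size entries: sum of outbound Size per column value
    (RecipientDomain, RecipientAddress or SenderAddress), largest first."""
    totals = Counter()
    for r in log:
        if r["Direction"] == "Outbound":
            totals[r[column]] += r["Size"]
    return totals.most_common()


if __name__ == "__main__":
    print("sender IP anomalies:", sender_ip_anomalies(SAMPLE_LOG))
    print("From with >1 IP:", from_address_ip_dcount(SAMPLE_LOG, {("gmail.com", "209.85.220.42")}))
    print("pair verdicts:", classify_pairs(pair_traffic(SAMPLE_LOG)))
    print("outbound bytes by domain:", outbound_size_by(SAMPLE_LOG, "RecipientDomain"))
```

On the sample log the Sender IP check flags 198.51.100.7 as the odd IP out for acme-corp.com, the From Address check reports the same address from two IPs (and dave@gmail.com until its second IP is whitelisted), the pair statistics separate the balanced bob/ops exchange (C2 pattern) from carol's one-way bulk sending (exfiltration pattern), and the size sum puts storage-host.net at the top. Against real data, run each function over a 24h or longer window and compare to the prior baseline rather than to fixed thresholds.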
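The two Sender Domain techniques, lookalike generation for phished brands and for your own domain plus the first-seen and domain-age check, as an added example that is not the cheat sheet author's code and is not dnstwist (it reproduces a handful of dnstwist's permutation types so the matching runs offline; use dnstwist itself for real hunting). The brand list, observed sender domains, historical baseline and registration dates are constructed; a real run would take them from Vade Secure's list, the mail log, a baseline query over the previous weeks, and a WHOIS/RDAP lookup.

```python
"""Sender Domain entries: dnstwist-style lookalike generation, first-seen and
domain-age checks. Added example, not the cheat sheet author's code and not
dnstwist; brands, observed domains, baseline and registration dates are constructed."""
from datetime import date

# Single-character substitutions attackers use; dnstwist carries a far larger map.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "a": "4", "e": "3", "s": "5", "m": "rn", "w": "vv"}
ALT_TLDS = ("com", "net", "org", "co")
KEYWORDS = ("secure", "login", "support")


def lookalikes(domain):
    """Return lookalike domains for `domain` (second-level label plus TLD)."""
    name, _, tld = domain.rpartition(".")
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])                       # omission:      micrsoft
        names.add(name[:i] + name[i] + name[i:])                 # repetition:    microssoft
        if name[i] in HOMOGLYPHS:                                # homoglyph:     micros0ft
            names.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
    for i in range(len(name) - 1):                               # transposition: mircosoft
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(1, len(name)):                                # hyphenation:   micro-soft
        names.add(name[:i] + "-" + name[i:])
    for kw in KEYWORDS:                                          # keyword:       microsoft-login
        names.update({f"{name}-{kw}", f"{kw}-{name}"})
    names.discard(name)
    result = {f"{n}.{tld}" for n in names}
    result.update(f"{name}.{t}" for t in ALT_TLDS if t != tld)  # TLD swap:      microsoft.co
    return result


def match_lookalikes(observed, brands):
    """Map each observed sender domain that is a lookalike to the brand it imitates."""
    table = {}
    for brand in brands:
        for cand in lookalikes(brand):
            table.setdefault(cand, brand)
    return {d: table[d] for d in observed if d in table}


def first_seen_domains(observed, baseline):
    """Sender domains not present in the historical baseline."""
    return sorted(set(observed) - set(baseline))


def newly_registered(domains, creation_dates, today, max_age_days=30):
    """Domains registered within max_age_days; a domain with no known creation date
    is reported with age None because an unknown age still deserves a look.
    creation_dates stands in for a WHOIS/RDAP lookup (constructed here)."""
    flagged = {}
    for d in domains:
        created = creation_dates.get(d)
        if created is None:
            flagged[d] = None
        elif (today - created).days <= max_age_days:
            flagged[d] = (today - created).days
    return flagged


# Constructed inputs.
BRANDS = ["microsoft.com", "paypal.com"]
OWN_DOMAIN = "example.com"
OBSERVED = ["micros0ft.com", "paypa1.com", "acme-corp.com", "example-secure.com",
            "paypal.co", "exarnple.com", "newvendor.io"]
BASELINE = {"acme-corp.com", "microsoft.com", "gmail.com"}
CREATION_DATES = {"micros0ft.com": date(2024, 5, 20), "example-secure.com": date(2024, 6, 1),
                  "acme-corp.com": date(2009, 3, 1), "newvendor.io": date(2018, 1, 1)}
TODAY = date(2024, 6, 10)

if __name__ == "__main__":
    print("lookalikes seen:", match_lookalikes(OBSERVED, BRANDS + [OWN_DOMAIN]))
    new = first_seen_domains(OBSERVED, BASELINE)
    print("first seen:", new)
    print("young or unknown age:", newly_registered(new, CREATION_DATES, TODAY))
```

Generating the candidate set once and matching the log against it is far cheaper than fuzzy-comparing every observed domain with every brand, which is why the cheat sheet (and dnstwist) work from a precomputed list. newvendor.io shows the other half of the technique: first seen in the environment but registered years ago, so it drops out of the age check and only needs a lighter review.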
