============================================================
  Email & Phishing Analysis
============================================================

  Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links.

────────────────────────────────────────────────────────────

  Step 1: Header Analysis
  Tools: emldump-py, mail-parser
  Parse the message headers: emldump.py <email.eml>. Check:
  Received headers (delivery path; read bottom-up to reach the
  originating host), Return-Path vs From (a mismatch suggests
  spoofing), SPF/DKIM results, X-Mailer.

    $ emldump.py message.eml
    $ python3 -c "import mailparser; mail = mailparser.parse_from_file('<email.eml>'); print(mail.subject)"

  Step 2: Attachment Extraction
  Tools: emldump-py, msg-extractor
  Extract attachments: list the MIME parts with emldump.py
  <email.eml>, then dump a part by index with -s <n> -d. For
  Outlook MSG format: extract_msg <email.msg> (msg-extractor
  package). List all attachments with types and sizes.

    $ emldump.py message.eml
    $ emldump.py -s <n> -d message.eml > attachment.bin
    $ extract_msg <email.msg>

  Step 3: Attachment Triage
  Tools: file, trid, yara, sha256sum
  For each attachment: identify type, compute hash, scan
  with YARA. Route to appropriate workflow: Document
  Analysis (Office/PDF), Static Analysis (PE),
  JavaScript Deobfuscation (JS/HTML).

    $ file specimen.exe
    $ trid document.doc
    $ yara <rules.yar> specimen.bin

  Step 4: Link Analysis
  Tools: unfurl
  Extract all URLs from email body and headers. Use
  Unfurl to decompose URLs (reveal tracking pixels,
  redirect chains, encoded parameters).

    $ unfurl parse <url>

  Step 5: Payload Analysis
  Analyze extracted attachments using the appropriate
  workflow. Common patterns: Office doc with macro →
  downloads PE, PDF with link → credential harvester,
  HTML attachment → phishing page.

  Step 6: Document IOCs
  Record: sender address and IP, subject line,
  attachment names and hashes, all URLs, C2/phishing
  domains, email infrastructure (mail server names).
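
  One way to run Steps 1-4 and 6 on a message offline, added here as an example (it is not code from emldump.py, mail-parser, msg-extractor or the fhelp project). It uses only the Python standard library; the sample message, its domains and IPs are constructed for the example and are not real indicators. Pass a real .eml path on the command line to triage a captured message instead.

```python
"""Offline .eml triage covering Steps 1-4 and 6 of the workflow.

Added example; not code from emldump.py, mail-parser or msg-extractor.
The sample message below is constructed (reserved example domains and
documentation IP ranges), so nothing in it is a real indicator.
"""
import email
import email.policy
import hashlib
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed attachment body: an HTML file that redirects the browser.
ATTACHMENT_BYTES = b"<html><script>location='https://example-attacker.test/p'</script></html>"

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
HOP_RE = re.compile(r"from\s+(\S+)\s*\(([^)]*)\)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def build_sample_eml() -> bytes:
    """Constructed phishing-style message (not a real capture)."""
    msg = EmailMessage()
    msg["Return-Path"] = "<bounce@mail.example-attacker.test>"
    # Received headers stack newest-first: the top one is the last hop.
    msg["Received"] = ("from mail.example-attacker.test (mail.example-attacker.test [203.0.113.10]) "
                       "by mx.victim.test with ESMTP id abc123; Mon, 01 Jan 2024 10:00:00 +0000")
    msg["Received"] = ("from [198.51.100.7] (unknown [198.51.100.7]) "
                       "by mail.example-attacker.test with SMTP; Mon, 01 Jan 2024 09:59:58 +0000")
    msg["Authentication-Results"] = "mx.victim.test; spf=fail smtp.mailfrom=example-attacker.test; dkim=none"
    msg["From"] = '"IT Helpdesk" <helpdesk@victim.test>'
    msg["To"] = "user@victim.test"
    msg["Subject"] = "Password expires today"
    msg["X-Mailer"] = "PHPMailer 6.0"
    msg.set_content('<p>Reset now: <a href="https://login.victim.test.example-attacker.test/'
                    'reset?u=dXNlcg==">here</a></p>', subtype="html")
    msg.add_attachment(ATTACHMENT_BYTES, maintype="application", subtype="octet-stream",
                       filename="invoice.html")
    return msg.as_bytes()


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def route(filename: str) -> str:
    """Step 3 routing by extension; the declared MIME type is sender-controlled,
    so confirm the real type with file/trid before trusting either."""
    ext = filename.rpartition(".")[2].lower()
    if ext in ("doc", "docx", "docm", "xls", "xlsx", "xlsm", "rtf", "pdf"):
        return "Document Analysis"
    if ext in ("exe", "dll", "scr"):
        return "Static Analysis"
    if ext in ("html", "htm", "js", "hta"):
        return "JavaScript Deobfuscation"
    return "Manual review"


def analyze_headers(msg) -> dict:
    """Step 1: envelope vs header sender, authentication results, delivery path."""
    from_dom = domain_of(str(msg.get("From", "")))
    rp_dom = domain_of(str(msg.get("Return-Path", "")))
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}
    hops = []
    for h in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(h).split()))  # unfold before matching
        if m:
            ip = IP_RE.search(m.group(2))
            hops.append({"helo": m.group(1), "ip": ip.group(1) if ip else None})
    hops.reverse()  # chronological order: originating host first
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            # A mismatch is a lead, not a verdict: bulk senders legitimately differ.
            "sender_mismatch": from_dom != rp_dom, "auth": auth, "hops": hops,
            "origin_ip": hops[0]["ip"] if hops else None, "x_mailer": str(msg.get("X-Mailer", ""))}


def list_attachments(msg) -> list:
    """Steps 2-3: name, declared type, size, SHA-256 and target workflow per attachment."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        out.append({"name": name, "declared_type": part.get_content_type(), "size": len(data),
                    "sha256": sha256_hex(data), "workflow": route(name)})
    return out


def extract_urls(msg) -> list:
    """Step 4: URLs from header values and every non-attachment text part, deduplicated."""
    texts = [str(v) for v in msg.values()]
    texts += [p.get_content() for p in msg.walk()
              if p.get_content_maintype() == "text" and not p.is_attachment()]
    seen = []
    for t in texts:
        seen += [u for u in URL_RE.findall(t) if u not in seen]
    return seen


def iocs(raw: bytes) -> dict:
    """Step 6: one IOC record for the case notes."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hdr, urls = analyze_headers(msg), extract_urls(msg)
    return {"sender": parseaddr(str(msg.get("From", "")))[1],
            "return_path": parseaddr(str(msg.get("Return-Path", "")))[1],
            "subject": str(msg.get("Subject", "")), "origin_ip": hdr["origin_ip"],
            "mail_servers": [h["helo"] for h in hdr["hops"]], "sender_mismatch": hdr["sender_mismatch"],
            "auth": hdr["auth"], "attachments": list_attachments(msg), "urls": urls,
            "url_domains": sorted({urlsplit(u).hostname for u in urls})}


if __name__ == "__main__":
    import json, sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_eml()
    print(json.dumps(iocs(raw), indent=2))
```

  On the sample the record flags the Return-Path/From domain mismatch, the spf=fail result, the originating IP 198.51.100.7 taken from the bottom-most Received header, the lookalike reset URL, and an HTML attachment hashed and routed to JavaScript Deobfuscation.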

────────────────────────────────────────────────────────────
  Tip: 'fhelp cheat <tool>' for full examples
       'Ctrl+G' for interactive cheatsheet browser
