============================================================
Email & Phishing Analysis
============================================================

Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links.

────────────────────────────────────────────────────────────

Step 1: Header Analysis
Tools: emldump-py, mail-parser
Parse the SMTP headers with emldump.py. Check: Received headers (delivery path), Return-Path vs From (spoofing), SPF/DKIM results, X-Mailer.
  $ emldump.py message.eml
  $ python3 -c "import mailparser; mail = mailparser.parse_from_file(''); print(mail.subject)"

Step 2: Attachment Extraction
Tools: emldump-py, msg-extractor
Extract attachments with emldump.py -d. For MSG format, use msg-extractor. List all attachments with types and sizes.
  $ emldump.py message.eml
  $ extract_msg

Step 3: Attachment Triage
Tools: file, trid, yara, sha256sum
For each attachment: identify the type, compute the hash, scan with YARA. Route to the appropriate workflow: Document Analysis (Office/PDF), Static Analysis (PE), JavaScript Deobfuscation (JS/HTML).
  $ file specimen.exe
  $ trid document.doc
  $ yara-rules specimen.bin

Step 4: Link Analysis
Tools: unfurl
Extract all URLs from the email body and headers. Use Unfurl to decompose URLs (reveal tracking pixels, redirect chains, encoded parameters).
  $ unfurl parse

Step 5: Payload Analysis
Analyze extracted attachments using the appropriate workflow. Common patterns: Office doc with macro → downloads PE, PDF with link → credential harvester, HTML attachment → phishing page.

Step 6: Document IOCs
Record: sender address and IP, subject line, attachment names and hashes, all URLs, C2/phishing domains, email infrastructure (mail server names).

────────────────────────────────────────────────────────────

Tip: 'fhelp cheat ' for full examples
     'Ctrl+G' for interactive cheatsheet browser
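As an added example that is not part of this cheatsheet or of any tool it lists, the script below runs a first pass over Steps 1 through 6 with only the Python standard library: Return-Path vs From comparison, SPF/DKIM verdicts from Authentication-Results, the Received delivery path, attachment hashing with a magic-byte routing table, URL extraction, and the resulting IOC record. SAMPLE_EML is a constructed message using documentation addresses and domains, and the ROUTES table is a hypothetical mapping to the workflows Step 3 names.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
# Constructed sample (not from a real incident): spoofed From, failing SPF, a lure URL and a PE-like attachment.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from relay.example.net (relay.example.net [198.51.100.7]) by mx.example.com; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [203.0.113.9] by relay.example.net; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "IT Support" <helpdesk@example.com>
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset now: https://login.example.org/reset?u=dXNlcg
--b1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.exe"

TVogZmFrZQ==
--b1--
"""
# Step 3 routing by magic bytes (hypothetical table, not from the cheatsheet); anything else gets manual review.
ROUTES = {b"MZ": "Static Analysis (PE)", b"%PDF": "Document Analysis (PDF)", b"\xd0\xcf\x11\xe0": "Document Analysis (Office)"}

def triage(raw: bytes) -> dict:
    """Steps 1-4 on one message, returned as the Step 6 IOC record plus header-check flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr, return_path = (parseaddr(str(msg.get(h, "")))[1] for h in ("From", "Return-Path"))
    spf, dkim = (re.search(rf"\b{k}=(\w+)", str(msg.get("Authentication-Results", ""))) for k in ("spf", "dkim"))
    hops = msg.get_all("Received", [])[::-1]  # newest hop is listed first; reverse to read the delivery path
    ips = [ip for h in hops for ip in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", str(h))]
    attachments, urls = [], set()
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)
            route = next((w for magic, w in ROUTES.items() if data.startswith(magic)), "Manual review")
            attachments.append({"name": part.get_filename(), "size": len(data),
                                "sha256": hashlib.sha256(data).hexdigest(), "route": route})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(re.findall(r"https?://[^\s\"'<>]+", part.get_content()))
    return {"from": from_addr, "return_path": return_path, "subject": str(msg.get("Subject", "")),
            "sender_mismatch": from_addr.rpartition("@")[2].lower() != return_path.rpartition("@")[2].lower(),
            "spf": spf.group(1) if spf else "none", "dkim": dkim.group(1) if dkim else "none",
            "sender_ips": ips, "attachments": attachments, "urls": sorted(urls)}
```

Feed a real .eml to triage() after emldump.py has confirmed the structure; the mismatch, SPF and DKIM flags tell you which Step 1 findings to write up, and the attachment routes tell you which workflow each specimen goes to next.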