# Email & Phishing Analysis

> Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links.

## Steps

### Step 1: Header Analysis

**Tools:** [[tools/emldump-py|emldump-py]], [[tools/mail-parser|mail-parser]]

Parse the SMTP headers with emldump.py. Check: Received headers (delivery path, read bottom-up), Return-Path vs From (envelope/header spoofing), SPF/DKIM results in Authentication-Results, X-Mailer.

```bash
emldump.py message.eml
python3 -c "import mailparser; mail = mailparser.parse_from_file('message.eml'); print(mail.subject)"
```

### Step 2: Attachment Extraction

**Tools:** [[tools/emldump-py|emldump-py]], [[tools/msg-extractor|msg-extractor]]

Extract attachments with emldump.py -d. For MSG format, use msg-extractor. List all attachments with types and sizes.

```bash
emldump.py message.eml                            # list MIME parts with index, type and size
emldump.py -s 3 -d message.eml > attachment.bin   # -s selects a part index (3 is a placeholder), -d dumps its decoded bytes
extract_msg message.msg                           # Outlook .msg (placeholder file name): writes body and attachments to a folder
```

### Step 3: Attachment Triage

**Tools:** [[tools/file|file]], [[tools/trid|trid]], [[tools/yara|yara]], [[tools/sha256sum|sha256sum]]

For each attachment: identify the type, compute the hash, scan with YARA. Route to the appropriate workflow: Document Analysis (Office/PDF), Static Analysis (PE), JavaScript Deobfuscation (JS/HTML).

```bash
file specimen.exe
trid document.doc
sha256sum specimen.bin
yara rules.yar specimen.bin   # rules.yar: your YARA rule file (placeholder name)
```

### Step 4: Link Analysis

**Tools:** [[tools/unfurl|unfurl]]

Extract all URLs from the email body and headers. Use Unfurl to decompose URLs (reveal tracking pixels, redirect chains, encoded parameters).

```bash
unfurl parse "<url>"   # <url>: a URL extracted from the message
```

### Step 5: Payload Analysis

Analyze extracted attachments using the appropriate workflow. Common patterns: Office doc with macro → downloads PE, PDF with link → credential harvester, HTML attachment → phishing page.

### Step 6: Document IOCs

Record: sender address and IP, subject line, attachment names and hashes, all URLs, C2/phishing domains, email infrastructure (mail server names).

#email #phishing #eml #msg #attachments #headers #workflow
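Steps 1, 2 and 4 in one pass, as an added example that is not part of this note and uses only the Python standard library instead of mail-parser or emldump.py: it flags a Return-Path/From domain mismatch, reads the SPF/DKIM verdicts, counts Received hops, inventories attachments with SHA-256, and pulls URLs from the text parts. The sample message, its domains and its IPs are constructed for the example.

```python
import hashlib, re
from email import message_from_bytes, policy
from email.utils import parseaddr
# Constructed sample (hypothetical names, documentation IPs): From claims corp.example, but the
# envelope sender (Return-Path) and the originating relay belong to mailer-placeholder.example.
SAMPLE_EML = b"""Return-Path: <bounce@mailer-placeholder.example>
Received: from mx.corp.example (mx.corp.example [192.0.2.10]) by mail.corp.example; Mon, 1 Jan 2024 10:00:00 +0000
Received: from relay.mailer-placeholder.example ([198.51.100.7]) by mx.corp.example; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mailer-placeholder.example; dkim=none
From: "IT Support" <support@corp.example>
Subject: Password expires today
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset=utf-8

Reset here: https://login-corp.example/reset?id=abc
--B1
Content-Type: text/html; charset=utf-8
Content-Disposition: attachment; filename="invoice.html"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--B1--
"""
URL_RE = re.compile(r'https?://[^\s<>"\']+')
def domain(header):
    return parseaddr(str(header or ''))[1].rpartition('@')[2].lower()

def auth_result(results, tag):
    # Pull e.g. 'fail' out of 'spf=fail' in an Authentication-Results header.
    m = re.search(tag + r'=(\w+)', results)
    return m.group(1) if m else None

def analyze(raw):
    # Steps 1, 2 and 4 in one pass: header checks, attachment inventory, URL extraction.
    msg = message_from_bytes(raw, policy=policy.default)
    auth = str(msg.get('Authentication-Results', ''))
    attachments, urls = [], set()
    for part in msg.walk():
        if part.get_filename() or part.get_content_disposition() == 'attachment':
            data = part.get_payload(decode=True) or b''
            attachments.append({'name': part.get_filename(), 'type': part.get_content_type(),
                                'size': len(data), 'sha256': hashlib.sha256(data).hexdigest()})
        elif part.get_content_maintype() == 'text':
            urls.update(URL_RE.findall(part.get_content()))
    rp, frm = domain(msg.get('Return-Path')), domain(msg.get('From'))
    return {'from_domain': frm, 'return_path_domain': rp, 'envelope_mismatch': rp != frm,
            'spf': auth_result(auth, 'spf'), 'dkim': auth_result(auth, 'dkim'),
            'hops': len(msg.get_all('Received', [])), 'attachments': attachments, 'urls': sorted(urls)}
```

Run `analyze(open('message.eml', 'rb').read())` on a real .eml; the attachment hashes and URLs it returns feed Steps 3 and 6 directly.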