Generate interlinked wiki from master inventory: 397 tool pages, 15 workflow pages, 27 recipe pages, 33 category pages, plus index. All pages use [[wiki-links]] for cross-navigation between tools, workflows, recipes, and categories (1782 links total). Install zk for interactive browsing with fzf search, tag filtering, and backlink discovery. Add 'fhelp wiki' command and Makefile target. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Email & Phishing Analysis
Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links.
Steps
Step 1: Header Analysis
Tools: tools/emldump-py, tools/mail-parser
Parse SMTP headers: emldump.py <email.eml>. Check: Received headers (delivery path, read bottom-up from the first hop), Return-Path vs From (envelope/header mismatch indicates spoofing), SPF/DKIM results (Authentication-Results header), X-Mailer.
emldump.py message.eml
python3 -c "import mailparser; mail = mailparser.parse_from_file('<email.eml>'); print(mail.subject)"
Step 2: Attachment Extraction
Tools: tools/emldump-py, tools/msg-extractor
Extract attachments: list the MIME parts with emldump.py <email.eml>, then dump a selected part with emldump.py -s <n> -d <email.eml> > <output>. For MSG format: extract_msg <email.msg> (the msg-extractor CLI). List all attachments with types and sizes.
emldump.py -s 3 -d message.eml > attachment.bin
extract_msg <email.msg>
Step 3: Attachment Triage
Tools: tools/file, tools/trid, tools/yara, tools/sha256sum
For each attachment: identify type, compute hash, scan with YARA. Route to appropriate workflow: Document Analysis (Office/PDF), Static Analysis (PE), JavaScript Deobfuscation (JS/HTML).
file specimen.exe
trid document.doc
yara rules.yar specimen.bin
Step 4: Link Analysis
Tools: tools/unfurl
Extract all URLs from email body and headers. Use Unfurl to decompose URLs (reveal tracking pixels, redirect chains, encoded parameters).
unfurl parse <url>
Step 5: Payload Analysis
Analyze extracted attachments using the appropriate workflow. Common patterns: Office doc with macro → downloads PE, PDF with link → credential harvester, HTML attachment → phishing page.
Step 6: Document IOCs
Record: sender address and IP, subject line, attachment names and hashes, all URLs, C2/phishing domains, email infrastructure (mail server names).
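Added example, not from the wiki or from any of the tools listed above: one stdlib-only Python pass that performs the checks of Steps 1 through 4 on a constructed .eml (Return-Path vs From domain mismatch, Authentication-Results, Received hops, attachment names, declared types, sizes and SHA-256, URLs in the text body). The sample message, addresses and domains are constructed; its output is what Steps 5 and 6 would consume.

```python
import email, hashlib, re
from email import policy
from email.utils import parseaddr

# Constructed sample: spoofed display name, mismatched Return-Path, failed SPF,
# one HTML attachment declared as octet-stream, and one link in the body.
SAMPLE_EML = b"""Return-Path: <bounce@mailer-example.test>
Received: from unknown (HELO relay) ([198.51.100.7]) by mx.corp.test
Authentication-Results: mx.corp.test; spf=fail; dkim=none
From: "IT Helpdesk" <helpdesk@corp.test>
To: user@corp.test
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset here: http://corp-login.example.test/reset?u=dXNlcg== before midnight.
--b1
Content-Type: application/octet-stream; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><script></script></html>
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1]
    report = {
        # Envelope sender domain differing from header From domain: spoofing tell.
        "sender_mismatch": from_dom != rp_dom,
        "auth_results": msg.get("Authentication-Results", ""),
        "received_hops": msg.get_all("Received", []),  # top-down; last is first hop
        "attachments": [], "urls": [],
    }
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)  # decoded attachment bytes
            report["attachments"].append({"name": part.get_filename(),
                "declared_type": part.get_content_type(), "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            report["urls"] += URL_RE.findall(part.get_content())
    return report
```

Compare each attachment's declared_type against what file/trid report in Step 3; a mismatch such as an HTML file declared as octet-stream is itself a triage indicator.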
#email #phishing #eml #msg #attachments #headers #workflow