Have you ever gotten an email from someone with a message saying “Please see attached,” “Past due notice,” or, my favorite, “Invoice #” and wondered if you should click on that link? Or perhaps that link just looks odd and you want to be sure if it’s safe before clicking it? At Hurricane Labs, we see these types of things frequently.
In this post, I will discuss a few strategies and tools I utilize when investigating those links to determine if they are legitimate or malicious.
My OSINT background
I have been interested in OSINT (Open Source Intelligence) since I first learned about it. I participated in a TraceLabs OSINT Global Missing Persons CTF, with a team of amazing individuals from whom I learned so much, to put those skills to good use in helping locate missing persons. Working at Hurricane Labs, I have been able to apply those same OSINT skills to investigating alerts instead of tracking down people.
At Hurricane Labs, we get phishing alerts on a daily basis, and our job is to investigate their legitimacy. As when playing the OSINT CTF, I have a couple of tools that I consider my “go to” and use for every investigation. Being interested in OSINT, I prefer tools that are open source and/or free to use, because I believe having these kinds of resources is important for the community. Removing the paywall lets everyone hunt threats that are continuously changing and gives everyone a chance at defending themselves.
Without further ado, here is an overview of how I utilize OSINT tools to investigate phishing alerts to better keep organizations safe.
When I get an alert for a phishing attempt, my normal process is to first go through Splunk and pull out the main points of information needed to start investigating the alert. For example, I’ll look at who received and who sent the email, the subject and content of the email, the link that was sent, and the sender’s communication history (i.e., has this person previously sent emails to others in the organization?). Even before looking at the link, Splunk helps me spot clues about the legitimacy of the email and identify where the information doesn’t add up.
Once I have the necessary information regarding the email sender and link, my next stop is using our in-house tool, Machinae. Machinae is an excellent tool where I put in the questionable domain, IP address, or link, and it pulls from a variety of sources to let me know who the domain is registered to and if it’s been seen as malicious or not. Oftentimes I will run the sender’s domain and IP to see if they are a legitimate company and where the sender is geo-located. Though the IP geo-location does not provide definitive proof of the sender being malicious or not, it does help with further investigations.
Next I pivot over to URLscan. This handy tool lets you look up the links in the email and returns a lot of information that is valuable for the investigation: the link you submitted, the address it ultimately resolved to (the two can be very different), and anything malicious that URLscan finds. Most of the time, URLscan also comes back with a screenshot of the page, so you can see what it looks like without going to the actual page. Oftentimes the screenshot, or the lack of one, drives me to use another tool for further investigation.
When I really want to see where a link goes, and either URLscan’s screenshot shows something that doesn’t look right or shows nothing at all, I use Any.Run. Any.Run is an interactive malware hunting service that lets you open the link in a sandbox so you can learn what it does and where it goes. A lot of the time, the initial link presents itself as a link to a document and then redirects the user to a credential-harvesting Microsoft login page. In these cases, Any.Run is essential to the investigation, as it lets me see the entire process from start to finish and where that link ultimately takes a user.
Based on the results of the aforementioned tools, I am able to let the user know whether or not the link in that email is safe to click on. If it’s malicious, I advise them of all my findings in a ticket, providing links to all of the open source information I gathered. This way, they can block the sender and domain/IP, and no one in their organization will access the malicious site.
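The script below is an added example, not code from this post or a Hurricane Labs tool, and it is not a replacement for the Splunk search or the URLscan and Any.Run lookups described above. It pulls the same starting points out of a raw message that the Splunk step gathers: who sent and received it, the subject, whether a Reply-To points somewhere other than the From domain, whether the sender has written to the organization before, and every link together with the text the recipient actually sees (a visible URL whose host differs from the real target is a classic tell). It also defangs the links so they can be pasted into a ticket without being clickable. The sample message, the example domains and the known-senders list are all constructed for the demonstration; the lure phrases are the ones named at the top of the post.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email); all domains are example domains.
SAMPLE_EML = """\
From: "Accounts Payable" <billing@example-vendor.com>
Reply-To: collect@mail-drop.example.net
To: jane.doe@example.org
Subject: Past due notice - Invoice #48213
Content-Type: text/html; charset="utf-8"

<p>Please see attached.</p>
<p><a href="http://secure-login.example.net/doc/view?id=48213">https://example-vendor.com/invoices/48213</a></p>
"""
# Constructed list of addresses that have written to this organization before.
KNOWN_SENDERS = frozenset({"support@example-vendor.com"})
# Lure phrases named in the post, matched case-insensitively against the Subject.
SUBJECT_LURES = ("please see attached", "past due", "invoice #")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkExtractor(HTMLParser):
    """Collect every <a href> together with the text the recipient actually sees."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"href": dict(attrs).get("href") or "", "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.links.append(self._current)
            self._current = None


def address_domain(header_value):
    """Lowercase domain of the first address in a header value, or '' if none."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def defang(url):
    """Rewrite a URL (hxxp://, [.] in the host) so it is not clickable in a ticket."""
    parts = urlparse(url)
    out = "hxxp" + url[4:] if parts.scheme in ("http", "https") else url
    host = parts.hostname or ""  # urlparse lowercases the host, so this expects lowercase URLs
    return out.replace(host, host.replace(".", "[.]"), 1) if host else out


def extract_links(body):
    """Links from an HTML part (href plus visible text) or bare URLs from a plain-text part."""
    if body is None:
        return []
    if body.get_content_type() != "text/html":
        return [{"href": u, "text": ""} for u in URL_RE.findall(body.get_content())]
    parser = LinkExtractor()
    parser.feed(body.get_content())
    parser.close()
    return parser.links


def triage(raw_eml, known_senders=KNOWN_SENDERS):
    """Return the starting points for one email plus a list of human-readable findings."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    sender_domain = address_domain(msg.get("From"))
    reply_to_domain = address_domain(msg.get("Reply-To"))
    subject = str(msg.get("Subject", ""))
    findings = []
    if reply_to_domain and reply_to_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_to_domain} differs from From domain {sender_domain}")
    lures = [p for p in SUBJECT_LURES if p in subject.lower()]
    if lures:
        findings.append(f"Subject uses common lure text: {lures}")
    if sender not in known_senders:
        findings.append(f"No prior correspondence from {sender}")
    links = []
    for link in extract_links(msg.get_body(preferencelist=("html", "plain"))):
        host = urlparse(link["href"]).hostname or ""
        # If the visible text looks like a URL, compare its host with the real target.
        shown = urlparse(link["text"]).hostname if "://" in link["text"] else None
        mismatch = shown is not None and shown != host
        if mismatch:
            findings.append(f"Link text shows {shown} but points at {host}")
        links.append({"href": link["href"], "text": link["text"], "host": host,
                      "text_host_mismatch": mismatch, "defanged": defang(link["href"])})
    return {"sender": sender, "sender_domain": sender_domain, "subject": subject,
            "recipient": parseaddr(str(msg.get("To", "")))[1].lower(),
            "links": links, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML)["findings"]:
        print("-", finding)
```

Run against the constructed message, the findings are the Reply-To mismatch, the two lure phrases in the subject, the absence of prior correspondence, and a link whose visible text names the vendor’s domain while the href points at a different host. The defanged form of each href is what goes into the ticket; the original href is what gets submitted to URLscan or Any.Run, never opened directly.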
Investigating phishing emails is really my favorite type of alert to work here at Hurricane Labs. In many ways, it’s like playing mini OSINT CTFs throughout the day. I enjoy following where a link goes, whether it leads to another thing to click, where that goes, and whether there is something else there too. Putting that curiosity to use in helping defend organizations is really a wonderful thing.