We all love our security solutions. We love our malware scanners and spam filters. We love the folks in the SecOps department that keep the baddies out of our hair and protect us from ourselves. But we also love peeking behind the curtain once in a while. It’s risky but, if done with care and caution, can be very educational. What follows is a brief series of steps I recently took when attempting to determine if a legitimate-looking email was as harmless as it appeared.
On the morning of January 14th, I found a new email in my company inbox. It was ostensibly from eFax alerting me to a newly arrived fax. The ‘from’ address was firstname.lastname@example.org, which seemed consistent with a legitimate eFax notification. The text of the email was well written and contained no links. So far so good…but there were a few things about this message that prompted me to look deeper before opening the attachment.
- The attachment on the email ended with ‘EML’. That’s the format used by many email clients (including Outlook) when saving an email to a file. So they attached an email to another email.
- The ‘Scan Date’ in the message didn’t jibe. The email notification arrived nearly 8 hours after the message was supposedly ‘scanned’. If eFax really got something for me at 08:16 GMT, it should have arrived in my inbox only moments later (i.e. shortly after midnight PST).
- I do not have an eFax account and was not expecting anything from them.
Step One: Isolate the File
Don't Touch My Stuff
I wanted to keep whatever this was away from the files on my computer, but I don’t exactly have a Hyper-V host sitting next to me (well, I actually do, but didn’t bother using it for this). But, since I am running Windows 10 on a reasonably new laptop with lots of available storage, I was able to quickly create a simple virtual machine to act as a semi-isolated testing environment. That would suffice for this level of investigation. I would need a far higher level of isolation if I were dealing with a more dangerous file type (e.g. EXE).
Anyway, once I had my VM up and running, I opened Outlook in a browser (Outlook Online) and saved the file to the VM hard drive. It wasn’t flagged by any of the antivirus scans (there would have been at least three between Office 365 and the VM desktop). Then I turned off all network connectivity to the VM and worked directly from the Hyper-V console. Perhaps I was just being paranoid. Then again, if you have ever read Catch 22 you know that isn’t always a bad thing.
So I have my EML file saved and ready for inspection. Now what?
Step Two: Inspect (do not open!) the File
See How Sausage is Made
I needed a place where I could open this file that had zero chance of “doing” anything – an EML file can contain lots of HTML and I need to know what’s in there before opening in any kind of active state. When I need such a tool, my go-to solution is Notepad++.
Since the default for opening an EML file is an email client, I couldn’t just double-click on the icon. Thankfully, Notepad++ has this handy feature where right-clicking on any file lists an ‘Open with Notepad++’ option. So I went that route and opened the EML file in Notepad++. Since I was looking for any kind of clickable link, I used this simple regular expression to find anything resembling one: <a\shref=".+">
That regex took me to line #236 in the EML file. There I found a bit.ly URL (bitly is a commonly used free URL shortening service). So there was a clickable link after all. Not in the email, but in the email attached to the email. Sneaky…
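A regex over the raw file works when the HTML is stored as plain text, but an EML's HTML part is often base64 or quoted-printable encoded (then `href="` appears as `href=3D"` or not at all), and a link inside an attached .eml sits in a nested message/rfc822 part. The script below, an added example that is not from the original post, parses the file with Python's standard `email` module instead: it decodes each part's transfer encoding, recurses into attached emails, pairs every href with its visible link text, and flags URL shorteners. The message it runs on is constructed here for the demo; the bit.ly path and every address in it are placeholders, not values from the real email.

```python
"""Extract clickable links from an .eml, including from any .eml attached to it,
without rendering anything. Added example using only the standard library; the
sample message is constructed below and its addresses/links are placeholders."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Shortener hosts that hide the real destination; extend as needed.
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Anchor tag: capture the href and the visible link text (they often differ in phishing).
ANCHOR_RE = re.compile(
    r'<a\s[^>]*?href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL)


def _collect(part, depth, found):
    """Recursive MIME walk. depth 0 is the outer email, 1 an attached .eml, and so on."""
    ctype = part.get_content_type()
    if ctype == "message/rfc822":
        # An email attached to an email: the payload is a list holding the inner message.
        for inner in part.get_payload():
            _collect(inner, depth + 1, found)
    elif part.is_multipart():
        for sub in part.iter_parts():
            _collect(sub, depth, found)
    elif ctype == "text/html":
        # get_content() undoes base64/quoted-printable and decodes the charset,
        # which a regex over the raw file bytes cannot do.
        for href, text in ANCHOR_RE.findall(part.get_content()):
            found.append({"depth": depth, "href": href.strip(),
                          "text": re.sub(r"<[^>]+>", "", text).strip()})


def extract_links(raw: bytes) -> list:
    """Return [{'depth', 'href', 'text'}, ...] for every anchor in the message tree."""
    found = []
    _collect(message_from_bytes(raw, policy=policy.default), 0, found)
    return found


def is_shortener(url: str) -> bool:
    """True when the link points at a known URL shortener (destination hidden)."""
    return urlparse(url).hostname in SHORTENERS


def naive_grep(raw: bytes) -> list:
    """What a regex over the raw file sees; it misses links hidden by base64/QP."""
    return re.findall(rb'<a\s[^>]*?href\s*=\s*"([^"]+)"', raw, re.IGNORECASE)


def build_sample() -> bytes:
    """Constructed lookalike of the message described in the post: no links in the
    outer body, one base64-encoded HTML part with a shortener link in the attached .eml.
    All addresses and the bit.ly path are placeholders."""
    inner = EmailMessage()
    inner["From"] = "notify@example.org"
    inner["Subject"] = "You have a new fax"
    inner.set_content("A new fax has arrived.")
    inner.add_alternative(
        '<html><body><p>A new fax has arrived.</p>'
        '<a href="https://bit.ly/EXAMPLE0">View your fax</a></body></html>',
        subtype="html", cte="base64")

    outer = EmailMessage()
    outer["From"] = "notify@example.org"
    outer["To"] = "me@example.com"
    outer["Subject"] = "eFax Notification"
    outer.set_content("You have a new fax. Scan Date: 08:16 GMT. See the attached message.")
    outer.add_attachment(inner, filename="fax.eml")
    return outer.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    print("raw-bytes regex found:", naive_grep(raw))  # nothing: the HTML is base64
    for link in extract_links(raw):
        flag = "  <-- URL shortener, destination hidden" if is_shortener(link["href"]) else ""
        print(f'depth {link["depth"]}: "{link["text"]}" -> {link["href"]}{flag}')
```

Run it as-is to see the constructed sample, or replace `build_sample()` with `open("suspect.eml", "rb").read()`. Nothing in the script fetches a URL; the shortener check is a string comparison on the hostname, so the file can be inspected with the VM's network switched off exactly as the post does.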
Step Three: Tread Lightly
Don't Kill the Cat
So this is where the whole ‘morbidly curious’ thing comes in. Any normal person would be happy they dodged a bullet and move on with their lives. Well, truth be told, I think any normal person wouldn’t have even bothered to verify the attachment before opening it. The point is, I am not a normal person and since you have read this far in the blog post, you probably aren’t all that normal either. Anyway, let’s move on.
…it seems the dutiful admins at bit.ly had beaten me to it. Go them!
But, if you look really closely, there in the browser address bar, the actual URL is revealed (secdl (dot) us)*. Bitly has the option to ‘continue at your own risk’ to that URL. Why is that important, you ask? Glad you asked.
On the off chance that there are still a few people out there who don’t keep the entire catalog of malware in their heads at all times, “SecDl-A” is a known Trojan and will infect your computer with nastyware if you download it. Seems counterintuitive for a malware distributor to create a URL openly stating the name of said malware, but whatever I guess. The point to take away here is: This “eFax Notification” was in fact a million percent a phishing email and not from eFax. But, what about that last link? Where does that go? Calm down there cowboy…I am getting to that.
Well, not really. You see, while I am morbidly curious and a bit on the abnormal side, I am not a complete moron. Isolated system or not, there was no way I was going to click on that link.
This was the end of my journey with this particular email. May all your DIY cybersecurity adventures go as smoothly!