Wednesday, September 6, 2023

BLUE TEAM LABS PHISHING ANALYSIS.

 

MY JOURNEY DOING BLUE TEAM LABS PHISHING ANALYSIS.

    Hello, and welcome to my first ever blog post. My name is Tom Olawuwo and I am a cybersecurity enthusiast. My goal with this lab is to improve my phishing analysis. Today I am challenging myself by completing the "Blue Team Labs Online Phishing Analysis" lab. I am taking advantage of all the FREE blue team (defensive security) labs I can use.


    What is a phishing attack? It is a type of social engineering attack that tricks individuals into giving up sensitive information (or running an attachment) by impersonating a source they trust. Phishing is mostly associated with email, while smishing (SMS phishing) is the same attack delivered over text messages and vishing (voice phishing) is delivered over the phone.



I was given a scenario and a phishing email document to investigate.



Blue Team Labs suggested using Mozilla Thunderbird to open the phishing email, so that is exactly what I did.



The investigation started with very basic information from the message headers: the recipient of the mail, the date and time, and the subject of the email. These questions were the more straightforward ones and took minimal time to answer thanks to Thunderbird.



Next, I had to find the originating IP address. I found this by opening the raw message in the text editor "Notepad++". From my own research, any plain-text editor works for this, such as UltraEdit, jEdit, Visual Studio Code, or even Notepad if you use Windows (the least effective in my opinion). The address lives in the Received headers: each mail server prepends its own Received line, so the bottom-most one is the first hop and records the originating address, while the hops below the header written by your own mail server could have been forged by the sender. After opening the phishing email in Notepad++ it did not take long for me to find the originating IP address.




Next, I performed a reverse DNS lookup on the IP address: I went to "whois.domaintools.com", entered the originating IP address, and the report showed the hostname the address resolves to. That is how I found the resolved host.




Next, I had to find the name of the attached file, which was "Website contact form submission.eml". Fun fact: the .eml extension means the file is an electronic mail file, a saved email message in the same plain-text format as the outer message, so it can be opened and inspected with the same tools.




Now I went back to Mozilla Thunderbird to locate the URL in the attachment and the service the web page is hosted on. The URL sits in the body of the attached message, and its hostname shows the page is hosted on "Blogspot".



Lastly, I used "URL2PNG" to find the heading text on the page. URL2PNG renders a screenshot of the URL from its own servers, so you can see what the page looks like without visiting the phishing site from your own machine. The heading was "Blog has been removed". And that completes this phishing analysis.
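The steps above (basic header fields, originating IP from the Received chain, attachment name, and the URL and hosting service inside the attached .eml) can all be reproduced offline with Python's standard email library. The script below is an added example, not part of the lab or of the original post. The sample message is constructed for the example (TEST-NET addresses and example.* domains), and the hostname-to-hosting-service table is an assumption for illustration. The resolved-host step is left out because it needs a network lookup (socket.gethostbyaddr is the offline-tool equivalent of the domaintools query).

```python
"""Offline phishing-header triage, following the lab steps above."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample message (not the lab's file): two Received hops, a
# text body, and a nested .eml attachment that carries the lure URL.
SAMPLE_EML = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.victim.example (Postfix) with ESMTP id ABC123
\tfor <ops@victim.example>; Wed, 06 Sep 2023 10:15:00 +0000
Received: from [198.51.100.25] (unknown [198.51.100.25])
\tby mail.example.net (Postfix) with ESMTPA id DEF456;
\tWed, 06 Sep 2023 10:14:58 +0000
From: "Web Forms" <forms@example.net>
To: ops@victim.example
Subject: Website contact form submission
Date: Wed, 06 Sep 2023 10:14:58 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset="utf-8"

A new contact form submission is attached.
--outer
Content-Type: message/rfc822; name="Website contact form submission.eml"
Content-Disposition: attachment; filename="Website contact form submission.eml"

From: visitor@example.org
To: ops@victim.example
Subject: New message
Content-Type: text/plain; charset="utf-8"

Please review your account here: https://phish-lure.blogspot.com/2023/09/login.html
--outer--
"""

# Hosting services recognised by hostname suffix (assumed mapping for this example).
HOSTING_SUFFIXES = {"blogspot.com": "Blogspot", "github.io": "GitHub Pages",
                    "weebly.com": "Weebly", "wixsite.com": "Wix"}

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def parse_eml(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern policy (EmailMessage API)."""
    return message_from_bytes(raw, policy=policy.default)


def basic_fields(msg: EmailMessage) -> dict:
    """Sender, recipient, subject and an ISO-8601 date, as a mail client shows them."""
    return {
        "from": parseaddr(str(msg["From"]))[1],
        "to": parseaddr(str(msg["To"]))[1],
        "subject": str(msg["Subject"]),
        "date": parsedate_to_datetime(str(msg["Date"])).isoformat(),
    }


def originating_ip(msg: EmailMessage) -> Optional[str]:
    """IPv4 address from the earliest Received hop (the last one in header order).

    Each MTA prepends its own Received header, so the bottom-most one is the
    first hop. Only hops added by servers you trust are reliable; anything
    below your own MX's header could have been forged by the sender.
    IPv6 hops are not handled by this pattern.
    """
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    match = IPV4_IN_BRACKETS.search(str(hops[-1]))
    return match.group(1) if match else None


def attachment_names(msg: EmailMessage) -> List[str]:
    """Filenames of every attachment; walk() descends into nested .eml parts too."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def extract_urls(msg: EmailMessage) -> List[str]:
    """Every http(s) URL in any text part, including parts inside attached messages."""
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:
                    urls.append(url)
    return urls


def hosting_service(url: str) -> str:
    """Map the URL's hostname to a known hosting service, or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix, name in HOSTING_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return "unknown"


def analyse(raw: bytes) -> dict:
    """Run the whole triage over one raw message and return a report dict."""
    msg = parse_eml(raw)
    report = basic_fields(msg)
    report["received_hops"] = len(msg.get_all("Received") or [])
    report["originating_ip"] = originating_ip(msg)
    report["attachments"] = attachment_names(msg)
    report["urls"] = extract_urls(msg)
    report["hosting"] = [hosting_service(u) for u in report["urls"]]
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

To run it against a real lab file, replace SAMPLE_EML with the bytes read from the .eml (open it in binary mode). Note that the script only reads headers and text; it never fetches the extracted URL, which is the same reason a screenshot service like URL2PNG is safer than opening the link yourself.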



Overall, this lab was very straightforward in my opinion. The tools/websites I used were:
  • Mozilla Thunderbird
  • Notepad++
  • whois.domaintools.com
  • URL2PNG
Here is my completion badge.





