TryHackMe: Phishing Analysis Fundamentals (SOC Level 1)

Welcome to this walkthrough of the Phishing Analysis Fundamentals room on TryHackMe. In this room we learn how to analyze phishing attacks. Phishing is a common social engineering attack: the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information.

Phishing Analysis Fundamentals

Room URL:
https://tryhackme.com/room/phishingemails1tryoe

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on! This is going to be a long one!



Task 1: Introduction

Spam and phishing are both widespread social engineering attacks, but phishing through email is especially dangerous. Spam has been around since the first unsolicited email in 1978 and continues to clutter inboxes today, often as a nuisance but sometimes carrying risks. Phishing, however, is more serious because attackers craft emails designed to trick users into clicking malicious links or downloading harmful attachments. Even with strong, layered defenses in place, a single unsuspecting employee can give attackers access to a corporate network.

Security tools help reduce the number of malicious emails that reach users, but they are not perfect. This is why Security Analysts play a crucial role: they must investigate suspicious emails, determine whether they are malicious or benign, and gather intelligence to update defenses. By analyzing email headers and understanding how messages travel across the Internet, analysts can strengthen protections and prevent similar threats from reaching inboxes in the future. Practical exercises, such as dep.

Questions

Read the task above.

Answer: No answer needed


Task 2: The Email Address

A concise summary of the task text:

  • Ray Tomlinson invented email in the 1970s on ARPANET and popularized the @ symbol.
  • An email address consists of:
    • User Mailbox (Username) – identifies the recipient.
    • @ – separates the mailbox from the domain.
    • Domain – like a street name, guiding where the message should go.
  • Example: billy@johndoe.com
    • Mailbox: billy
    • @: separator
    • Domain: johndoe.com
  • Analogy: The domain is the street, and the mailbox is the house number/name, helping the “postal worker” (email system) deliver messages correctly.

Questions

Email dates back to what time frame?

Easy. 1970s 🙂

Answer: 1970s


Task 3: Email Delivery

Three main protocols make email communication possible:

  • SMTP: Handles sending emails from your client to mail servers.
  • POP3: Downloads emails from the server to a single device.
  • IMAP: Syncs emails across multiple devices by keeping them stored on the server.

POP3 vs IMAP Differences

  • POP3
    • Emails are downloaded and stored locally.
    • Sent messages stay only on the device used.
    • Access is limited to that one device.
    • Unless “Keep email on server” is enabled, messages are deleted from the server after download.
  • IMAP
    • Emails remain on the server.
    • Sent messages are stored on the server too.
    • Messages can be accessed and synced across multiple devices.

How Email Travels

  1. Compose: Alexa writes an email to Billy and hits send.
  2. SMTP queries DNS: The sending server asks DNS where to deliver mail for johndoe.com.
  3. DNS responds: DNS provides the destination mail server info.
  4. SMTP sends: Alexa’s email is sent across the internet.
  5. Relays: The email may pass through multiple SMTP servers.
  6. Destination server: The email arrives at johndoe.com’s SMTP server.
  7. Stored locally: The email is placed in Billy’s POP3/IMAP server mailbox.
  8. Client checks: Billy’s email client queries the server for new mail.
  9. Delivery: Email is downloaded (POP3) or synced (IMAP) to Billy’s device.

Ports

  • SMTP: Default port 25 (others like 587 or 465 often used for secure sending).
  • POP3: Default port 110 (995 for secure SSL/TLS).
  • IMAP: Default port 143 (993 for secure SSL/TLS).

Key Takeaway

  • SMTP = Sending
  • POP3 = Download to one device
  • IMAP = Sync across devices

This flow ensures emails can be reliably sent, routed, and accessed securely across the internet.

Questions

What port is classified as Secure Transport (STARTTLS) for SMTP?

You can find the following 3 answers at the page linked in the room:

https://help.dreamhost.com/hc/en-us/articles/214918038-Email-client-configuration-overview

But for your convenience I wrote them in the above summary. The port used for secure SMTP transport is 587.

Answer: 587

What port is classified as Secure Transport for IMAP?

The port used is 993.

Answer: 993

What port is classified as Secure Transport for POP3?

The POP3 port for secure transport is 995.

Answer: 995


Task 4: Email Headers

Parts of an Email

Every email has two main components:

  • Header: Metadata about the email (who sent it, when, through which servers).
  • Body: The actual content (plain text or HTML).

Emails follow a standard syntax called the Internet Message Format (IMF).

Key Header Fields

When analyzing suspicious emails, start with the basics:

  • From → Sender’s email address.
  • Subject → Title of the email.
  • Date → When the email was sent.
  • To → Recipient’s email address.

These are visible in most email clients.

Raw Email Headers

Looking at the raw header reveals much more detail. It may look intimidating, but focus on important fields:

  • X-Originating-IP → Shows the IP address where the email originated.
  • SMTP.mailfrom / header.from → Domain the email was sent from (used in authentication checks).
  • Reply-To → Address replies will go to (can differ from “From”).

👉 Example: An email might show From: newsletters@ant.anki-tech.com, but the Reply-To is reply@ant.anki-tech.com. This mismatch can be a red flag.

Why Headers Matter

  • Attackers often spoof sender addresses to trick recipients.
  • IP addresses and domains can help identify suspicious origins.
  • Reply-To mismatches may indicate phishing attempts.

Practical Tip

  • Different email clients (Yahoo, Gmail, Outlook, etc.) have different steps to view raw headers, but the concept is the same.
  • Practice by opening sample .eml files and reviewing headers line by line.
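As an added example (not part of the room or the original post), the script below parses a constructed raw message with Python's standard email module and pulls out exactly the fields listed above: From, Reply-To, Return-Path, X-Originating-IP and the smtp.mailfrom / header.from values from Authentication-Results, then flags the mismatches the task describes. All domains and the IP address are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw headers (hypothetical domains, TEST-NET IP) showing the
# fields the task says to check first; not a real message.
RAW_EMAIL = """\
Return-Path: <bounce@mailer-example.test>
Authentication-Results: mail.victim.test; spf=fail smtp.mailfrom=mailer-example.test; dkim=none header.from=trusted-brand.example
X-Originating-IP: [203.0.113.45]
From: "Trusted Brand" <support@trusted-brand.example>
Reply-To: reply@mailer-example.test

(body omitted)
"""

def domain_of(addr_header):
    """Lowercased domain of an address header ('' if the header is absent)."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def triage_headers(raw):
    """Extract the sender-related fields and flag the mismatches the room describes."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    def find(pattern):  # first capture group from Authentication-Results, if present
        m = re.search(pattern, auth)
        return m.group(1) if m else None
    report = {
        "from_domain": domain_of(msg.get("From")),
        "reply_to_domain": domain_of(msg.get("Reply-To")),
        "return_path_domain": domain_of(msg.get("Return-Path")),
        "originating_ip": (msg.get("X-Originating-IP") or "").strip("[] "),
        "spf": find(r"\bspf=(\w+)"),
        "smtp_mailfrom": find(r"smtp\.mailfrom=([\w.-]+)"),
        "header_from": find(r"header\.from=([\w.-]+)"),
    }
    flags = [f"{name} domain differs from From domain"
             for name, dom in (("Reply-To", report["reply_to_domain"]),
                               ("Return-Path", report["return_path_domain"]))
             if dom and dom != report["from_domain"]]
    if report["smtp_mailfrom"] and report["smtp_mailfrom"] != report["header_from"]:
        flags.append("smtp.mailfrom does not match header.from")
    if report["spf"] and report["spf"] != "pass":
        flags.append(f"SPF result is {report['spf']}")
    report["flags"] = flags
    return report

if __name__ == "__main__":
    for key, value in triage_headers(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Point the script at the contents of a real .eml file (open it and pass the text to triage_headers) and the same checks apply.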

The room also links an additional resource from Media Temple on how to analyze email headers.

Note: The questions below are based on the Media Temple article.

Questions

What email header is the same as “Reply-to”?

To find this answer we need to look at the provided URL:
https://web.archive.org/web/20221219232959/https://mediatemple.net/community/products/all/204643950/understanding-an-email-header

Here it is stated that the Return-Path email header is the one we need:

The email address for return mail. This is the same as “Reply-To:”.

Answer: Return-Path

Once you find the email sender’s IP address, where can you retrieve more information about the IP?

The article once more provides the answer:

Once the email sender’s IP address is found, you can search for it at http://www.arin.net/. You should now be given results letting you know to which ISP (Internet Service Provider) or webhost the IP address belongs. Now, if you are tracking a spam email, you can send a complaint to the owner of the originating IP address. Be sure to include all the headers of the email when filing a complaint.

Answer: http://www.arin.net/.


Task 5: Email Body

Email Body Basics

  • The email body is the main content of the message.
  • It can be plain text (simple words only) or HTML formatted (allows images, links, and styling).
  • HTML makes emails more interactive but also introduces risks (hidden links, embedded code).

Viewing HTML

  • Most email clients let you switch between plain text and rendered HTML views.
  • Example: In Protonmail, the option is called “View rendered HTML.”
  • Each client (Yahoo, Gmail, Outlook, etc.) has slightly different steps.

Attachments in Emails

  • Emails can include attachments (PDFs, images, etc.).
  • Attachments are defined in the email’s source code with special headers:
    • Content-Type → File type (e.g., application/pdf, text/html).
    • Content-Disposition → Whether it’s an attachment or inline content.
    • Content-Transfer-Encoding → How the file is encoded (e.g., base64).
  • Base64 data can be decoded to recover the actual file.

Questions

In the above screenshots, what is the URI of the blocked image?

We need to look at the following screenshot of the email body source code:

Look carefully, and you will find an img tag. Look at the value of its src attribute and you will see the answer.

Answer: https://i.imgur.com/LSWOtDI.png

In the screenshots above, what is the name of the PDF attachment?

This time, let’s look at this screenshot:

The name of the pdf file is in the top right.

Answer: Payment-updateid.pdf

In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?

Go ahead and start up the machine on TryHackMe. Now, open up the email2.txt file found on the Desktop in the Email Samples folder. Copy the base64 string. Don’t copy the last line and the header fields.

You can decode the base64 with CyberChef:
https://gchq.github.io/CyberChef/

Use the From Base64 recipe, found at the top of the left menu. Then go ahead and paste the base64 string in the input fields. You should see the PDF file within the output field now, which you should be able to download, but I had problems with it.

Alternatively you can save the base64 in a file and use: base64 -d base64.txt > output.pdf like so:

Anyway, you should have the answer now.


Answer: THM{BENIGN_PDF_ATTACHMENT}


Task 6: Types of Phishing

Types of Phishing & Malicious Emails

  • Spam → Bulk, unsolicited junk mail. Malicious variant = MalSpam.
  • Phishing → Pretends to be a trusted entity to steal sensitive info.
  • Spear Phishing → Targeted phishing aimed at specific individuals or organizations.
  • Whaling → Phishing aimed at high‑level executives (CEO, CFO, etc.).
  • Smishing → Phishing via SMS/text messages on mobile devices.
  • Vishing → Phishing via voice calls.

Objectives of Phishing

  • Harvest credentials (usernames, passwords).
  • Gain access to victim’s computer or network.

Common Characteristics of Phishing Emails

  • Spoofed sender address (looks like a trusted entity).
  • Urgent subject lines (e.g., “Invoice,” “Suspended”).
  • HTML body mimics trusted brands (Amazon, Netflix, etc.).
  • Poor formatting or grammar (contradicting the “professional” look).
  • Generic greetings (“Dear Sir/Madam”).
  • Hidden hyperlinks (often shortened to disguise origin).
  • Malicious attachments disguised as legitimate documents.

Safe Handling Practices

  • Never click suspicious links or open attachments, not even accidentally.
  • Use defanging to make URLs/emails unclickable before sharing with SOC teams.
    • Example: http://www.suspiciousdomain.com → hxxp[://]www[.]suspiciousdomain[.]com
  • Tools like CyberChef can help automate defanging.

Questions

Analyze the email titled email3.eml within the virtual machine and answer the questions below.

Note: Alexa is the victim, and Billy is the analyst assigned to the case. Alexa forwarded the email to Billy for analysis. 

What trusted entity is this email masquerading as?

Open the email3.eml file:

Fake order confirmation email

As you can see, the email is created so that it looks like it came from Home Depot.

Answer: Home Depot

What is the sender’s email?

The sender’s email is support@teckbe.com.

Answer: support@teckbe.com

What is the subject line? 

Another easy one. Just read it from the subject line.

Answer: Order Placed : Your Order ID OD2321657089291 Placed Successfully

What is the website for the CLICK HERE URL in a defanged format? (e.g. https://website.thm)

Copy the URL from the email, and go to CyberChef. You can find a Defang URL recipe in the left menu:

This makes it safe to share. You will do this defanging a lot in your future career!

Answer: hxxp[://]t[.]teckbe[.]com/p/?j3=EOowFcEwFHl6EOAyFcoUFVTVEchwFHlUFOo6lVTTDcATE7oUE7AUFo==


Task 7: Conclusion

Before ending this room, you should know what BEC (Business Email Compromise) means.

A BEC is when an adversary gains control of an internal employee’s account and then uses the compromised email account to convince other internal employees to perform unauthorized or fraudulent actions. 

Tip: You should be familiar with this term. I have heard this question asked before in a job interview. 

Within this room, we covered the following:

  • What makes up an email address?
  • How an email travels from sender to recipient.
  • How to view the source code of an email header.
  • How to view the source code of an email body. 
  • Understand the pertinent information we should obtain from an email we’re analyzing.
  • Some common techniques attackers use in spam and phishing email campaigns.

In the upcoming Phishing Analysis series, we’ll look at samples of various common techniques used in phishing email campaigns, along with tools to assist us with analyzing an email header and email body. 

Next room in this module: Phishing Emails 2

Questions

What is BEC?

The answer is Business Email Compromise.

Answer: Business Email Compromise

Congratulations on completing Phishing Analysis Fundamentals!!!


Congratulations on completing Phishing Analysis Fundamentals. I hope you enjoyed this room. It was pretty basic, but nonetheless important, because phishing affects everyone on a daily basis.

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.
