TryHackMe: Phishing Emails in Action (SOC Level 1)

Welcome to this walkthrough of the Phishing Emails in Action room on TryHackMe. In this room we get more hands-on with phishing emails: we learn the different indicators of phishing attempts by examining actual phishing emails.

Room URL:
https://tryhackme.com/room/phishingemails2rytmuv

I am making these walkthroughs to keep myself motivated to learn cyber security, and to make sure I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.



Task 1: Introduction

Now that we covered the basics concerning emails in Phishing Emails 1, let’s dive right into actual phishing email samples. 

Each email sample showcased in this room will demonstrate different tactics used to make the phishing emails look legitimate. The more convincing the phishing email appears, the higher the chances the recipient will click on a malicious link, download and execute the malicious file, or even send the prince of some country a wire transfer. 

Warning: The samples throughout this room contain information from actual spam and/or phishing emails. Proceed with caution if you attempt to interact with any IP, domain, attachment, etc.

Questions

Read the above.

Answer: No answer needed


Task 2: Cancel your PayPal order

Here are the main points of the email investigation in the THM room:

  • Techniques used in the email:
    • Spoofed sender address
    • URL shortening services
    • HTML mimicking a legitimate brand (PayPal)
  • Red flags in the email:
    • Recipient address doesn’t match the actual Yahoo account.
    • Sender name claims to be PayPal (service@paypal.com) but the actual email is unrelated (gibberish@sultanbogor.com).
    • Subject line implies a transaction you may not recognize, prompting urgency (social engineering).
  • Email content:
    • Designed to look legitimate, mimicking PayPal.
    • No attachments; the main interactive element is a “Cancel the order” button/link.
  • Link analysis:
    • The button uses a URL shortener, which hides the destination.
    • Investigating the raw HTML revealed the link redirects to google.com, not PayPal.

Overall takeaway: The email is a phishing attempt using spoofing and social engineering tactics, with a suspicious shortened link.

Questions

What phrase does the gibberish sender email start with?

If you look at the mail from THM:

You can clearly see that the sender email address starts with noreply.

Answer: noreply


Task 3: Track your package

The email sample demonstrates several phishing techniques, including spoofed email addresses, pixel tracking, and link manipulation. It is crafted to look like a message from a mail distribution center, reinforced by a subject line featuring a fake tracking number. Although the link text matches the subject, Yahoo blocks both images and links in this email—likely because of tracking pixels hidden inside the message.

By inspecting the raw source, one can see an embedded image named Tracking.png, which acts as a tracking pixel that sends information back to the spammer’s server. Many email providers block such images automatically to protect users from being tracked. Additionally, the hyperlink ultimately leads to a suspicious domain, suggesting potential malware involvement.

Questions

What is the root domain for each URL? Defang the URL. 

You can easily see the domain in the pictures on the room.

To defang it you can use CyberChef:

https://gchq.github.io/CyberChef/#recipe=Defang_URL(true,true,true,'Valid%20domains%20and%20full%20URLs')

The answer is devret[.]xyz.

Why defang, you wonder? So that you cannot mistakenly click on a link here on my blog and get sent to a malicious URL.

Answer: devret[.]xyz


Task 4: Select your email provider to view document

Here’s a concise summary of this email sample:

  • Techniques used in the email:
    • Creates a sense of urgency (e.g., “link expires today”)
    • HTML impersonation of legitimate brands (OneDrive, Adobe)
    • Link manipulation to redirect victims to fake pages
    • Credential harvesting by asking users to log in
    • Poor grammar and typos
  • Red flags and observations:
    • Email prompts immediate action with a “download the fax” button.
    • Links redirect to non-Microsoft and non-Adobe URLs despite appearing legitimate.
    • Page titles and branding are faked (e.g., “Share Point Online”) to appear trustworthy.
    • Victims are prompted to log in with their email credentials; credentials are sent to the attacker.
    • Even correct credentials would trigger a fake error message, ensuring the attacker still collects them.
    • Multiple grammatical errors reveal the email is suspicious.

Questions

This email sample used the names of a few major companies, their products, and logos such as OneDrive and Adobe. What other company name was used in this phishing email?

This one was a bit harder to find, but the first screenshot says Citrix:

Answer: Citrix


Task 5: Please update your payment details

In this task we look at yet another email. Here are the main points:

  • Techniques used: Spoofed email address, urgency, HTML impersonation of Netflix, poor grammar/typos, attachments.
  • Sender spoofing: Appears to be from Netflix Billing, but the actual sender is z99@musacombi.online.
  • Urgency: Claims the account is suspended, pressuring the victim to act quickly; reinforced throughout the email body.
  • Typos: Netflix is misspelled multiple times, though not as part of typosquatting.
  • Attachment: A PDF is included, prompting the victim to “Update Payment Account.”
  • Suspicious details: The phone number listed is unusual for a US-based Netflix account.
  • Overall: The email uses urgency, brand impersonation, and a malicious attachment to trick the recipient into interacting and potentially revealing sensitive information.

Questions

What should users do if they receive a suspicious email or text message claiming to be from Netflix?

Hmm, don’t really like this question! We need the hint to give us a link: https://www.consumeraffairs.com/news/police-warn-of-new-netflix-email-phishing-scam-121718.html

Here you can find the exact answer in the last sentence of the article.

Answer: forward the message to phishing@netflix.com


Task 6: Your recent purchase

Here we go again! Let’s cover the main points:

Techniques used: Spoofed email address, BCCed recipient, urgency, poor grammar/typos, and a malicious attachment.

Sender spoofing: The email claims to be from Apple Support, but the real sender is gibberish@sumpremed.com.

BCC usage: The victim wasn’t directly addressed; instead, they were BCCed. The visible “recipient” address is another spoofed Apple‑like address meant to appear legitimate.

Urgency: The message implies action is required, pushing the victim to respond quickly.

Typos: Both the sender and recipient addresses contain clear errors—donoreply and payament—which signal low credibility.

Empty body: There is no email content at all; the entire attempt relies on the victim opening the attachment.

Suspicious attachment: The attached file is a .DOT template file (a Microsoft Word template format), which is unusual in legitimate communications.

Attachment contents: The file displays a large image mimicking an App Store receipt. Its embedded link includes Apple‑related keywords like apps and ios to appear legitimate.
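The indicators from Tasks 2, 3 and 6 (a display name claiming a brand the sending domain does not match, the recipient missing from To/Cc because they were BCCed, shortened links, risky attachment types, and defanging URLs as in the CyberChef step) can be checked by script. The following triage helper is an added example, not part of the THM room or of this post; the raw message, addresses, domains and link in it are constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

BRANDS = ("paypal", "apple", "netflix", "dhl")                   # brands impersonated in the room
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co")                   # shorteners hide the real destination
RISKY_EXT = (".dot", ".doc", ".docm", ".xls", ".xlsm", ".pdf")   # attachment types seen in the tasks

# Constructed sample modelled on the indicators above; every address, domain and link is made up.
RAW = b"""From: "Apple Support" <donoreply@sumpremed.example>
To: "Apple Payament" <payament@apple-store.example>
Subject: Your recent purchase
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<html><body><a href="https://bit.ly/example-not-a-real-link">Cancel the order</a></body></html>
--B
Content-Type: application/msword; name="receipt.dot"
Content-Disposition: attachment; filename="receipt.dot"

(not a real template)
--B--
"""

def defang(url):
    # Same idea as the CyberChef recipe: http -> hxxp and every dot -> [.] so nobody clicks it
    return url.replace("http", "hxxp").replace(".", "[.]")

def triage(raw_bytes, my_address):
    # Returns human-readable indicators found in one raw message, URLs already defanged
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    sender = msg["From"].addresses[0]
    for brand in BRANDS:              # display name claims a brand that the sending domain is not
        if brand in sender.display_name.lower() and brand not in sender.domain.lower():
            findings.append(f"spoofed sender: '{sender.display_name}' from {sender.domain}")
    visible = {a.addr_spec.lower() for h in ("To", "Cc") for hdr in msg.get_all(h, []) for a in hdr.addresses}
    if my_address.lower() not in visible:   # delivered to us without being addressed: BCC
        findings.append("recipient not in To/Cc (BCC)")
    body = msg.get_body(preferencelist=("html",))
    for url in re.findall(r'href="([^"]+)"', body.get_content() if body else "", re.I):
        if urlparse(url).netloc.lower() in SHORTENERS:
            findings.append(f"shortened link: {defang(url)}")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment: {part.get_filename()}")
    return findings
```

Call `triage(RAW, "victim@yahoo.example")` to list the four indicators in the sample; on a real message, pass the raw bytes of the .eml and the mailbox it arrived in.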

Questions

What does BCC mean?

A quick Google search (or your favorite search engine!) gives us the answer: Blind Carbon Copy. It is quite similar to CC, which you might be more familiar with: carbon copy. Anyone whose address appears after the Cc: header receives a copy of the message. Bcc is similar, but the recipients specified in this field do not appear in the received message headers, and the recipients in the To or Cc fields will not know that a copy was sent to these addresses.

Answer: Blind Carbon Copy

What technique was used to persuade the victim to not ignore the email and act swiftly?

The message implies action is required, pushing the victim to respond quickly. We call this urgency.

Answer: Urgency


Task 7: DHL Express Courier Shipping notice

Let’s do this one last time! Promise me to never fall for phishing emails again after this room. 😉

  • Opening the attachment reveals content designed to appear legitimate, but the document executes a payload that results in an error.
  • This email demonstrates spoofed sender information, HTML used to imitate DHL, and the use of a malicious attachment.
  • The sender address doesn’t match DHL, even though the email claims to be about a package the company is supposedly shipping.
  • The body of the email uses HTML to mimic an authentic DHL message.
  • When examining the email’s source code, the “view as a web page” link has no actual destination, which is a strong sign of a poorly constructed phishing attempt.
  • The only interactive element is the attachment—an Excel file.

Questions

What is the name of the executable that the Excel attachment attempts to run?

You can find the answer on the screenshot in the room:

Answer: regasms.exe


Task 8: Conclusion

In this room, we looked at various phishing samples. 

Some of the samples shared similar techniques whereas, others introduced a new tactic for you to see and learn from. 

Understanding how to detect phishing emails takes awareness training.

Visit the resources below to acquaint yourself with other signs to look out for in phishing emails. 

Additional Resources:

The next room in this module: Phishing Emails 3

Questions

Read the above.

Answer: No answer needed.

Congratulations on completing Phishing Emails in Action!!!

We did it! We finished phishing emails in action!

Congratulations on completing Phishing Emails in Action. This was a fun little room in which we got to practice identifying phishing emails. Great job on getting this far.

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find my other TryHackMe SOC Level 1 Path walkthroughs here.

Find my other walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
