TryHackMe: Phishing Prevention (SOC Level 1)

Welcome to this walkthrough of the Phishing Prevention Room on TryHackMe. Now that we have learned about phishing emails and how to identify them as such, we are ready to learn about the prevention of said phishing emails. Let’s go!

Room URL:
https://tryhackme.com/room/phishingemails4gkxh

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me in learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Task 1: Introduction

Phishing remains one of the most common and effective ways for attackers to gain initial access to target systems. To counter this, defenders can deploy a variety of tools and controls designed to protect users from malicious emails.

The MITRE ATT&CK Framework describes Phishing for Information as the attempt to trick targets into divulging information.

In this room, you’ll learn about various security measures organizations can implement to prevent, detect, and mitigate phishing threats.

Learning Objectives

  • Understand core email security controls (SPF, DKIM, DMARC, S/MIME)
  • Analyze SMTP network traffic and email content
  • Explore anti-phishing protection measures

Questions

I understand the learning objectives and am ready to learn about phishing prevention!

Answer: No answer needed


Task 2: Sender Policy Framework (SPF)

What Is SPF (Sender Policy Framework)?

Sender Policy Framework (SPF) is an email security mechanism that helps prevent phishing and email spoofing. It allows receiving mail servers to check whether an email was sent from a server that is authorized to send mail on behalf of a specific domain.

In simple terms: SPF answers the question “Is this server allowed to send email for this domain?”

How SPF Works

When an email is received, the recipient’s mail server performs the following steps:

  1. It extracts the sender’s domain from the email.
  2. It looks up the domain’s SPF record in DNS.
  3. It checks whether the sending server’s IP address is listed as authorized.
  4. Based on the result, it decides what to do with the email.

This entire process happens automatically and in milliseconds.

SPF Results and What They Mean

The SPF check returns a result that tells the receiving server how trustworthy the email is:

SPF Result              | What Happens
------------------------|---------------------------------------------
Pass, Neutral, None     | Email is accepted and delivered normally
SoftFail, PermError     | Email is delivered but flagged as suspicious
Fail, TempError         | Email is rejected

From a SOC perspective, SoftFail messages are particularly interesting, as they often appear in phishing or misconfigured email setups.

Understanding an SPF Record

An SPF record is stored as a DNS TXT record. Here’s a simple example:

v=spf1 ip4:127.0.0.1 include:_spf.google.com -all

What Each Part Means

  • v=spf1
    Identifies this as an SPF record
  • ip4:127.0.0.1
    Allows this specific IPv4 address to send email
  • include:_spf.google.com
    Allows all mail servers authorized by Google
  • -all
    Rejects email from any server not listed above

That final -all is important — it tells receiving servers to reject unauthorized senders, which significantly reduces spoofing.

SPF Records Using “include”

Some domains don’t list IP addresses directly. Instead, they use include statements to reference third-party email providers such as Google Workspace, HubSpot, or Chargebee.

In these cases, all IP addresses authorized by the included domains are treated as valid senders.
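To make the mechanism concrete, here is a small SPF evaluator I have added to this walkthrough (it is not code from the room or from TryHackMe). It parses a record into its mechanisms, counts the include: domains, and decides pass/fail/softfail/neutral for a given sender IP. The record, the include: names and the IP addresses are constructed for the example, and include: is resolved from a dictionary instead of live DNS; a, mx, exists and ptr mechanisms need DNS too and are treated as non-matching here.

```python
import ipaddress

# Constructed record in the same shape as the one discussed above (not TryHackMe's real record).
SAMPLE_RECORD = "v=spf1 ip4:127.0.0.1 include:_spf.google.com include:_spf.chargebee.com -all"

# How a receiving server treats a matching mechanism, by qualifier (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:          # modifiers such as redirect= / exp=; not evaluated here
            continue
        qualifier = "+"          # no qualifier means "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def included_domains(record):
    """Third-party domains whose own SPF records are pulled in via include:."""
    return [value for _, name, value in parse_spf(record) if name == "include"]


def evaluate(record, sender_ip, include_lookup=None):
    """Offline SPF check: include: targets come from include_lookup (assumption) instead of DNS."""
    include_lookup = include_lookup or {}
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        matched = False
        if name in ("ip4", "ip6"):
            # A bare address is treated as a /32 or /128; an IPv4 address never matches ip6:.
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include: matches only when the included record itself evaluates to pass.
            sub = include_lookup.get(value)
            matched = sub is not None and evaluate(sub, sender_ip, include_lookup) == "pass"
        elif name == "all":
            matched = True
        # a, mx, exists, ptr would need DNS lookups and are left unmatched in this example.
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # nothing matched and no "all" term: RFC 7208 default


if __name__ == "__main__":
    print("include: domains:", included_domains(SAMPLE_RECORD))
    for ip in ("127.0.0.1", "203.0.113.5"):
        print(ip, "->", evaluate(SAMPLE_RECORD, ip))
    print("same record with ~all ->", evaluate(SAMPLE_RECORD.replace("-all", "~all"), "203.0.113.5"))
```

Swapping the final -all for ~all is exactly the difference between a Fail and the SoftFail that shows up so often in phishing investigations: the unauthorized sender is still unauthorized, but the record asks the receiver to flag rather than reject.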

Tools for SPF Analysis

Two commonly used tools are:

  • dmarcian SPF Surveyor
    Provides a visual overview of SPF records and helps validate correct syntax.
  • Google Admin Toolbox – Messageheader
    Allows analysts to inspect full email headers and see SPF results.

For example, an SPF result of SoftFail indicates the sending server is not explicitly authorized, but the email was still accepted and marked as suspicious — a common finding in phishing investigations.

Why SPF Matters for Blue Teams

SPF is one of the first checks used by mail servers to evaluate sender legitimacy. While it does not stop phishing on its own, it plays a crucial role when combined with DKIM and DMARC.

For defenders and SOC analysts, understanding SPF helps:

  • Investigate suspicious emails
  • Identify spoofed domains
  • Spot misconfigured email infrastructure
  • Improve overall email security posture

Questions

Based on TryHackMe’s SPF record above, how many domains are authorized to send email on its behalf?

Let’s have a look at the mentioned screenshot:

We are interested in the mail domains mentioned directly after an include. Here we can see three domains: google.com, chargebee.com, and finally hubspotemail.net.

Answer: 3

What is the intended action of an email that returns a SoftFail verification result?

As we discussed earlier, an email that returns a SoftFail result gets sent but gets flagged. The intended action is therefore flag.

Answer: flag


Task 3: DomainKeys Identified Mail (DKIM)

What Is DKIM (DomainKeys Identified Mail)?

DomainKeys Identified Mail (DKIM) is an email authentication method that verifies whether an email message has been tampered with and truly originates from the sending domain.

Like SPF, DKIM is an open standard used for email authentication and DMARC alignment. However, DKIM has a major advantage: it survives email forwarding, which makes it more reliable than SPF and a core building block of modern email security.

In short: DKIM answers the question “Was this email really sent by this domain, and was it changed along the way?”

How DKIM Works

DKIM uses public-key cryptography to validate email authenticity.

Here’s the process at a high level:

  1. The sending mail server generates a digital signature using a private key.
  2. This signature is attached to the email headers.
  3. The receiving mail server looks up the domain’s DKIM public key in DNS.
  4. The public key is used to verify the signature.
  5. If the signature matches, the email is considered authentic.

If verification fails, the email may be flagged as suspicious or rejected, depending on policy.

Why DKIM Survives Forwarding

Unlike SPF, which validates the sending server’s IP address, DKIM validates the content and signature of the message itself.

As long as the message body and signed headers are not modified, DKIM remains valid — even if the email passes through multiple mail servers. This makes DKIM especially valuable in real-world mail flows.

Understanding a DKIM Record

A DKIM record is stored as a DNS TXT record and contains the public key needed to verify the email signature.

Example DKIM Record

v=DKIM1; k=rsa; p=<public_key>

Breakdown of the Record

  • v=DKIM1
    Specifies the DKIM version (often optional)
  • k=rsa
    Indicates the encryption algorithm used (RSA is standard)
  • p=<public_key>
    The public key used to verify the DKIM signature

DKIM records can include additional tags depending on the mail provider and configuration, which is why they often look more complex than SPF records.

DKIM Failure in Email Headers

When analyzing email headers, DKIM results are commonly displayed alongside SPF and DMARC.

A DKIM result of permerror indicates a permanent failure, meaning the verification process could not be completed. Common causes include:

  • Missing or incorrect DKIM DNS records
  • An invalid or corrupted signature
  • Message modification during transit
  • DKIM misconfiguration on the sending server

From a SOC perspective, DKIM permerrors are strong indicators of either misconfigured infrastructure or malicious email activity.
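The two points above (DKIM survives forwarding but not modification, and a record with no key gives a permerror) can be shown with a few lines of Python. This is an example I have added to the walkthrough, not code from the room; it implements only the body-hash part of DKIM verification (the bh= tag, RFC 6376 "simple" body canonicalization) and a DNS-record sanity check, and leaves out the RSA signature over the headers. The message, the selector sel1 and the domain example.com are constructed.

```python
import base64
import hashlib
import re


def simple_body_canon(body):
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing empty
    lines removed; an empty body becomes a single CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else "\r\n"


def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(simple_body_canon(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(tag_list):
    """Parse a 'k=v; k2=v2' tag list, the format shared by DKIM-Signature headers
    and DKIM DNS TXT records. Whitespace inside folded values is dropped."""
    tags = {}
    for item in tag_list.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body_hash(dkim_signature_header, body):
    """True when the body still matches the bh= the signer recorded."""
    return parse_tags(dkim_signature_header).get("bh") == body_hash(body)


def check_dkim_record(txt_record):
    """Why a verifier reports permerror: an empty/missing p= (a revoked key in
    RFC 6376 terms) means there is no key to verify the signature with."""
    tags = parse_tags(txt_record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ("permerror", "unsupported version")
    if not tags.get("p"):
        return ("permerror", "no key for signature")
    return ("ok", tags.get("k", "rsa"))


# Constructed message; the signer computes bh= from the body as it was sent.
ORIGINAL_BODY = "Hi Mary,\r\n\r\nPlease see the attached invoice.\r\n\r\n"
SIGNATURE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;"
                    " h=from:to:subject; bh=" + body_hash(ORIGINAL_BODY) +
                    "; b=<signature-over-headers-omitted-in-this-example>")

if __name__ == "__main__":
    forwarded = ORIGINAL_BODY + "\r\n\r\n"          # extra trailing blank lines added in transit
    tampered = ORIGINAL_BODY.replace("invoice", "updated bank details")
    print("original :", check_body_hash(SIGNATURE_HEADER, ORIGINAL_BODY))
    print("forwarded:", check_body_hash(SIGNATURE_HEADER, forwarded))
    print("tampered :", check_body_hash(SIGNATURE_HEADER, tampered))
    print(check_dkim_record("v=DKIM1; k=rsa; p="))
```

Trailing blank lines added by a forwarding server do not change the canonicalized body, so the hash still matches; a single changed word in the body breaks it. A real verifier would additionally fetch sel1._domainkey.example.com, parse it with the same tag parser, and check the b= signature with the p= key.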

Tools for DKIM Analysis

Two useful tools for working with DKIM are:

  • dmarcian DKIM Record Checker & Validator
    Helps verify DKIM record structure and public key validity
  • Email header analysis tools
    Allow analysts to quickly identify DKIM results such as pass, fail, or permerror

Why DKIM Matters for Blue Teams

DKIM plays a critical role in defending against email-based attacks. It ensures:

  • Message integrity
  • Sender domain authenticity
  • Reliable DMARC enforcement

Together with SPF and DMARC, DKIM forms the foundation of modern email security. For SOC analysts, understanding DKIM is essential when investigating phishing attempts, spoofed domains, and suspicious email headers.

Questions

Based on the sample header above, what is the reason for the permerror?

Let’s have a look at the header:

Well, it says the answer in parentheses right after the permerror, so this is an easy one: there is apparently no key for the signature.

Answer: no key for signature


Task 4: Domain-Based Message Authentication, Reporting, and Conformance (DMARC)

What Is DMARC (Domain-Based Message Authentication, Reporting, and Conformance)?

Domain-Based Message Authentication, Reporting, and Conformance (DMARC) is an open standard that builds on SPF and DKIM to protect domains from email spoofing and phishing.

While SPF and DKIM authenticate different parts of an email, DMARC ties their results together using a concept called alignment. It ensures that the domain visible to the user matches the domain that was actually authenticated.

In simple terms:
DMARC answers the question “Can I trust that this email truly comes from the domain it claims to be from?”

How DMARC Works

When an email is received, the mail server:

  1. Checks the SPF result
  2. Checks the DKIM result
  3. Verifies alignment between the sender’s domain and the authenticated domains
  4. Applies the DMARC policy defined by the domain owner

If SPF and/or DKIM fail alignment, DMARC tells the receiving server exactly what to do with the email.

What Is Alignment?

Alignment means that the domain in the From: header matches the domain validated by SPF and/or DKIM.

  • SPF alignment checks whether the sending server is authorized and uses the same domain
  • DKIM alignment checks whether the DKIM signature matches the sender’s domain

At least one of them must pass and align for DMARC to succeed.

Understanding a DMARC Record

A DMARC record is published as a DNS TXT record and defines how failed emails should be handled.

Example DMARC Record

v=DMARC1; p=quarantine; rua=mailto:postmaster@website.com

Breakdown of the Record

  • v=DMARC1
    Specifies the DMARC version (required)
  • p=quarantine
    Tells receiving servers to move failing emails to the spam folder
    (Other options are none and reject)
  • rua=mailto:postmaster@website.com
    Sends aggregate DMARC reports to the specified email address
    (Optional, but highly recommended)

Common DMARC Policies

Policy        | Meaning
--------------|-------------------------------
p=none        | Monitor only (no enforcement)
p=quarantine  | Treat failing emails as spam
p=reject      | Reject failing emails outright

From a security perspective, moving from none to quarantine to reject is a sign of increasing email security maturity.
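Here is how the alignment rule and the policy tags fit together, as a small DMARC evaluator I have added to this walkthrough (not code from the room). It takes the From: domain, the SPF result with the MAIL FROM domain it was computed for, and the DKIM result with the d= domain, and returns the DMARC result plus the disposition the policy asks for. One simplification to be aware of: the organizational domain is taken as the last two labels, whereas real implementations consult the Public Suffix List. The record and domains are constructed.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into its tags; v=DMARC1 and p= are mandatory."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Simplification (assumption): organizational domain = last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed alignment ('r', the default) accepts subdomains of the same
    organizational domain; strict alignment ('s') needs an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition). spf_domain is the MAIL FROM domain that
    SPF was checked against; dkim_domain is the d= tag of the DKIM-Signature."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:        # at least one must pass AND align
        return ("pass", "none")
    return ("fail", tags["p"])   # none / quarantine / reject, as published by the domain owner


if __name__ == "__main__":
    record = "v=DMARC1; p=quarantine; rua=mailto:postmaster@website.com"
    # Legitimate mail: SPF passes for the same domain the user sees.
    print(dmarc_evaluate(record, "website.com", "pass", "website.com", "fail", ""))
    # Spoof: the attacker's own domain passes SPF, but it does not align with From:.
    print(dmarc_evaluate(record, "website.com", "pass", "attacker.example", "fail", "attacker.example"))
    # DKIM signed by a subdomain: fine under relaxed alignment, not under adkim=s.
    print(dmarc_evaluate(record, "website.com", "fail", "", "pass", "mail.website.com"))
    print(dmarc_evaluate(record + "; adkim=s", "website.com", "fail", "", "pass", "mail.website.com"))
```

The second call is the case DMARC exists for: SPF on its own says "pass" because the attacker's sending server is authorized for the attacker's domain, and only the alignment check against the visible From: domain turns that into a quarantine.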

DMARC in Action

Tools like dmarcian’s Domain Checker allow you to inspect SPF, DKIM, and DMARC records together and quickly identify misconfigurations.

For example, large organizations such as Microsoft use a p=reject policy. This means that any email failing DMARC checks is immediately rejected, making domain spoofing significantly harder.

Why DMARC Matters for Blue Teams

DMARC is where email authentication becomes actionable. Unlike SPF and DKIM alone, DMARC allows domain owners to:

  • Enforce email authentication policies
  • Receive visibility through reports
  • Reduce successful phishing and spoofing attacks
  • Protect brand reputation and user trust

For SOC analysts, DMARC helps:

  • Confirm whether spoofed emails should have been blocked
  • Investigate phishing campaigns
  • Identify weak or misconfigured sender domains

SPF, DKIM, and DMARC – Summary

  • SPF validates where an email comes from
  • DKIM validates what was sent
  • DMARC decides what to do when something fails

Together, they form the foundation of modern email security.

Questions

Which DMARC policy provides the greatest amount of protection by blocking emails that fail the DMARC check?

p=reject provides the greatest amount of protection, as it blocks (rejects) emails outright if they fail the validation checks.

Answer: p=reject


Task 5: Secure/Multipurpose Internet Mail Extensions (S/MIME)

Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard used to digitally sign and encrypt email messages. Unlike SPF, DKIM, and DMARC—which protect domains—S/MIME protects the actual email content and the individual sender.

In simple terms:
S/MIME ensures that an email is private, authentic, and has not been altered.

Core Security Features of S/MIME

S/MIME is built on public key cryptography and provides two primary security functions: digital signatures and encryption.

Digital Signatures

Digital signatures allow the recipient to verify who sent the message and whether it was modified.

They provide:

  • Authentication
    Confirms the sender’s identity using a digital certificate
  • Non-repudiation
    Prevents the sender from denying they sent the message
  • Data Integrity
    Detects any changes made to the message after it was signed

Encryption

Encryption protects the confidentiality of the email content.

It provides:

  • Confidentiality
    Ensures only the intended recipient can read the message
  • Data Integrity
    Detects any modification during transmission

How S/MIME Works (Simple Example)

To use S/MIME, users must have a digital certificate, which contains their public key and is issued by a trusted Certificate Authority (CA).

Here’s a simplified workflow:

  1. Bob obtains a digital certificate, which includes his public key.
  2. Bob signs the email using his private key.
  3. Mary verifies the signature using Bob’s public key from his certificate.
  4. If the email is encrypted, Mary decrypts it using her private key.
  5. When Mary replies, she sends her certificate to Bob.
  6. Both parties now have each other’s certificates for future secure communication.

Once certificates are exchanged, future emails can be signed and encrypted automatically.

Why S/MIME Matters

Unlike domain-based protections, S/MIME:

  • Secures message content, not just headers
  • Protects against man-in-the-middle attacks
  • Works even if email is forwarded or stored
  • Provides strong non-repudiation

From a blue-team perspective, S/MIME is commonly seen in:

  • Executive or legal communications
  • Government and enterprise environments
  • Secure internal email systems

S/MIME vs SPF, DKIM, and DMARC

Technology | Protects        | Focus
-----------|-----------------|-----------------------------------------
SPF        | Domain          | Sending server authorization
DKIM       | Domain          | Message integrity
DMARC      | Domain          | Policy enforcement
S/MIME     | Individual user | Message confidentiality and authenticity

S/MIME does not replace SPF, DKIM, or DMARC — it complements them by securing the email itself.

Why SOC Analysts Should Understand S/MIME

For defenders, S/MIME helps:

  • Identify legitimate signed emails
  • Distinguish spoofed messages from authentic ones
  • Understand why certain emails cannot be inspected by gateways
  • Investigate encrypted email incidents

While S/MIME increases security, it can also reduce visibility for email security tools, making awareness and proper configuration essential.

Questions

Which S/MIME component ensures that only the intended recipient can read the contents of an email message?

Encryption ensures that only the recipient can read the contents of an email message, since she needs a private key to decrypt the message.

Answer: Encryption


Task 6: Analyzing SMTP Responses

In this task, you will analyze a PCAP file with SMTP traffic. Some familiarity with traffic analysis using Wireshark will be helpful, as well as knowledge of SMTP Wireshark filters and status codes.

Go ahead and deploy the machine attached to this task. It will appear in the split-screen view when it’s ready. Then, open the traffic.pcap file on the Desktop to begin your examination.

Questions

Which Wireshark filter can you use to narrow down your results based on SMTP response codes?

Look at the site linked in the description: https://www.wireshark.org/docs/dfref/s/smtp.html.

This site is filled with useful Wireshark filters related to SMTP. One of them (one of the last entries) includes smtp.response.code, which allows us to filter on SMTP response codes.

Answer: smtp.response.code

How many packets in the capture contain the SMTP response code 220 Service ready?

Go ahead and start up the machine. Find the pcap file on the Desktop and open it in Wireshark. Now we get to use the filter we found in the previous question.

I am going to assume that you have some basic Wireshark knowledge (otherwise I have some awesome Wireshark walkthroughs here :D).

For this question we simply need to filter the earlier found attribute on the value 220:

smtp.response.code eq 220

You will see the following 19 packets (the displayed-packet count is shown in the status bar at the very bottom of the window):

Answer: 19

One SMTP response indicates that an email was blocked by spamhaus.org. What response code did the server return?

Now, make sure to remove the filter on SMTP response code 220. We still need to focus on SMTP traffic, so just keep “smtp” in the filter. Now, search on string values by pressing Control + F, or press Edit -> Find Packet. Make sure you search on String, and enter the value spamhaus.org. See the below screenshot:

The response code we are looking for is 553.

Answer: 553

Based on the packet from the previous question, what is the full Response code: message?

You can find the answer to this in the above screenshot, just below the response code.

Answer: Requested action not taken: mailbox name not allowed (553)

Search for response code 552. How many messages were blocked for presenting potential security issues?

You probably know how to do this now. Simply enter the following filter:

smtp.response.code eq 552

Answer: 6
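The same questions can be answered outside Wireshark once you have the server replies as text (for example exported from a capture or pulled from a mail gateway log). The script below is an example I have added to this walkthrough, not code from the room: it parses SMTP reply lines, counts them per code like smtp.response.code eq N would, does the string search, and pulls out every 5xx permanent failure. The replies are constructed and are not the ones in the room's traffic.pcap.

```python
import re
from collections import Counter

# Constructed server replies (code + text, as Wireshark shows them under smtp.response).
SAMPLE_RESPONSES = """\
220 mx.example.net ESMTP Service ready
250 OK
553 5.7.1 Service unavailable; client host listed by spamhaus.org
220 mx.example.net ESMTP Service ready
552 Requested mail action aborted: message blocked for potential security issues
250 2.1.0 Sender OK
552 Requested mail action aborted: message blocked for potential security issues
220 mx.example.net ESMTP Service ready
"""

# Three-digit code followed by a space, or by "-" for the continuation lines of a multi-line reply.
RESPONSE_RE = re.compile(r"^(?P<code>\d{3})[ -](?P<text>.*)$")


def parse_responses(text):
    """Yield (code, message) for every line that looks like an SMTP reply."""
    out = []
    for line in text.splitlines():
        match = RESPONSE_RE.match(line.strip())
        if match:
            out.append((int(match.group("code")), match.group("text")))
    return out


def count_by_code(text):
    """Equivalent of running smtp.response.code eq <N> for every N at once."""
    return Counter(code for code, _ in parse_responses(text))


def find_by_text(text, needle):
    """Equivalent of Wireshark's Find Packet -> String: replies mentioning needle."""
    return [(code, msg) for code, msg in parse_responses(text) if needle.lower() in msg.lower()]


def permanent_failures(text):
    """5xx replies are permanent negative completions (RFC 5321); these are the ones
    worth reviewing when a sender claims mail is being 'blocked'."""
    return [(code, msg) for code, msg in parse_responses(text) if 500 <= code <= 599]


if __name__ == "__main__":
    print("per code:", dict(count_by_code(SAMPLE_RESPONSES)))
    print("spamhaus.org:", find_by_text(SAMPLE_RESPONSES, "spamhaus.org"))
    print("permanent failures:", permanent_failures(SAMPLE_RESPONSES))
```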


Task 7: Inspecting Emails and Attachments

In this task, you’ll move beyond SMTP status codes and responses and begin analyzing SMTP traffic using the same traffic capture from the task above. You will utilize the Internet Message Format (IMF) to examine the inner details of emails, such as sender and recipient fields, content type, and attachments.

Questions

How many SMTP packets are available for analysis?

Simply enter the following filter to only show smtp packets:

smtp

Answer: 512

What is the name of the attachment in packet 270?

To find this packet, you can press Ctrl + G to find a packet (or press Go -> Go to Packet). Enter 270 and press “Go to packet”.

Look in the packet details under SMTP and you will find the answer:

Answer: document.zip

According to the message in packet 270, which Host IP address is not responding, making the message undeliverable?

The answer is also in the above screenshot, on line 4 of the details above.

Answer: 212.253.25.152

By filtering for imf, which email client was used to send the message containing the attachment attachment.scr?

Internet Message Format (IMF) is the standard for structuring text-based emails (headers like To, From, Subject, Date) that runs over protocols like SMTP. In it we can find more details on the contents of emails.

Filter on imf. Now, take a look at the 7 packets found. One of them mentions the attachment.scr file.

If you look for the X-Mailer field you will also find the email client.

Answer: Microsoft Outlook Express 6.00.2600.0000

Which type of encoding is used for this potentially malicious attachment?

Just below the attachment name, there is a field called Content-Transfer-Encoding. This is set to base64.

Answer: base64
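The IMF fields inspected in this task (X-Mailer, the attachment name, its Content-Transfer-Encoding) are exactly what a gateway or a triage script pulls out of a message. As an added example that is not part of the room, the Python below builds a constructed multipart message carrying a base64 attachment named attachment.scr, parses it with the standard email module, and produces a small report that flags attachments by risky extension. The X-Mailer value is the one seen in the room; the addresses, body and attachment bytes are made up.

```python
import base64
import email

# Extensions that a mail gateway would normally block or sandbox (defender's list, not exhaustive).
RISKY_EXTENSIONS = {".scr", ".exe", ".js", ".vbs", ".hta"}


def build_sample_message():
    """Constructed RFC 5322 message (not from the room's capture) with a base64 attachment."""
    payload = base64.b64encode(b"MZ constructed placeholder, not an executable").decode("ascii")
    return (
        "From: accounts@example.com\r\n"
        "To: mary@example.org\r\n"
        "Subject: Invoice\r\n"
        "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "Please open the attached file.\r\n"
        "--b1\r\n"
        'Content-Type: application/octet-stream; name="attachment.scr"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="attachment.scr"\r\n'
        "\r\n"
        + payload + "\r\n"
        "--b1--\r\n"
    )


def inspect_message(raw):
    """Walk every MIME part and report the attachment details an analyst looks for."""
    msg = email.message_from_string(raw)
    report = {"x_mailer": msg.get("X-Mailer"), "attachments": []}
    for part in msg.walk():
        filename = part.get_filename()        # from Content-Disposition / Content-Type name=
        if not filename:
            continue                          # container and plain body parts
        data = part.get_payload(decode=True) or b""   # undo the base64 transfer encoding
        report["attachments"].append({
            "filename": filename,
            "content_type": part.get_content_type(),
            "transfer_encoding": (part.get("Content-Transfer-Encoding") or "").lower(),
            "size": len(data),
            "suspicious": any(filename.lower().endswith(ext) for ext in RISKY_EXTENSIONS),
        })
    return report


if __name__ == "__main__":
    for key, value in inspect_message(build_sample_message()).items():
        print(key, "=", value)
```

Decoding the payload with get_payload(decode=True) is what lets you hash the real file bytes for a reputation lookup rather than the base64 text that appears in the packet.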


Task 8: How Organizations Stop Phishing

While mechanisms like SPF, DKIM, and DMARC help authenticate emails, they are not enough on their own to stop phishing. Modern email systems use additional layers of defense to reduce risk.

Technical Defenses

  • Email Filtering
    Uses IP and domain reputation to block or quarantine suspicious messages.
  • Secure Email Gateways (SEGs)
    Detect spoofing, impersonation, and advanced phishing techniques that basic filters may miss.
  • Link Rewriting
    Replaces URLs with safe redirects, allowing links to be scanned at click time.
  • Sandboxing
    Opens suspicious links or attachments in an isolated environment to observe malicious behavior.
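Link rewriting is the one control in this list that is easy to show end to end. The example below is mine, added to the walkthrough, and not code from the room or from any vendor's product: the gateway side replaces every URL in a message body with a redirect through a scanning endpoint, and signs the original URL with an HMAC so that a forged or edited redirect is refused at click time. The secret, the redirect host safelinks.example-gateway.test and the sample URL are all constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Constructed gateway settings (assumptions): the secret would live only in the gateway,
# and the redirect host would be the organization's click-time scanning service.
GATEWAY_SECRET = b"constructed-demo-secret"
REDIRECT_BASE = "https://safelinks.example-gateway.test/click"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _tag(url):
    """Truncated HMAC-SHA256 over the original URL; binds the redirect to that exact URL."""
    return hmac.new(GATEWAY_SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def rewrite_url(url):
    """Wrap one URL in a signed redirect so it can be scanned when the user clicks."""
    return f"{REDIRECT_BASE}?u={quote(url, safe='')}&t={_tag(url)}"


def rewrite_body(body):
    """Gateway side at delivery time: rewrite every URL found in the message text."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def resolve_click(redirect_url):
    """Gateway side at click time: recover the original URL, or None if the redirect
    was tampered with or not issued by this gateway. Scanning would happen after this."""
    match = re.search(r"[?&]u=([^&]*)&t=([0-9a-f]{32})", redirect_url)
    if not match:
        return None
    original = unquote(match.group(1))
    if not hmac.compare_digest(_tag(original), match.group(2)):
        return None
    return original


if __name__ == "__main__":
    body = "Reset your password here: https://login.example.test/reset?id=42 Thanks!"
    rewritten = rewrite_body(body)
    print(rewritten)
    link = URL_RE.search(rewritten).group(0)
    print("click resolves to:", resolve_click(link))
    print("edited link resolves to:", resolve_click(link.replace("id%3D42", "id%3D43")))
```

The signature matters because the redirect endpoint is, by design, an open redirector for anything it will accept; without the HMAC check, anyone could craft a safelinks URL pointing wherever they like and borrow the gateway's reputation.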

User-Focused Measures

  • Trust and Warning Indicators
    Visual cues such as “External Sender” or “Suspicious Link” banners help users assess risk.
  • Phishing Reporting
    Built-in reporting options allow users to quickly flag suspicious emails.
  • User Awareness Training & Simulations
    Educates users on phishing tactics and reinforces learning through controlled phishing exercises.

Questions

A security team wants to implement a control to detect hidden malware inside email attachments.
They need a way to analyze suspicious files without risking infection on real systems.
Which protective technique would allow them to observe a file’s behavior safely?

This is clearly a sandboxing environment the team needs.

Answer: Sandboxing


Task 9: Conclusion

In this room, you explored how technologies like SPF, DKIM, DMARC, and S/MIME work together to authenticate email and protect users against phishing. You then learned how to interpret SMTP response codes and analyze SMTP traffic to understand how email servers handle messages. Finally, you examined the tools and technologies organizations use to detect and prevent phishing attempts, combined with user-focused awareness and reporting mechanisms.

Explore the rooms below to expand your understanding of phishing.

Questions

Complete the room and continue on your cyber learning journey!

Answer: No answer needed.

Congratulations on completing Phishing Prevention!!!

Congratulations on completing Phishing Prevention. This is one of the better rooms out there, and I really like the combination of theory, practice and a bit of Wireshark to really make the theory relevant. Thanks for reading!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find my other TryHackMe SOC Level 1 Path walkthroughs here.

Find my other walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
