
SANS ISC: Quick Analysis Of Phishing MSG - SANS Internet Storm Center


Quick Analysis Of Phishing MSG

Reader Robert submitted a phishing email (msg file).

.msg files are Compound File Binary Format files (also known as OLE files), and as such they can be analyzed with oledump.py.

And I have plugins specific for .msg files: plugin_msg.py and plugin_msg_summary.py.

Robert's submission inspired me to add a small feature to plugin_msg_summary: it will now search through all streams for URLs, and report them.

This way, one can now immediately see the phishing URLs in a phishing email.
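As an added example that is not the diary's or oledump.py's own plugin code: a small Python script that opens an .msg with the third-party olefile module (assumed installed), walks every stream and reports the URLs found in it, scanning both the raw bytes and the UTF-16LE encoding that Outlook uses for Unicode string properties, so URLs in Unicode streams are not missed.

```python
import re
import sys

# Constructed example, not the plugin code from the diary: scan every stream
# of an Outlook .msg (an OLE compound file) for URLs. Container parsing uses
# the third-party olefile module (assumed installed: pip install olefile).

# RFC 3986-style URL characters; a match stops at whitespace, quotes or NULs.
_URL_PATTERN = r"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+"
URL_RE_BYTES = re.compile(_URL_PATTERN.encode("ascii"))
URL_RE_TEXT = re.compile(_URL_PATTERN)


def find_urls(data: bytes) -> list:
    """Return unique URLs in a raw stream, in order of first appearance.

    .msg string properties come in two flavours: 8-bit (PT_STRING8) and
    Unicode (PT_UNICODE), the latter stored as UTF-16LE. In UTF-16LE every
    ASCII letter is followed by a NUL byte, so a byte-level regex misses
    those URLs; decode the stream as UTF-16LE and scan it a second time.
    """
    hits = [m.decode("ascii") for m in URL_RE_BYTES.findall(data)]
    hits += URL_RE_TEXT.findall(data.decode("utf-16-le", errors="ignore"))
    unique = []
    for url in hits:
        url = url.rstrip(".,;:")  # trailing sentence punctuation, not URL
        if url not in unique:
            unique.append(url)
    return unique


def scan_msg(path: str) -> dict:
    """Map stream name -> URLs for every stream in the .msg at `path`."""
    import olefile  # third-party; imported here so find_urls works without it

    report = {}
    with olefile.OleFileIO(path) as ole:
        for entry in ole.listdir(streams=True, storages=False):
            urls = find_urls(ole.openstream(entry).read())
            if urls:
                report["/".join(entry)] = urls
    return report


if __name__ == "__main__":
    for stream, urls in scan_msg(sys.argv[1]).items():
        print(stream)
        for url in urls:
            print("  " + url)
```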

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

May 14th 2022
