analyzing-email-headers-for-phishing-investigation

# Analyzing Email Headers for Phishing Investigation ## When to Use - When investigating a suspected phishing email to determine its true origin - For verifying sender authenticity and detecting email spoofing - During incident response when a user has clicked a phishing link - When tracing the delivery path and relay servers of a suspicious email - For validating SPF, DKIM, and DMARC alignment to identify forgery ## Prerequisites - Raw email headers from the suspicious message (EML or MSG format) - Understanding of SMTP protocol and email header fields - Access to DNS lookup tools (dig, nslookup) for SPF/DKIM/DMARC verification - Email header analysis tools (MHA, emailheaders.net concepts) - Python with email parsing libraries for automated analysis - Access to threat intelligence platforms for IP/domain reputation ## Workflow ### Step 1: Extract Raw Email Headers ```bash # Export from Outlook: Open email > File > Properties > Internet Headers # Export from Gmail: Open email > Three dots > Show original # Export from Thunderbird: View > Message Source # If working with EML file from forensic image cp /mnt/evidence/Users/suspect/AppData/Local/Microsoft/Outlook/phishing_email.eml \ /cases/case-2024-001/email/ # If working with PST file, extract individual messages pip install pypff python3 << 'PYEOF' import pypff pst = pypff.file() pst.open("/cases/case-2024-001/email/outlook.pst") root = pst.get_root_folder() def extract_messages(folder, path=""): for i in ran...