Emails reported via established add-ins are directed to the Reported Email section in the PhishTrace application. This section provides a screen where you can categorize and analyze the reported emails for further action.
Reported Emails
The Reported Emails section, located at the top left, consists of four categories: Phishing, Spam, Clean, Unknown.
Reported emails can be placed in these categories (phishing, spam, clean, and unknown) either manually by the user or automatically through predefined rules or filters, so categorization can be hands-on or automated according to organizational needs.
A security analyst evaluates each reported email and, based on the content and sender information, classifies the email into one of several categories. For instance, an email containing a suspicious link would be categorized as phishing, whereas a benign newsletter would be designated as clean.
Detailed View of Reported Email
On the left side of the panel, there is a section displaying reported emails. From this view, you can access key details such as sender information and subject without needing to open the full email content.
At the top right, the Select All button allows you to select all emails within the current category (phishing, spam, clean, or unknown). Each email also has its own selection button at the top right, so you can select specific emails for further review or action.
This streamlined interface enables users to efficiently manage and process multiple reported emails.
Details of the Reported Email
Reporter Name: Displays the name of the user who reported the email.
Reporter Email: Shows the email address of the user who reported the email.
Email Subject: Displays the subject line of the reported email.
Email Tags: Lists the tags associated with the email, which help in filtering and taking actions.
An email can have multiple tags based on the analysis, including:
- FINALIZED: Tag applied when the email analysis is complete.
- INV_RUNNING: Tag assigned when actions or investigations on the email are still in progress.
- Rule-based Tags: If an email matches specific predefined rules, it receives a tag with the rule’s name.
- IOC Source Tags: If malicious content is identified based on specific Indicators of Compromise (IOC) sources, the email receives a tag corresponding to the IOC source.
Reported Date: Displays the date the email was reported.
Download Button: Allows the email to be downloaded in EML format for further investigation or record-keeping.
Manager Report, CSV and Excel Reports, Import Emails
In the top right corner of the main screen, there are also four different features. These features allow you to generate reports and import emails into the module.
The Manager Report button generates a PDF document for one of the following timeframes: Last 24 hours, Last Week, Last Month.
The report provides a summary of the total numbers of Suspicious Emails, Spam Emails, and Clean Emails, along with their categorization outcomes as Suspicious, Spam, or Clean by the analyst.
In addition, the report includes data on Suspicious Email Responses, Senders Classified as Suspicious, Senders Classified as Spammers, Subjects Classified as Suspicious, and Subjects Classified as Spam.
Creating CSV and Excel Reports
The Create Report button generates reports in CSV or XLS format. These reports are more detailed and present the information in a data-oriented manner.
Import Emails
The Import button on the far right allows you to upload emails in EML format from your computer into the module. Additionally, the email import process can also be performed.
Analysis Section
In the analysis section, users can access a wide range of information related to the reported email. The analyses draw on multiple sources.
When you open the analysis section, you are presented with several subsections that either execute actions or provide analysis. These are:
- Assigning Analysts: A button that allows assigning the analysis task to one of the authorized users. A notification email is sent to the relevant user after the Assign action is completed for a reported email.
- Categorization: A section containing buttons that enable the categorization of emails listed in the Reported Emails section.
- Completion and Action Buttons: If the analysis process is finalized, a button that moves the emails to the Completed Incidents section, alongside a button used to initiate any manual actions. If no manual actions are available, the button will display the message No Manual Actions Defined.
- BeamSec Analysis: In the BeamSec analysis, evaluations are conducted on the reported email to review redirection, link details, and whether the reply-to address matches the sender’s address.
- SpamAssassin Analysis: PhishTrace works in conjunction with the SpamAssassin application.
SpamAssassin is open-source email filtering software that uses a variety of heuristic and statistical techniques to detect and block unsolicited email, commonly known as spam. It assigns each email a score based on content analysis.
The default SpamAssassin threshold is 5. If a reported email's score is -5 or close to it, the likelihood of the email being classified as spam decreases; if the score is 5 or close to it, the probability of it being spam increases.
An email's phishing score may exceed the designated threshold value. This is considered normal.
Sender Analysis
In the Sender Analysis section, information regarding the source of the email sender can be accessed.
- Sender: provides details such as the Sender, Sender Information, and Return-Path.
Return-Path is a key component in email headers that identifies the address designated to receive bounce messages (non-delivery notifications). It plays an important role in handling email delivery issues.
- Sender Domain: provides information about the domain from which the email was sent, including the domain address, last updated time, creation time, origin of the domain, and blacklist status.
- Mail Server: provides detailed information about the server from which the email was sent, including the hostname, whether the server is listed on a blacklist, the entity that provided the SPF pass, and the server's IP address along with its blacklist status.
Incident Details
In this section, you can view details pertaining to the reporting of the incident.
Email ID: This section displays the unique email IDs assigned to each email.
First Reporter: In this section, you can view the email address of the individual who initially reported the email. Additionally, by selecting the View All option, you can see other individuals who have also reported the same email.
Received Date: Indicates the number of days that have passed since the email was sent to the user.
Report Date: Shows the number of days that have elapsed since the user reported the email.
Automated Incident Response: If an action defined in the playbook is automatically triggered by the email, the corresponding action will be displayed in this section.
Manual Incident Response: If an action is manually triggered, it will be shown in this section.
Mail Content
A preview of the reported email is displayed. By default, images within the email are disabled; use the Images button to view them. To download the email to your computer, use the EML button.
Header Analysis
Header analysis in emails involves examining the metadata embedded in the email headers to identify key details such as the sender’s origin, the route the email has taken, and potential signs of tampering or malicious intent. This process helps in verifying the legitimacy of an email and provides insights into its technical properties, which are critical for threat detection and analysis.
Some important elements in email header analysis are:
- Sender’s IP Address: Helps trace the origin of the email. Verifying if the IP aligns with the expected source can indicate whether the email is legitimate or suspicious.
- Return-Path: Indicates the actual return address for the message, which can help detect spoofing attempts by comparing it with the visible sender.
- DKIM (DomainKeys Identified Mail): Provides a cryptographic signature verifying the email’s domain of origin. A mismatch could suggest tampering or phishing.
- SPF (Sender Policy Framework): Specifies which IP addresses are authorized to send emails on behalf of a domain. Failures in SPF checks could indicate a forged sender address.
- Received Fields: Shows the route the email took from the sender to the recipient. This is crucial for spotting anomalies or suspicious relay servers.
- Message-ID: A unique identifier for the email. Inconsistent or non-standard formats could suggest the email is part of a spam or phishing campaign.
- Date and Time: Verifies the timeline of when the email was sent. Discrepancies or outdated timestamps could indicate manipulation or a delayed delivery attempt for malicious purposes.
- MIME-Version: Specifies the format of the email content. Inconsistent or unusual MIME versions can sometimes signal email manipulation or malicious content.
- Authentication-Results: Displays the results of SPF, DKIM, and DMARC checks, providing insight into the legitimacy of the email and whether it passed these key verification protocols.
Including these elements in your header analysis helps ensure thorough verification of an email’s legitimacy, aiding in the detection of phishing or other email-based threats.
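As an added illustration of the checks listed above (example code written for this page, not part of PhishTrace), the script below parses a constructed raw message, extracts the Return-Path, Received, Authentication-Results and Message-ID elements, and flags the mismatches the list describes. The sample headers, addresses and IPs are constructed from reserved documentation ranges.

```python
import email
from email.utils import parseaddr

# Constructed sample; example.com / example.net are reserved documentation domains.
RAW_EMAIL = """\
Return-Path: <bounce@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.com; Mon, 3 Mar 2025 10:00:00 +0000
Received: from [198.51.100.7] by mail.example.net; Mon, 3 Mar 2025 09:59:58 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=example.com
From: "IT Support" <helpdesk@example.com>
Reply-To: support-desk@example.net
Message-ID: <not-a-standard-id>
Date: Mon, 3 Mar 2025 10:00:00 +0000
MIME-Version: 1.0
Subject: Password expiry notice

Please reset your password.
"""

def parse_auth_results(value: str) -> dict:
    """Reduce 'authserv; spf=fail ...; dkim=none; dmarc=fail ...' to {'spf': 'fail', ...}."""
    results = {}
    for clause in value.split(";")[1:]:        # clause 0 is the authserv-id, not a result
        method, _, rest = clause.strip().partition("=")
        if method:
            results[method] = rest.split()[0] if rest else ""
    return results

def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def analyze_headers(raw: str) -> dict:
    """Extract the header elements listed above and flag the mismatches the text describes."""
    msg = email.message_from_string(raw)       # compat32 policy: every header is a plain str
    from_domain = domain_of(msg.get("From", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    for name in ("Return-Path", "Reply-To"):   # visible sender vs. bounce / reply addresses
        if msg.get(name) and domain_of(msg[name]) != from_domain:
            findings.append(f"{name} domain differs from From domain")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} did not pass ({auth.get(method, 'missing')})")
    if "@" not in msg.get("Message-ID", ""):   # well-formed ids look like <local@domain>
        findings.append("Message-ID lacks the usual local@domain form")
    return {
        "hops": msg.get_all("Received", []),   # top-most Received line is the last relay
        "auth": auth,
        "findings": findings,
    }
```

Run against the constructed message this reports two relay hops, failed SPF/DMARC with no DKIM, and domain mismatches on both Return-Path and Reply-To.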
Links & IOC Sources
Links
When a reported email contains links, they are scanned against IoC sources. PhishTrace performs its analysis using a range of trusted sources, including BEAMSEC, VirusTotal, Metadefender, PhishTank, URLHaus, SpamHausDBL, USOM, and OTX, ensuring a comprehensive assessment.
In the Settings under the IoC configuration, you can select the types of scans that services will perform on reported emails.
Scanning Statuses
Clean or No Evidence: If no malicious elements are detected in the scanned link by the respective IoC source, it is classified as Clean. However, this classification may vary depending on the source. For example, the USOM source refers to this status as No Evidence, indicating that the link submitted for scanning is not present in the IoC source’s database.
Malicious: This classification appears in the scan results when adverse findings are detected. These findings are based on various analyses conducted by the scanning source, including IP reputation, DNS analysis, blacklist checks, and other relevant assessments.
Marked: Certain IoC services use this status with a threshold value. A link is considered Malicious only if a minimum number of sources within the IoC service identify it as such. If the number of sources flagging the link as malicious falls below the defined threshold, it is labeled as Marked. VirusTotal is an example of an IoC service employing this threshold-based approach.
Error: This status is typically displayed when there is an incomplete configuration, such as a missing API key, or when the quota for the IoC service has been fully utilized.
Attachments
The Attachments section operates in a manner similar to the analysis performed in the Links section. Its primary objective is to assess whether the attached file is classified as malicious or clean, based on the analysis conducted through scanning IoC sources.
The analysis can be performed on most known file extensions. Some of these formats include doc, docx, xml, xls, csv, and many others.
When you click on the Details button, you can view the hash analysis of the attached file. These analyses are performed using SHA1, SHA256, and MD5 algorithms.
During the hash analysis, no data is sent to external sources.
You can perform a Sandbox scan using MetaDefender and Anyrun. During this process, your file will be transferred to a third-party source for analysis.
Hash scans are displayed as FILE HASH SHA256, FILE HASH SHA1 and FILE HASH MD5. Files sent for sandbox analysis are shown as FILE CONTENT.
To view the scan and sandbox results on the corresponding source, click on the icons highlighted in the visual.
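As an added example of the local hash analysis step (written for this page, not PhishTrace's own code), the script below builds a constructed EML with one CSV attachment, decodes each attachment and computes the SHA256, SHA1 and MD5 digests entirely on the host, labelled as the Details view shows them. The sample message and its contents are constructed.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

def build_sample_eml() -> bytes:
    """Constructed message with one CSV attachment, standing in for a reported EML."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"id,amount\n1,100\n", maintype="text",
                       subtype="csv", filename="invoice.csv")
    return msg.as_bytes()

def digests(data: bytes) -> dict:
    """The three hashes the Details view lists, labelled the way the page shows them."""
    return {
        "FILE HASH SHA256": hashlib.sha256(data).hexdigest(),
        "FILE HASH SHA1": hashlib.sha1(data).hexdigest(),
        "FILE HASH MD5": hashlib.md5(data).hexdigest(),
    }

def hash_attachments(eml: bytes) -> list:
    """Decode every attachment in the EML and hash it locally; nothing leaves the host."""
    msg = email.message_from_bytes(eml, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)    # undo base64 / quoted-printable transfer encoding
        results.append({"filename": part.get_filename(), "size": len(data), **digests(data)})
    return results
```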
Matched Action Groups and Incident Management
In the Action section, various actions can be executed on the email. Additionally, you can view different types of pre-configured and matched actions. If any pre-prepared actions require automation, this can be configured through the Playbook section.
The Action section within a reported email consists of three parts.
The first of these is Matched Action Groups. In a reported email, the playbook that matches the created rule and the corresponding actions taken are displayed.
The interface always displays the last 10 emails. However, actions are applied to all emails in the mailbox, depending on the status of the executed action.
As shown in the example in the visual, the Modified field displays the total number of emails in the mailbox, while the list provides a view of the last 10 emails.
This section shows when actions from matching playbook rules were executed, along with the total number of recipients and emails the action was applied to. Manually applied actions are also shown here.
After clicking the Incident Management button, a screen appears where you can initiate various actions on emails. Before execution, you must make the following selections:
- Search Base Section: Allows you to select the part of the email on which the execution will be performed.
- Condition Section: Presents two options for setting conditions:
  - Equals: Checks for an exact match with the specified value. When selected, it searches for results that match the exact value set in the search base.
  - Contains: Checks if the specified value is included within the search base, returning all results that contain the given value.
- Process Section: Offers various types of actions:
  - Find: Searches for specific emails based on the defined criteria.
  - Delete: Permanently removes the selected email(s).
  - Quarantine: Moves emails to a quarantine area for further examination.
  - Move to Spam: Relocates the email(s) to the spam folder.
  - Move to Inbox: Returns the email(s) to the inbox.
  - Hide URL: Conceals the URL in the email, rendering it inaccessible.
  - Show URL: Reveals and makes a previously hidden URL accessible.
  - Message: Sends a custom message or notification as part of the process.
- Created Executions Section: All actions applied to the reported email are displayed in the Created Executions section. This list also includes automatically executed actions.
An applied action can be canceled through this list as well. The time required to cancel an action varies depending on the number of emails and recipients involved. Please consider this condition when canceling an action.
How to Track Analyst Performance
Analysts are the Accounts added to the application. Their response times to reported emails are recorded in the Analyst Score Card.
To access the Analyst Score Card, first navigate to Settings > Accounts.
You can access the Analyst Score Card screen from the Analyst Report Card section highlighted in the visual.
Under the Results of Incidents Response section, the following groupings are displayed: Phishing, Spam, Unknown, and Clean. For these results to be recorded in the Analyst Score Card, the reported emails must be marked as Completed.
The Analyst Score increases with faster response times and decreases with each delayed response to a reported email.
Total Number of Incidents shows how many emails the analyst has responded to.
Average Incident Response Time displays the average time taken by the analyst to respond to incidents.
A chart displays the number of reported and addressed emails on a daily or monthly basis.