Tool to track emails for a phishing campaign

Anyone know of a good tool to track emails for a phishing campaign?
I need to parse through a few months of legitimate and non-legit emails coming from the same company's domain since they were compromised at some point.

So far I’ve set up MHA (Message Header Analyzer) but I can only parse single message headers and would have to copy out relevant info to a spreadsheet manually.

Thanks,
J

Hi J,

I don’t think a single strategy will be enough. As one of these strategies, you can give some of the email blacklists out there a try. We parse the email lists from StopForumSpam every day. They are good lists for forensics, especially spam in forums (as the name says). You can cross your data with their lists and see what happens. They store emails from several intervals (1 day, 7, 30, 6 months, 1 year…).

It’s not phishing but maybe you can find compromised email accounts used for other activities.

Good luck!

Haven’t checked out this tool but maybe it could be helpful: https://github.com/serdarhaliloglu/Phishing-Email-Analyzer.

Otherwise you could use curl and script to get the desired results, maybe use this online tool: https://mxtoolbox.com/EmailHeaders.aspx?

Have you looked at LogRhythm’s PIE (https://github.com/LogRhythm-Labs/PIE/)? It looks like it is OS, geared for O365, but with a bit of work might be an option. Also, if you hit up Greg Foss (@Heinzarelli) on Twitter, he is generally pretty responsive.

Thanks for sharing such cognitive information. It is useful.
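
For the batch problem in the original question (one header at a time in MHA, then copying fields into a spreadsheet by hand), here is an added example that is not part of any post in this thread and is not taken from the tools linked above. It reduces each raw message to one CSV row using only the Python standard library; the field names, flag names and the sample message are assumptions made for illustration, and only IPv4 addresses in `Received` headers are extracted.

```python
import csv, email, email.policy, io, re
from email.utils import parseaddr

FIELDS = ["date", "from", "reply_to", "return_path", "origin_ip",
          "spf", "dkim", "dmarc", "subject", "flags"]

def summarize(raw):
    """Reduce one raw message (bytes) to a dict keyed by FIELDS."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    addr = lambda h: parseaddr(str(msg.get(h, "")))[1].lower()
    dom = lambda a: a.rpartition("@")[2]
    row = {"date": str(msg.get("Date", "")), "subject": str(msg.get("Subject", "")),
           "from": addr("From"), "reply_to": addr("Reply-To"), "return_path": addr("Return-Path")}
    # Hops are prepended, so the last IPv4 is the claimed origin (forgeable below your own MX).
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]",
                     " ".join(map(str, msg.get_all("Received", []))))
    row["origin_ip"] = ips[-1] if ips else ""
    # Trust Authentication-Results only when your own receiving server added it.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                " ".join(map(str, msg.get_all("Authentication-Results", []))).lower()))
    row.update({k: auth.get(k, "") for k in ("spf", "dkim", "dmarc")})
    flags = [f"{h}_mismatch" for h in ("reply_to", "return_path")
             if row[h] and dom(row[h]) != dom(row["from"])]
    if any(v != "pass" for v in auth.values()):
        flags.append("auth_not_pass")
    row["flags"] = ";".join(flags)
    # Header values are attacker-controlled: neutralise spreadsheet formulas.
    return {k: "'" + v if v.startswith(("=", "+", "-", "@")) else v for k, v in row.items()}

def to_csv(raw_messages):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(summarize(r) for r in raw_messages)
    return out.getvalue()

# Constructed sample message (reserved example domains and documentation IPs).
SUSPECT = b"""\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail
Received: from relay (unknown [198.51.100.7]) by mx.corp.example; Tue, 04 Jun 2024 02:13:40 +0000
Received: from host (host [203.0.113.99]) by relay; Tue, 04 Jun 2024 02:13:38 +0000
From: Billing <billing@vendor.example>
Reply-To: billing@vendor-payments.invalid
Subject: =Updated bank details
"""

if __name__ == "__main__":
    print(to_csv([SUSPECT]))
```

Pass `to_csv` the raw bytes of each exported `.eml` file. A `Return-Path` mismatch is common for legitimate bulk senders, so the flags work better as sort keys for triage than as verdicts.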