A comprehensive study guide covering email IOCs, phishing and impersonation attacks, email header analysis, MIME payloads, SPF/DKIM/DMARC authentication, cousin domain attacks, SMTP log analysis, and S/MIME message security.
Objective 1.3 — Tools & techniques to determine malicious activity
1
Email IOCs — Phishing, Spear Phishing & BEC
Email is the most common attack vector used in social engineering campaigns. Understanding the escalating precision of email attacks — and the specific IOCs each produces — is essential for the exam.
Spam
Bulk, indiscriminate
Unsolicited junk email sent to a wide recipient list. The attacker casts a broad net hoping some percentage of recipients will engage. No specific targeting.
Phishing
Impersonation + pretext
Fraudulent email purporting to be from a reputable company. Uses a pretext (false motive) to induce victims to reveal passwords, credit card numbers, or other sensitive data. Example pretext: "Your PayPal account has been compromised — click here."
Spear phishing
Targeted specific individual/org
An email spoofing attack targeting a specific individual or organisation using tailored information. Example: attackers with a breached bank customer list target only actual customers of that bank — far more convincing than generic phishing.
Whaling
C-level targeting
Spear phishing specifically targeting executives (CEO, CFO, CISO). High-value targets because they have authority to approve wire transfers, access sensitive systems, and override controls.
BEC
Business email compromise
Attacker gains control of an employee's actual account (via phishing) and uses it to convince other employees to perform fraudulent actions — often wire transfers. Differs from spoofing: the account is real and authenticated, making it far harder to detect.
Email spoofing
Forged sender identity
Sending email that appears to come from a specific person without actually controlling their account. Mimic the CFO's name and email format, match their writing style, and issue a fraudulent payment instruction. Detectable via header analysis.
Forwarding as a spoofing technique
A sophisticated spoofing variant: the attacker compromises a lower-level employee, then sends a forwarded email chain that appears to originate from a senior executive buried in the thread. The visible message is from the compromised employee, but the forwarded content appears to show executive authority. If recipients read only the top message, they may not scrutinise the chain underneath it.
Key exam distinction: BEC = attacker controls the legitimate email account (authenticated). Email spoofing = attacker forges the sender address (not authenticated). BEC is harder to detect because authentication passes. Spoofing can be detected via header analysis and authentication records (SPF/DKIM/DMARC).
2
How Email Travels — MUA, MDA & MTA
Understanding the email delivery chain is the foundation for reading headers. Every hop an email makes adds information to the internet header — creating a forensic trail you can follow backward to find the true origin of a spoofed message.
MUA
Mail User Agent
Sender's email client — Gmail, Outlook, Thunderbird. Creates the initial header and message.
SMTP →
MDA
Mail Delivery Agent
Sender's mail server. Authenticates the sender, checks if delivery is local or external.
SMTP →
MTA
Message Transfer Agent
Routes message across internet via DNS MX records. Each hop adds a "Received:" header entry.
SMTP →
MTA
Recipient's MTA
Accepts message for the recipient's domain. Checks SPF/DKIM/DMARC. Adds final Received: entry.
→ MDA
MDA
Mail Delivery Agent
Places message in the recipient's mailbox (IMAP/POP3 storage). Waits for client to retrieve.
POP3/IMAP
MUA
Mail User Agent
Recipient's email client downloads and displays the message.
Gold-highlighted MTAs are where attackers inject false header information. Every MTA adds a new "Received:" line to the internet header. Reading these lines from the bottom up reveals the true origin of the message — the first hop at the bottom is where the message actually started.
3
Email Header Analysis — The Three From Fields
Every email contains three distinct sender address fields — only one is visible to the recipient in their mail client. Attackers exploit this asymmetry to make spoofed emails appear legitimate. Understanding all three fields is essential for header analysis on the exam.
Field
Also called
Visible to recipient?
Attacker control
Forensic value
From: (display)
Display From, Header From, Friendly name
Visible
Complete — can be set to anything, e.g. Gmail Accounts <theft@badguy.com>. Clients only show the friendly name, hiding the real address in brackets.
Low — entirely attacker-controlled and meaningless for verification.
Return-Path:
Envelope From, MAIL FROM, Bounce address
Hidden
Can be set to a fake address. This is where bounced mail is sent. However, it must be a functional address the MTA can reach or delivery fails.
Medium — reveals the actual sending infrastructure. Check the domain here against SPF records.
Received:
Received From/By, MTA hop record
Hidden
Each MTA adds its own line — earlier hops can be forged, but the first legitimate MTA's entry is usually trustworthy.
High — read bottom-up to trace the true origin. The lowest (oldest) Received: entry is the originating server.
How to read a suspicious email header
email internet header — annotated analysis
# STEP 1: Find Authentication-Results — read this first Authentication-Results:mx.receiver.com; header.from=spam.foo← display From domain smtp.mailfrom=spam.foo← envelope From domain → mismatch = red flag client-ip=w.x.y.z← originating IP → look up on AbuseIPDB / reputation feeds
# STEP 2: Read Received: headers BOTTOM UP (oldest = true origin) Received: from openrelay.foo [w.x.y.z]
by mx.receiver.com with SMTP; ... ↑ This is the first hop — the actual sending server ↑ "openrelay" = compromised server being used by attacker
# STEP 3: Check the visible From and Subject From:Gmail Accounts <spammer@spam.foo> ↑ Friendly name spoofed to look like Gmail Subject:Your account is blocked by the administrator ↑ Urgency/alarm pretext — common phishing trigger
# STEP 4: Check Return-Path (real bounce address) Return-Path: <spammer@spam.foo> ↑ Must be real for delivery — reveals true infrastructure
Analysis tool: Instead of reading raw header text manually, paste the full header into testconnectivity.microsoft.com (Message Header Analyzer). It breaks the header into a clean hop-by-hop table showing each server, the delay between hops, and authentication results. Unusually long delays between hops may indicate message tampering.
Exam approach for header questions: Given a header snippet, look for (1) mismatches between the Display From and the smtp.mailfrom in Authentication-Results, (2) a suspicious originating IP or domain in the bottom-most Received: line, (3) a subject line using urgency or alarm as pretext, (4) a Return-Path that reveals a different domain than the displayed sender. Any of these is an IOC.
MIME (Multipurpose Internet Mail Extensions) is the standard that allows email bodies to carry HTML, rich text, binary data (Base64-encoded), and attachments. It is not inherently malicious — but attackers weaponize it to deliver payloads.
Exploit (script-based)
Code executes on preview
MIME supports HTML — which supports JavaScript. A malicious script embedded in an HTML email can execute when the email client renders a preview pane, without the user clicking anything. Targets vulnerabilities in the mail client itself.
Attachment
File requires user interaction
A file (virus, worm, dropper) attached to the email in the hope the recipient opens or executes it. Users have become more cautious about unknown attachments, so attackers have shifted toward embedded links instead.
Embedded link
Display text hides true URL
A link showing www.diontraining.com as display text may actually point to badguysite.malware. Never click — instead copy the raw URL and examine it in full before visiting. Shortened URLs (bit.ly etc.) hide the destination entirely.
Email signature blocks as an IOC
If everyone in your organisation uses an identical, standardised email signature block, a message that purports to be from inside the organisation but lacks that standard signature block — or has a poorly formatted one — is a phishing indicator. Attackers crafting spoofed internal emails often don't know the exact signature format used.
Safe link handling: Copy the raw link text, paste it into your browser's address bar, and read the full URL before pressing Enter. This defeats both display-text spoofing and shortened URL hiding. In a corporate environment, a proxy or URL-filtering tool should be doing this automatically.
5
Email Server Security — SPF, DKIM, DMARC & Cousin Domains
Three complementary DNS-based authentication mechanisms work together to make email spoofing significantly harder. All three are published as DNS TXT records and checked automatically by receiving mail servers.
SPF
Full name: Sender Policy Framework
Type: DNS TXT record (one per domain)
What it does: Lists the IP addresses and servers authorised to send mail on behalf of this domain.
How checked: Receiving MTA looks up the sending domain's SPF record and checks whether the sending server's IP appears in it.
Example:v=spf1 mx include:_spf.google.com -all
Limitation: Only validates the envelope From (Return-Path), not the display From.
DKIM
Full name: DomainKeys Identified Mail
Type: DNS TXT record (public key)
What it does: Sending MTA cryptographically signs outgoing email headers using a private key. Receiving MTA verifies the signature using the published public key.
How checked: MTA hashes the selected headers, decrypts the signature with the public DNS key, compares them. Match = headers unmodified in transit.
Gives you: Integrity — proves headers were not tampered with in transit.
Note: Can replace or supplement SPF. Signs on behalf of the server, not the individual user.
DMARC
Full name: Domain-Based Message Authentication, Reporting & Conformance
Type: DNS TXT record (policy)
What it does: Defines what the receiving MTA should do when SPF or DKIM checks fail: none, quarantine, or reject. Also requests failure reports back to the domain owner.
Works with: SPF alone, DKIM alone, or both together.
Enforcement: Closes the loophole where SPF/DKIM pass but the display From is spoofed — DMARC aligns the authentication result with the displayed domain.
How DMARC enforces the authentication chain
Authorised sender (green path)
Sender MTA adds SPF/DKIM headers → message arrives at recipient MTA → MTA looks up DMARC policy + SPF/DKIM records via DNS → authentication passes → message delivered to inbox.
Spoofed sender (red path)
Attacker MTA sends spoofed message → arrives at recipient MTA → MTA checks DMARC policy + SPF/DKIM → authentication fails (wrong IP, missing signature, domain mismatch) → message rejected, quarantined, or flagged per DMARC policy.
Cousin domains — what SPF/DKIM/DMARC cannot stop
A cousin domain is a DNS domain that looks visually similar to a legitimate domain when rendered in a mail client. An attacker registers the cousin domain, correctly configures its own SPF/DKIM/DMARC records, and sends email from it — which passes all authentication checks because it is, technically, a legitimate domain. It is just a different one from the real organisation.
diontraining.comvsdiontrainimg.comLast 'n' swapped for 'm'
diontraining.comvsdiontraning.comOne 'i' dropped
support@diontraining.comvssupport@deiontranimg.comMultiple character substitutions
DMARC blind spot: SPF, DKIM, and DMARC all pass for a properly configured cousin domain — because the email really does come from that domain. The only defence is user training (verify the exact spelling) and automated cousin-domain monitoring that flags newly registered domains similar to yours.
6
SMTP Log Analysis
SMTP logs record every transaction between mail servers in a request/response format. Each log entry captures the timestamp, sender/recipient address, message size, and a numeric status code. Reading these logs lets you trace where a message came from, whether it was accepted, and why it might have been rejected.
SMTP status codes
Code
Meaning
Direction
Notes
220★ exam
Service ready
Server → client
Server is ready to accept commands. First response in every SMTP session.
250★ exam
Message accepted / OK
Server → client
Confirms successful receipt of a command or message. Most common code in a healthy log.
221
Goodbye / session closing
Server → client
Sent after QUIT command. Session ends.
354
Start mail input
Server → client
Server ready to receive the DATA (message body). Sent after the DATA command.
421
Service not available
Server → client
Server is down or cannot process right now. Client will typically retry.
450
Mailbox unavailable
Server → client
Cannot access the mailbox — may not exist, may have permission issues.
451
Local processing error
Server → client
Server aborted due to an internal error. Usually temporary.
452
Insufficient storage
Server → client
Server disk is full. Large attachments may trigger this.
530
Authentication required
Server → client
Server refused the connection — client did not authenticate. Key indicator that a spoofed send was blocked by a properly secured server (no open relay).
Reading an SMTP log — annotated walkthrough
smtpd log — normal mail receipt + analysis
# Each line: daemon | log entry | date | time | peer IP | message
SENT: 220← Our server says "I am ready" to the connecting client RCVD: from smtp.openmail.foo← Connecting server identified itself SENT: 250← Accepted the EHLO/HELO greeting
RCVD: MAIL FROM: getrich@bitminer.foo← SUSPICIOUS sender domain SENT: 250 size=20480000 authenticated OK ↑ Server accepted it — now review sam's mailbox contents
RCVD: RCPT TO: sam@515support.com← Intended recipient SENT: 250OK RCVD: DATA SENT: 354← "Go ahead, send the message body" SENT: 250 queued ← Message body accepted and queued for delivery RCVD: QUIT SENT: 221← Goodbye — session ends
# ─────── SEPARATE SESSION: blocked spoofing attempt ─────── RCVD: MAIL FROM: bobby@515support.com← attacker pretending to be Bobby SENT: 530 Authentication required ↑ Server rejected it — attacker never authenticated as Bobby ↑ Bobby receives an NDR (non-delivery report) → should report to security
When reading SMTP logs for the exam, focus on the status codes. The 220 / 250 pair is the normal healthy conversation. A 530 means someone tried to send unauthenticated — investigate who they were pretending to be. Suspicious sender domains (bitminer.foo, getrich@) combined with a 250 acceptance mean that email reached the recipient — check their mailbox and warn them.
Exam priority codes: Know 220 (server ready), 250 (accepted), and the general meaning of the 4xx range (errors). You do not need to memorise every code — but you should recognise 220 and 250 instantly, and understand that a 530 means unauthenticated rejection. The exam may show you a log snippet and ask whether the email was delivered, rejected, or indicates a spoofing attempt.
7
S/MIME — Digital Signatures & Encryption
S/MIME (Secure/Multipurpose Internet Mail Extensions) adds end-to-end cryptographic security to email using public key infrastructure. Each user is issued a digital certificate containing their public key. S/MIME provides two distinct security properties — and it is important to understand which key does what.
Integrity & non-repudiation (digital signature)
1.Sender hashes the message body.
2.Sender encrypts the hash with their private key → this is the digital signature.
4.Recipient decrypts the hash using the sender's public key.
5.Recipient hashes the received message independently and compares. Match = message not tampered with (integrity).
6.Only the sender's private key could have produced the signature → non-repudiation.
Note: the message body travels in plaintext — anyone who intercepts it can read it. This gives integrity, not confidentiality.
Confidentiality (encryption)
1.Sender encrypts the message using the recipient's public key.
2.Encrypted message is transmitted — even the sender cannot read it at this point.
3.Only the recipient's private key can decrypt the message.
4.Even if intercepted in transit, the ciphertext is unreadable without the recipient's private key.
In practice both are combined: the message body is encrypted with the recipient's public key (confidentiality), and the hash is signed with the sender's private key (integrity + non-repudiation).
The key rule — which key does what
Encrypt with private key
→ Anyone can decrypt
Used for digital signatures. Encrypting with your private key proves only you could have created it — anyone with your public key can verify it. Provides authentication and non-repudiation. Does NOT provide confidentiality.
Encrypt with recipient's public key
→ Only recipient can decrypt
Used for confidentiality. Only the recipient's private key can decrypt the message. Even the sender cannot read the ciphertext after encrypting. Provides confidentiality. Does NOT by itself prove who sent it.
S/MIME visual indicators in email clients
Valid signature
Ribbon / seal icon
A small ribbon or seal icon displayed next to the message. The client has verified the digital signature: the hash computed from the received message matches the decrypted signature. Message was not altered in transit and came from the stated sender.
Invalid / missing signature
Red X icon
A red X or warning indicator. Either no digital certificate was attached, the hash values don't match (message was altered), or the signing certificate is untrusted/expired. The message's authenticity cannot be guaranteed.
S/MIME vs SPF/DKIM: SPF and DKIM authenticate at the server level — they prove the sending mail server is authorised. S/MIME authenticates at the user level — it proves a specific person signed a specific message with their unique private key. They are complementary, not redundant.
MUA = Mail User Agent (client). MDA = Mail Delivery Agent (local server, stores mail). MTA = Message Transfer Agent (routes between servers). Every MTA hop adds a Received: header line.
Three From fields
Display From = visible, fully attacker-controlled (friendly name). Return-Path/Envelope From = hidden, bounce address, reveals true infrastructure. Received: = hidden, read bottom-up for true origin.
Header analysis method
1) Authentication-Results first (check header.from vs smtp.mailfrom). 2) Received: lines bottom-up (true origin = lowest entry). 3) Subject line for alarm/urgency pretext. 4) Return-Path for real infrastructure. Tool: testconnectivity.microsoft.com.
MIME payloads
MIME = not malicious by itself. Weaponised as: HTML exploits (execute on preview), file attachments (virus/worm), embedded links (display text ≠ real URL). Plain text email = cannot carry exploits. Always check raw URL before clicking.
SPF / DKIM / DMARC
SPF = DNS TXT — lists authorised sending IPs for the domain (one record per domain). DKIM = DNS TXT — cryptographic signature by MTA, proves headers unmodified. DMARC = DNS TXT — policy: what to do when SPF/DKIM fail (none/quarantine/reject).
Cousin domains
Visually similar domain (diontrainimg.com vs diontraining.com). Passes ALL authentication checks because it's a real, properly configured domain — just a different one. Only defence: user awareness + domain monitoring.
Sign with private key → anyone verifies with public key = non-repudiation + integrity. Encrypt with recipient's public key → only their private key decrypts = confidentiality. Both together = integrity + non-repudiation + confidentiality.
Open relay
A mail server that accepts and forwards email from any sender without authentication. Attackers abuse open relays to send spoofed email. Properly secured servers require SMTP authentication (code 530 if missing). Open relay = misconfigured server.