1

Email IOCs — Phishing, Spear Phishing & BEC

Email is the most common attack vector used in social engineering campaigns. Understanding the escalating precision of email attacks — and the specific IOCs each produces — is essential for the exam.

Spam
Bulk, indiscriminate
Unsolicited junk email sent to a wide recipient list. The attacker casts a broad net hoping some percentage of recipients will engage. No specific targeting.
Phishing
Impersonation + pretext
Fraudulent email purporting to be from a reputable company. Uses a pretext (false motive) to induce victims to reveal passwords, credit card numbers, or other sensitive data. Example pretext: "Your PayPal account has been compromised — click here."
Spear phishing
Targeted specific individual/org
An email spoofing attack targeting a specific individual or organisation using tailored information. Example: attackers with a breached bank customer list target only actual customers of that bank — far more convincing than generic phishing.
Whaling
C-level targeting
Spear phishing specifically targeting executives (CEO, CFO, CISO). High-value targets because they have authority to approve wire transfers, access sensitive systems, and override controls.
BEC
Business email compromise
Attacker gains control of an employee's actual account (via phishing) and uses it to convince other employees to perform fraudulent actions — often wire transfers. Differs from spoofing: the account is real and authenticated, making it far harder to detect.
Email spoofing
Forged sender identity
Sending email that appears to come from a specific person without actually controlling their account. Mimic the CFO's name and email format, match their writing style, and issue a fraudulent payment instruction. Detectable via header analysis.

Forwarding as a spoofing technique

A sophisticated spoofing variant: the attacker compromises a lower-level employee, then sends a forwarded email chain that appears to originate from a senior executive buried in the thread. The visible message is from the compromised employee, but the forwarded content appears to show executive authority. If recipients read only the top message, they may not scrutinise the chain underneath it.

Key exam distinction: BEC = attacker controls the legitimate email account (authenticated). Email spoofing = attacker forges the sender address (not authenticated). BEC is harder to detect because authentication passes. Spoofing can be detected via header analysis and authentication records (SPF/DKIM/DMARC).
2

How Email Travels — MUA, MDA & MTA

Understanding the email delivery chain is the foundation for reading headers. Every hop an email makes adds information to the internet header — creating a forensic trail you can follow backward to find the true origin of a spoofed message.

Gold-highlighted MTAs are where attackers inject false header information. Every MTA adds a new "Received:" line to the internet header. Reading these lines from the bottom up reveals the true origin of the message — the first hop at the bottom is where the message actually started.
3

Email Header Analysis — The Three From Fields

Every email contains three distinct sender address fields — only one is visible to the recipient in their mail client. Attackers exploit this asymmetry to make spoofed emails appear legitimate. Understanding all three fields is essential for header analysis on the exam.

FieldAlso calledVisible to recipient?Attacker controlForensic value
From: (display) Display From, Header From, Friendly name Visible Complete — can be set to anything, e.g. Gmail Accounts <theft@badguy.com>. Clients only show the friendly name, hiding the real address in brackets. Low — entirely attacker-controlled and meaningless for verification.
Return-Path: Envelope From, MAIL FROM, Bounce address Hidden Can be set to a fake address. This is where bounced mail is sent. However, it must be a functional address the MTA can reach or delivery fails. Medium — reveals the actual sending infrastructure. Check the domain here against SPF records.
Received: Received From/By, MTA hop record Hidden Each MTA adds its own line — earlier hops can be forged, but the first legitimate MTA's entry is usually trustworthy. High — read bottom-up to trace the true origin. The lowest (oldest) Received: entry is the originating server.

How to read a suspicious email header

email internet header — annotated analysis
# STEP 1: Find Authentication-Results — read this first
Authentication-Results: mx.receiver.com;
  header.from=spam.foo ← display From domain
  smtp.mailfrom=spam.foo ← envelope From domain → mismatch = red flag
  client-ip=w.x.y.z ← originating IP → look up on AbuseIPDB / reputation feeds

# STEP 2: Read Received: headers BOTTOM UP (oldest = true origin)
Received: from openrelay.foo [w.x.y.z]
          by mx.receiver.com with SMTP; ...
↑ This is the first hop — the actual sending server
↑ "openrelay" = compromised server being used by attacker

# STEP 3: Check the visible From and Subject
From: Gmail Accounts <spammer@spam.foo>
↑ Friendly name spoofed to look like Gmail
Subject: Your account is blocked by the administrator
↑ Urgency/alarm pretext — common phishing trigger

# STEP 4: Check Return-Path (real bounce address)
Return-Path: <spammer@spam.foo>
↑ Must be real for delivery — reveals true infrastructure

# STEP 5: Check X-headers (custom server-added fields)
X-SID-PRA: spammer@spam.foo
↑ Microsoft 365 anti-spam header showing computed sender
Analysis tool: Instead of reading raw header text manually, paste the full header into testconnectivity.microsoft.com (Message Header Analyzer). It breaks the header into a clean hop-by-hop table showing each server, the delay between hops, and authentication results. Unusually long delays between hops may indicate message tampering.
Exam approach for header questions: Given a header snippet, look for (1) mismatches between the Display From and the smtp.mailfrom in Authentication-Results, (2) a suspicious originating IP or domain in the bottom-most Received: line, (3) a subject line using urgency or alarm as pretext, (4) a Return-Path that reveals a different domain than the displayed sender. Any of these is an IOC.
4

Email Content Analysis — MIME, Exploits & Embedded Links

MIME (Multipurpose Internet Mail Extensions) is the standard that allows email bodies to carry HTML, rich text, binary data (Base64-encoded), and attachments. It is not inherently malicious — but attackers weaponize it to deliver payloads.

Exploit (script-based)
Code executes on preview
MIME supports HTML — which supports JavaScript. A malicious script embedded in an HTML email can execute when the email client renders a preview pane, without the user clicking anything. Targets vulnerabilities in the mail client itself.
Attachment
File requires user interaction
A file (virus, worm, dropper) attached to the email in the hope the recipient opens or executes it. Users have become more cautious about unknown attachments, so attackers have shifted toward embedded links instead.
Embedded link
Display text hides true URL
A link showing www.diontraining.com as display text may actually point to badguysite.malware. Never click — instead copy the raw URL and examine it in full before visiting. Shortened URLs (bit.ly etc.) hide the destination entirely.

Email signature blocks as an IOC

If everyone in your organisation uses an identical, standardised email signature block, a message that purports to be from inside the organisation but lacks that standard signature block — or has a poorly formatted one — is a phishing indicator. Attackers crafting spoofed internal emails often don't know the exact signature format used.

Safe link handling: Copy the raw link text, paste it into your browser's address bar, and read the full URL before pressing Enter. This defeats both display-text spoofing and shortened URL hiding. In a corporate environment, a proxy or URL-filtering tool should be doing this automatically.
5

Email Server Security — SPF, DKIM, DMARC & Cousin Domains

Three complementary DNS-based authentication mechanisms work together to make email spoofing significantly harder. All three are published as DNS TXT records and checked automatically by receiving mail servers.

SPF
Full name: Sender Policy Framework
Type: DNS TXT record (one per domain)
What it does: Lists the IP addresses and servers authorised to send mail on behalf of this domain.
How checked: Receiving MTA looks up the sending domain's SPF record and checks whether the sending server's IP appears in it.
Example: v=spf1 mx include:_spf.google.com -all
Limitation: Only validates the envelope From (Return-Path), not the display From.
DKIM
Full name: DomainKeys Identified Mail
Type: DNS TXT record (public key)
What it does: Sending MTA cryptographically signs outgoing email headers using a private key. Receiving MTA verifies the signature using the published public key.
How checked: MTA hashes the selected headers, decrypts the signature with the public DNS key, compares them. Match = headers unmodified in transit.
Gives you: Integrity — proves headers were not tampered with in transit.
Note: Can replace or supplement SPF. Signs on behalf of the server, not the individual user.
DMARC
Full name: Domain-Based Message Authentication, Reporting & Conformance
Type: DNS TXT record (policy)
What it does: Defines what the receiving MTA should do when SPF or DKIM checks fail: none, quarantine, or reject. Also requests failure reports back to the domain owner.
Works with: SPF alone, DKIM alone, or both together.
Enforcement: Closes the loophole where SPF/DKIM pass but the display From is spoofed — DMARC aligns the authentication result with the displayed domain.

How DMARC enforces the authentication chain

Authorised sender (green path)
Sender MTA adds SPF/DKIM headers → message arrives at recipient MTA → MTA looks up DMARC policy + SPF/DKIM records via DNS → authentication passes → message delivered to inbox.
Spoofed sender (red path)
Attacker MTA sends spoofed message → arrives at recipient MTA → MTA checks DMARC policy + SPF/DKIM → authentication fails (wrong IP, missing signature, domain mismatch) → message rejected, quarantined, or flagged per DMARC policy.

Cousin domains — what SPF/DKIM/DMARC cannot stop

A cousin domain is a DNS domain that looks visually similar to a legitimate domain when rendered in a mail client. An attacker registers the cousin domain, correctly configures its own SPF/DKIM/DMARC records, and sends email from it — which passes all authentication checks because it is, technically, a legitimate domain. It is just a different one from the real organisation.

diontraining.com vs diontrainimg.com Last 'n' swapped for 'm'
diontraining.com vs diontraning.com One 'i' dropped
support@diontraining.com vs support@deiontranimg.com Multiple character substitutions
DMARC blind spot: SPF, DKIM, and DMARC all pass for a properly configured cousin domain — because the email really does come from that domain. The only defence is user training (verify the exact spelling) and automated cousin-domain monitoring that flags newly registered domains similar to yours.
6

SMTP Log Analysis

SMTP logs record every transaction between mail servers in a request/response format. Each log entry captures the timestamp, sender/recipient address, message size, and a numeric status code. Reading these logs lets you trace where a message came from, whether it was accepted, and why it might have been rejected.

SMTP status codes

CodeMeaningDirectionNotes
220 ★ exam Service ready Server → client Server is ready to accept commands. First response in every SMTP session.
250 ★ exam Message accepted / OK Server → client Confirms successful receipt of a command or message. Most common code in a healthy log.
221 Goodbye / session closing Server → client Sent after QUIT command. Session ends.
354 Start mail input Server → client Server ready to receive the DATA (message body). Sent after the DATA command.
421 Service not available Server → client Server is down or cannot process right now. Client will typically retry.
450 Mailbox unavailable Server → client Cannot access the mailbox — may not exist, may have permission issues.
451 Local processing error Server → client Server aborted due to an internal error. Usually temporary.
452 Insufficient storage Server → client Server disk is full. Large attachments may trigger this.
530 Authentication required Server → client Server refused the connection — client did not authenticate. Key indicator that a spoofed send was blocked by a properly secured server (no open relay).

Reading an SMTP log — annotated walkthrough

smtpd log — normal mail receipt + analysis
# Each line: daemon | log entry | date | time | peer IP | message

SENT: 220 ← Our server says "I am ready" to the connecting client
RCVD: from smtp.openmail.foo ← Connecting server identified itself
SENT: 250 ← Accepted the EHLO/HELO greeting

RCVD: MAIL FROM: getrich@bitminer.foo ← SUSPICIOUS sender domain
SENT: 250 size=20480000 authenticated OK
↑ Server accepted it — now review sam's mailbox contents

RCVD: RCPT TO: sam@515support.com ← Intended recipient
SENT: 250 OK
RCVD: DATA
SENT: 354 ← "Go ahead, send the message body"
SENT: 250 queued ← Message body accepted and queued for delivery
RCVD: QUIT
SENT: 221 ← Goodbye — session ends

# ─────── SEPARATE SESSION: blocked spoofing attempt ───────
RCVD: MAIL FROM: bobby@515support.com ← attacker pretending to be Bobby
SENT: 530 Authentication required
↑ Server rejected it — attacker never authenticated as Bobby
↑ Bobby receives an NDR (non-delivery report) → should report to security
When reading SMTP logs for the exam, focus on the status codes. The 220 / 250 pair is the normal healthy conversation. A 530 means someone tried to send unauthenticated — investigate who they were pretending to be. Suspicious sender domains (bitminer.foo, getrich@) combined with a 250 acceptance mean that email reached the recipient — check their mailbox and warn them.
Exam priority codes: Know 220 (server ready), 250 (accepted), and the general meaning of the 4xx range (errors). You do not need to memorise every code — but you should recognise 220 and 250 instantly, and understand that a 530 means unauthenticated rejection. The exam may show you a log snippet and ask whether the email was delivered, rejected, or indicates a spoofing attempt.
7

S/MIME — Digital Signatures & Encryption

S/MIME (Secure/Multipurpose Internet Mail Extensions) adds end-to-end cryptographic security to email using public key infrastructure. Each user is issued a digital certificate containing their public key. S/MIME provides two distinct security properties — and it is important to understand which key does what.

Integrity & non-repudiation (digital signature)
1.Sender hashes the message body.
2.Sender encrypts the hash with their private key → this is the digital signature.
3.Sender transmits: [plaintext message] + [encrypted hash].
4.Recipient decrypts the hash using the sender's public key.
5.Recipient hashes the received message independently and compares. Match = message not tampered with (integrity).
6.Only the sender's private key could have produced the signature → non-repudiation.

Note: the message body travels in plaintext — anyone who intercepts it can read it. This gives integrity, not confidentiality.

Confidentiality (encryption)
1.Sender encrypts the message using the recipient's public key.
2.Encrypted message is transmitted — even the sender cannot read it at this point.
3.Only the recipient's private key can decrypt the message.
4.Even if intercepted in transit, the ciphertext is unreadable without the recipient's private key.

In practice both are combined: the message body is encrypted with the recipient's public key (confidentiality), and the hash is signed with the sender's private key (integrity + non-repudiation).

The key rule — which key does what

Encrypt with private key
→ Anyone can decrypt
Used for digital signatures. Encrypting with your private key proves only you could have created it — anyone with your public key can verify it. Provides authentication and non-repudiation. Does NOT provide confidentiality.
Encrypt with recipient's public key
→ Only recipient can decrypt
Used for confidentiality. Only the recipient's private key can decrypt the message. Even the sender cannot read the ciphertext after encrypting. Provides confidentiality. Does NOT by itself prove who sent it.

S/MIME visual indicators in email clients

Valid signature
Ribbon / seal icon
A small ribbon or seal icon displayed next to the message. The client has verified the digital signature: the hash computed from the received message matches the decrypted signature. Message was not altered in transit and came from the stated sender.
Invalid / missing signature
Red X icon
A red X or warning indicator. Either no digital certificate was attached, the hash values don't match (message was altered), or the signing certificate is untrusted/expired. The message's authenticity cannot be guaranteed.
S/MIME vs SPF/DKIM: SPF and DKIM authenticate at the server level — they prove the sending mail server is authorised. S/MIME authenticates at the user level — it proves a specific person signed a specific message with their unique private key. They are complementary, not redundant.

Exam

Quick Reference Cheat Sheet

Attack escalation
Spam = bulk/untargeted. Phishing = impersonation + pretext. Spear phishing = targeted individual/org. Whaling = C-level target. BEC = attacker controls real account (authenticated). Email spoofing = forged sender (not authenticated).
Email flow acronyms
MUA = Mail User Agent (client). MDA = Mail Delivery Agent (local server, stores mail). MTA = Message Transfer Agent (routes between servers). Every MTA hop adds a Received: header line.
Three From fields
Display From = visible, fully attacker-controlled (friendly name). Return-Path/Envelope From = hidden, bounce address, reveals true infrastructure. Received: = hidden, read bottom-up for true origin.
Header analysis method
1) Authentication-Results first (check header.from vs smtp.mailfrom). 2) Received: lines bottom-up (true origin = lowest entry). 3) Subject line for alarm/urgency pretext. 4) Return-Path for real infrastructure. Tool: testconnectivity.microsoft.com.
MIME payloads
MIME = not malicious by itself. Weaponised as: HTML exploits (execute on preview), file attachments (virus/worm), embedded links (display text ≠ real URL). Plain text email = cannot carry exploits. Always check raw URL before clicking.
SPF / DKIM / DMARC
SPF = DNS TXT — lists authorised sending IPs for the domain (one record per domain). DKIM = DNS TXT — cryptographic signature by MTA, proves headers unmodified. DMARC = DNS TXT — policy: what to do when SPF/DKIM fail (none/quarantine/reject).
Cousin domains
Visually similar domain (diontrainimg.com vs diontraining.com). Passes ALL authentication checks because it's a real, properly configured domain — just a different one. Only defence: user awareness + domain monitoring.
SMTP codes (exam focus)
220 = server ready (★ know this). 250 = accepted/OK (★ know this). 221 = goodbye. 354 = start message body. 421 = service unavailable. 450 = mailbox unavailable. 452 = storage full. 530 = authentication required (spoofing blocked).
S/MIME key rules
Sign with private key → anyone verifies with public key = non-repudiation + integrity. Encrypt with recipient's public key → only their private key decrypts = confidentiality. Both together = integrity + non-repudiation + confidentiality.
Open relay
A mail server that accepts and forwards email from any sender without authentication. Attackers abuse open relays to send spoofed email. Properly secured servers require SMTP authentication (code 530 if missing). Open relay = misconfigured server.