{"id":19003,"date":"2021-10-22T22:27:04","date_gmt":"2021-10-22T18:27:04","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/analyzing-mail-header\/19003\/"},"modified":"2021-10-22T22:27:21","modified_gmt":"2021-10-22T18:27:21","slug":"analyzing-mail-header","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/analyzing-mail-header\/19003\/","title":{"rendered":"How to analyze a suspicious e-mail"},"content":{"rendered":"<p>The signs of phishing can be obvious \u2014 <a href=\"https:\/\/www.kaspersky.com\/blog\/google-script-phishing\/40795\/\" target=\"_blank\" rel=\"noopener nofollow\">a mismatch between the sender\u2019s address and that of their supposed company<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/office-phishing-html-attachment\/39446\/\" target=\"_blank\" rel=\"noopener nofollow\">logical inconsistencies<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/adobe-online-imitation\/40510\/\" target=\"_blank\" rel=\"noopener nofollow\">notifications that appear to come from online services<\/a> \u2014 but spotting a fake isn\u2019t always so easy. One way to make a fake look more convincing is to tamper with the visible field containing the e-mail address.<\/p>\n<p>The technique is fairly uncommon in cases of mass phishing, but we see it quite a bit more in targeted messaging. If a message looks real, but you doubt the sender\u2019s authenticity, try digging a little deeper and checking the <em>Received<\/em> header. This post describes how.<\/p>\n<h2>Reasons to doubt<\/h2>\n<p>Any strange request is a clear red flag. For example, an e-mail that asks you to do something outside your work role or perform any nonstandard action warrants a closer look, especially if it claims to be important (<em>personal demand from the CEO!<\/em>) or urgent (<em>must be paid within two hours!<\/em>). 
<a href=\"https:\/\/www.kaspersky.com\/blog\/phishing-psychology\/25440\/\" target=\"_blank\" rel=\"noopener nofollow\">Those are standard phishing tricks<\/a>. You should also be wary if you are asked to:<\/p>\n<ul>\n<li>Follow a link in the e-mail to an external website that requests your credentials or payment information;<\/li>\n<li>Download and open a file (particularly an executable file);<\/li>\n<li>Carry out actions related to monetary transfers or access to systems or services.<\/li>\n<\/ul>\n<h2>How to find e-mail headers<\/h2>\n<p>Unfortunately, the visible <em>From<\/em> field is easy to spoof. The <em>Received<\/em> header, however, should show the sender\u2019s real domain. You can find this header in any mail client. Here, we\u2019re using Microsoft Outlook as an example because of its widespread use in modern business. The process should not be radically different in another client, however; if you use one you can consult the help documentation or try to find the headers yourself.<\/p>\n<p>In Microsoft Outlook:<\/p>\n<ol>\n<li>Open the message you want to check;<\/li>\n<li>On the File tab, select <em>Properties<\/em>;<\/li>\n<li>In the Properties window that opens, find the Received field in the Internet headers section.<\/li>\n<\/ol>\n<p>Before reaching the recipient, an e-mail can pass through more than one intermediate node, so you may see several Received fields. You\u2019re looking for the lowest one, which contains information about the original sender. 
It should look something like this:<\/p>\n<div id=\"attachment_42667\" style=\"width: 385px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/10\/22222712\/analyzing-mail-header-received.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-42667\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/10\/22222712\/analyzing-mail-header-received.png\" alt=\"Received header\" width=\"375\" height=\"106\" class=\"size-full wp-image-19004\"><\/a><p id=\"caption-attachment-42667\" class=\"wp-caption-text\">Received header<\/p><\/div>\n<h2>How to check a domain from the <em>Received<\/em> header<\/h2>\n<p>The easiest way to make use of the <em>Received<\/em> header is to use our <a href=\"https:\/\/opentip.kaspersky.com\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______&amp;utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=ae_wpplaceholder_nv0092&amp;utm_content=link&amp;utm_term=ae_kdaily_organic_ghkzib92nimobq1\" target=\"_blank\" rel=\"noopener nofollow\">Threat Intelligence Portal<\/a>. Some of its features are free, meaning you can use them without registering.<\/p>\n<p>To check the address, copy it, go to <a href=\"https:\/\/opentip.kaspersky.com\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______&amp;utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=ae_wpplaceholder_nv0092&amp;utm_content=link&amp;utm_term=ae_kdaily_organic_ghkzib92nimobq1\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Threat Intelligence Portal<\/a>, paste it into the search box on the Lookup tab, and click <em>Look up<\/em>. The portal will return all available information about the domain, its reputation, and WHOIS details. 
The output should look something like this:<\/p>\n<div id=\"attachment_42666\" style=\"width: 1492px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/10\/22222717\/analyzing-mail-header-openTIP.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-42666\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/10\/22222717\/analyzing-mail-header-openTIP.png\" alt=\"Information from Kaspersky Threat Intelligence Portal\" width=\"1482\" height=\"735\" class=\"size-full wp-image-19006\"><\/a><p id=\"caption-attachment-42666\" class=\"wp-caption-text\">Information from Kaspersky Threat Intelligence Portal<\/p><\/div>\n<p>The very first line will probably display a \u201cGood\u201d verdict or \u201cUncategorized\u201d sign. That just means our systems haven\u2019t previously seen this domain used for criminal purposes. When preparing a targeted attack, attackers can register a fresh domain or use a breached legitimate domain with a good reputation. Carefully check the organization to which the domain is registered to see if it matches the one that the sender supposedly represents. An employee of a partner company in Switzerland, for example, is unlikely to send an e-mail through an unknown domain registered in Malaysia.<\/p>\n<p>Incidentally, it\u2019s a good idea to use our portal to check links in the e-mail as well, if they seem dubious, and use the File Analysis tab to check any message attachments.<\/p>\n<p>Kaspersky Threat Intelligence Portal has lots of other useful features, but most are available only to registered users. 
For more information about the service, see the <a href=\"https:\/\/opentip.kaspersky.com\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______&amp;utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=ae_wpplaceholder_nv0092&amp;utm_content=link&amp;utm_term=ae_kdaily_organic_ghkzib92nimobq1\" target=\"_blank\" rel=\"noopener nofollow\">About the Portal tab<\/a>.<\/p>\n<h2>Protection against phishing and malicious e-mails<\/h2>\n<p>Although checking suspicious e-mails is a good idea, keeping phishing e-mails from even reaching end users is better. Therefore, we always recommend installing antiphishing solutions at the <a href=\"https:\/\/app.appsflyer.com\/id1053144160?pid=smm&amp;c=me-en_kdailyplaceholder\" target=\"_blank\" rel=\"noopener nofollow\">corporate mail server<\/a> level.<\/p>\n<p>Additionally, a <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">solution with antiphishing protection<\/a> running on workstations will block redirects through phishing links, in case the e-mail's creators manage to fool the recipient.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you receive an e-mail of dubious authenticity, analyze it yourself. Here&#8217;s how. 
<\/p>\n","protected":false},"author":2685,"featured_media":19008,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[584,2095,2513,76],"class_list":{"0":"post-19003","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-analysis","10":"tag-mail","11":"tag-open","12":"tag-phishing"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/analyzing-mail-header\/19003\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/analyzing-mail-header\/23519\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/analyzing-mail-header\/9527\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/analyzing-mail-header\/25608\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/analyzing-mail-header\/23672\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/analyzing-mail-header\/23171\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/analyzing-mail-header\/26307\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/analyzing-mail-header\/25840\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/analyzing-mail-header\/31779\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/analyzing-mail-header\/10196\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/analyzing-mail-header\/42665\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/analyzing-mail-header\/17973\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/analyzing-mail-header\/18341\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/analyzing-mail-header\/15447\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/analyzing-mail-header\/27635\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/analyzing-mail-header\/
31892\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/analyzing-mail-header\/27768\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/analyzing-mail-header\/24509\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/analyzing-mail-header\/29871\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/analyzing-mail-header\/29673\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19003","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2685"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=19003"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19003\/revisions"}],"predecessor-version":[{"id":19007,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19003\/revisions\/19007"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/19008"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=19003"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=19003"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=19003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}