astronomican

Suspicious emails or messages are often filtered out and don’t appear in my email inbox but in the client’s spam folder. However, if there are emails that catch my interest or if a suspicious-looking email does make it through into my inbox, I view the original raw message to examine the email headers, looking for telltale signs of malicious content or intent. I continue with reviewing the email body. Under all circumstances, I avoid double-clicking on an email attachment or opening any included hyperlinks unless I’m confident they aren’t malicious.

Characteristics I look out for include urgency, poor grammar and/or typos, spoofed email addresses, HTML designed to impersonate a legitimate brand, link manipulation, and attachments.

Tools like PhishTool (https://www.phishtool.com/) and other utilities such as https://mailheader.org/ can assist in the analysis. However, I rarely delve deeply into these tools and instead discard what appears suspicious rather quickly. If curiosity takes over, I use the mentioned tools and check the sender’s IP address with https://ipinfo.io/, for instance, or run a quick reputation check at https://talosintelligence.com/reputation. There’s a lot that can be done in handling suspicious emails, but the first and most important step is for the warning bell to go off before clicking or downloading anything. Suspicion must kick in prior to any potential harm.

In the event that an attachment needs further examination, I would create a hash of the attachment and verify it with VirusTotal to see if it has been flagged as potentially malicious or overwhelmingly safe. However, the results do not guarantee that I would blindly open the attachment. If my gut feeling persists because the entire message is unsolicited, I won’t open the file and will simply discard the message altogether.