Investigating Phishing with OSINT
When we are investigating a phishing attack, it can happen that the malicious link inside it is no longer available. Fortunately for us, there are some ways to trace back what the link used to look like.
First of all, let's remember that phishing is one step in an attack chain: on the Cyber Kill Chain it belongs to the Delivery phase, and in MITRE ATT&CK it is a technique under the Initial Access tactic.
So, according to the technique on MITRE ATT&CK: “Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.”
The page about this technique also describes two ways in which this kind of scam can occur: "Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems."
With that in mind, consider a phishing message with a malicious link which, when opened in a sandbox, only returns an HTML page with a 404 status, meaning the page is no longer found. Let's look at an example with a PayPal scam.
In this case, we can check whether this URL was already submitted to URLscan. If we try to access the URL www.paypaldetails.com, for example, it is unavailable, but if we search for the domain on URLscan, we can find results showing what the page looked like.
We can even access the source code of the page, to enumerate other pages or other domains associated with it.
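The lookup described above, as an added example (not code from the original post): it builds the urlscan.io search query for a domain, reduces each hit to the scan time, scanned URL, final page domain and archive links, and lists any other domains the scanned pages ended on. The `https://urlscan.io/dom/<uuid>/` layout is assumed, and the sample response is constructed, not real scan data.

```python
import json
import urllib.parse
import urllib.request

URLSCAN_SEARCH = "https://urlscan.io/api/v1/search/"

def build_search_url(domain, size=100):
    """Search query for every scan urlscan.io holds for the given domain."""
    query = urllib.parse.urlencode({"q": f"domain:{domain}", "size": size})
    return f"{URLSCAN_SEARCH}?{query}"

def summarise_results(payload):
    """Keep what an analyst needs from each hit: when it was scanned, what URL
    was scanned, what domain the page ended on, and where the archive lives."""
    hits = []
    for r in payload.get("results", []):
        uuid = r.get("_id")
        hits.append({
            "time": r.get("task", {}).get("time"),
            "url": r.get("task", {}).get("url"),
            "page_domain": r.get("page", {}).get("domain"),
            "result_api": r.get("result"),
            # Assumed layout of the archived DOM link (urlscan.io/dom/<uuid>/).
            "dom": f"https://urlscan.io/dom/{uuid}/" if uuid else None,
        })
    return hits

def related_domains(hits, domain):
    """Domains other than the searched one (or its subdomains) that pages ended on."""
    def is_own(d):
        return d == domain or d.endswith("." + domain)
    return sorted({h["page_domain"] for h in hits
                   if h["page_domain"] and not is_own(h["page_domain"])})

def fetch_history(domain):
    """Live lookup against urlscan.io (needs network; unauthenticated search)."""
    req = urllib.request.Request(build_search_url(domain),
                                 headers={"User-Agent": "osint-demo"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return summarise_results(json.load(resp))

# Constructed sample shaped like a urlscan.io search response (not real scan data).
SAMPLE_RESPONSE = {"results": [
    {"_id": "00000000-0000-4000-8000-000000000001",
     "task": {"time": "2024-06-20T10:00:00.000Z", "url": "http://www.paypaldetails.com/"},
     "page": {"domain": "www.paypaldetails.com"},
     "result": "https://urlscan.io/api/v1/result/00000000-0000-4000-8000-000000000001/"},
    {"_id": "00000000-0000-4000-8000-000000000002",
     "task": {"time": "2024-06-21T11:30:00.000Z", "url": "http://paypaldetails.com/login"},
     "page": {"domain": "secure-verify.example"},
     "result": "https://urlscan.io/api/v1/result/00000000-0000-4000-8000-000000000002/"}]}
```

Running `summarise_results(SAMPLE_RESPONSE)` works offline; `fetch_history("paypaldetails.com")` performs the same steps against the live service.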
Another common scam is a fake Outlook login, since it's easy to perform reconnaissance to identify the email service associated with a business domain, as demonstrated in this video that I recorded. Outlook is also commonly targeted because of Azure AD (ooops… Entra ID).
In this example, we can see that the URL msnn-outlok365.hstn.me, now unavailable, can still be seen on URLscan.
Another approach for investigating URLs that are unavailable is to search the DNS history and the WHOIS history of the domain.
In the PayPal scam example, using SecurityTrails, we can see that the domain paypaldetails.com was associated with Network Solutions LLC for 9 years, between 2011 and 2019. After that, an address was associated with this domain again on 2024-06-19, this time with the organization Liquid Web, L.L.C.
With Whoxy we can see the history of WHOIS registrations. In this case, there is just one registration, in June 2024, which is associated with a person from Nigeria, and it's even possible to get the person's email address.
The malicious link can also be used to download malware, instead of being a fake login page used to steal credentials.
A phishing email may also carry no malicious link at all but contain malicious attachments which, if executed, can compromise the machine.
If you are unable to execute the attachment and want to know about its behaviour, it's possible to search for it in sandboxes. To name some of them, there are Any.Run and Triage. In both of them, there's an option to search by a tag associated with the file or even by its hash.
One good thing about these two sandboxes is the possibility to interact with the machine while the uploaded sample is running, so you can test different situations and monitor the behaviour. After that, a report is available with the results.
These were some examples of how to use OSINT to investigate phishing emails, especially when the content is no longer available.