# Email Crafting: Designing Deceptive Messages That Mimic Trusted Sources

## Introduction

Email crafting is the core skill in phishing attacks. It’s where reconnaissance data transforms into action, where psychological understanding meets technical execution, and where the success or failure of an entire campaign is determined. A well-crafted phishing email can bypass sophisticated technical controls by exploiting the one vulnerability present in every organization: human trust.

This phase combines social engineering principles, technical knowledge of email systems, and creative deception to create messages that recipients believe are legitimate. Understanding how attackers craft these messages is essential for recognizing and defending against them.

## The Anatomy of a Phishing Email

### 1. The Sender

**Display Name Manipulation:**

The “From” field is often the first thing recipients check, making it the most critical element to manipulate convincingly.

**Techniques:**
– **Exact impersonation:** “IT Department ” using lookalike domains
– **Authority spoofing:** “CEO John Smith ”
– **Trusted brand abuse:** “PayPal Security ” (note the “1” instead of “l”)
– **Internal spoofing:** Exploiting misconfigured SPF/DMARC to appear internal

**Example:**
> Instead of the real “support@microsoft.com”, attackers use:
> – “support@micros0ft.com” (zero instead of ‘o’)
> – “support@microsoft-security.com” (legitimate-looking subdomain)
> – “Microsoft Support ”

### 2. The Subject Line

Subject lines must balance urgency with believability. Too alarming raises suspicion; too mundane gets ignored.

**Effective Subject Line Formulas:**

**Urgency-based:**
– “URGENT: Your account will be suspended in 24 hours”
– “Action Required: Unusual sign-in activity detected”
– “Final Notice: Invoice #4851 overdue”

**Curiosity-based:**
– “You’ve been mentioned in a document”
– “Someone shared a file with you”
– “Your package delivery failed”

**Authority-based:**
– “IT Security Update Required – Mandatory”
– “HR: Complete your annual compliance training”
– “CEO: Q4 Performance Review Meeting”

**Familiarity-based:**
– “RE: Meeting follow-up” (implies ongoing conversation)
– “FW: Budget proposal for your review”
– “Quick question about the project”

### 3. The Body Content

**Opening/Greeting:**

**Generic (bulk phishing):**
– “Dear Customer,”
– “Dear User,”
– “Hello,”

**Personalized (spear phishing):**
– “Hi Sarah,” (using researched first name)
– “Good afternoon, Ms. Johnson,” (formal, using title and surname)
– “Hey Mike,” (casual, matching organizational culture)

**The Hook:**

The body must quickly establish credibility and motivation for action:

**Problem/Threat Framework:**
> “We’ve detected suspicious activity on your account from an IP address in Romania. For your security, we’ve temporarily limited your account access. Please verify your identity immediately to restore full functionality.”

**Opportunity Framework:**
> “As a valued customer, you’ve been selected for our exclusive early access program. Click below to claim your benefits before they expire on Friday.”

**Authority Framework:**
> “Per the directive from the CFO, all department heads must complete the attached expense reconciliation form by end of business today. Failure to comply may result in budget allocation delays.”

**Urgency Elements:**

Deadlines and consequences create pressure that reduces critical thinking:
– “Your account will be closed within 24 hours unless…”
– “This offer expires at midnight tonight…”
– “Immediate action required to avoid penalties…”
– “Limited spots available – first come, first served…”

**Trust Indicators:**

Attackers include elements that signal legitimacy:
– Official-looking logos and branding
– Legal disclaimers and privacy notices
– Professional formatting and corporate templates
– Security badges and verification symbols
– Accurate company information (researched via OSINT)

### 4. The Call to Action (CTA)

The CTA directs the victim toward the attacker’s objective:

**Common CTAs:**

**Credential Harvesting:**
– “Verify Your Account” → Links to fake login page
– “Update Your Password” → Credential capture form
– “Confirm Your Information” → Data collection page

**Malware Delivery:**
– “Download Your Invoice” → Malicious attachment
– “View Shared Document” → Weaponized file
– “Install Security Update” → Malware installer

**Information Gathering:**
– “Complete This Survey” → Reconnaissance questionnaire
– “Update Your Profile” → Social engineering data collection
– “Confirm Shipping Details” → Personal information theft

**Financial Fraud:**
– “Process This Payment” → Wire transfer scam
– “Update Payment Method” → Credit card harvesting
– “Approve This Transaction” → Business email compromise

**Example Scenario:**

> **Subject:** IT Security: Mandatory Password Update Required
>
> **From:** IT Security Team
>
> **Body:**
> Dear Employee,
>
> As part of our ongoing security improvements following the recent industry-wide cyberattack, all employees must update their passwords using our new secure password portal.
>
> **You must complete this update by 5:00 PM today to maintain access to your account.**
>
> Click here to update your password: [Update Password Now]
>
> This is a mandatory security measure. Accounts that are not updated will be automatically locked for security purposes.
>
> Thank you for your cooperation in keeping our company secure.
>
> IT Security Team
> Internal IT Department
> Company Name | Protecting Your Digital Assets

This email combines multiple persuasion techniques:
– Authority (IT Security Team)
– Urgency (deadline today)
– Fear (account will be locked)
– Social proof (industry-wide cyberattack)
– Legitimacy (professional formatting, security language)

## Email Crafting Techniques

### Pretexting

Creating a believable scenario that justifies the request:

**Common Pretexts:**
– **IT emergencies:** System updates, security patches, account verification
– **HR matters:** Benefits enrollment, policy updates, training requirements
– **Financial urgency:** Vendor payments, invoice disputes, tax forms
– **Executive requests:** Urgent tasks from leadership (CEO fraud)
– **External events:** Tax season, holidays, industry conferences

### Personalization Strategies

**Basic Personalization:**
– Using target’s real name
– Referencing their job title or department
– Mentioning their company name

**Advanced Personalization:**
– Recent company news or events
– Specific projects or initiatives
– Known vendors or partners
– Colleague names and relationships
– Travel schedules or out-of-office periods
– Recent purchases or activities

### Emotional Manipulation

**Fear:**
– Account compromise warnings
– Legal threats or compliance violations
– Job security implications
– Financial loss scenarios

**Greed:**
– Exclusive offers or bonuses
– Unexpected refunds
– Prize winnings
– Investment opportunities

**Curiosity:**
– Mysterious shared documents
– Unusual account activity (non-threatening)
– Personal mentions or references
– “Someone is trying to contact you”

**Obligation:**
– Requests from authority figures
– Helping a colleague in need
– Completing required tasks
– Reciprocating past favors

### Technical Crafting Elements

**HTML and Formatting:**
– Professional templates matching legitimate emails
– Proper logo usage and branding
– Responsive design for mobile devices
– Hidden text and misleading anchor links

**Link Obfuscation:**
– **Display text mismatch:** Shows “https://paypal.com” but links to “http://paypa1.com”
– **URL shorteners:** bit.ly, tinyurl hiding true destination
– **Homograph attacks:** Using Unicode characters that look identical (e.g., Cyrillic ‘а’ vs Latin ‘a’)
– **Subdomain tricks:** “paypal.com.phishing-site.com” or “secure-paypal.com”

**Attachment Tactics:**
– Familiar file types (PDF, DOCX, XLSX)
– Convincing filenames: “Invoice_2024_Q4.pdf”
– Double extensions: “report.pdf.exe” (hidden in Windows by default)
– Macro-enabled documents: “Enable Editing to view this document”
– ZIP password protection (to bypass email scanners)

## Anti-Detection Strategies

### Bypassing Email Filters

**Content Obfuscation:**
– Replacing letters with numbers or symbols (l33t speak)
– Using images instead of text
– Breaking up suspicious keywords
– Strategic misspellings

**Attachment Evasion:**
– Password-protected archives
– Steganography (hiding malware in images)
– Using legitimate cloud storage links
– Delayed execution malware

**Domain Reputation:**
– Using newly registered domains
– Compromising legitimate websites for hosting
– Using free email providers with good reputation
– Rotating through multiple sending domains

### Avoiding Spam Folders

**Technical Compliance:**
– Proper email headers and authentication
– Valid SPF, DKIM signatures (from compromised accounts)
– Clean sender reputation
– Avoiding spam trigger words

**Timing and Volume:**
– Sending during business hours
– Limiting send volume to avoid rate limiting
– Spacing out attacks over time
– Targeting specific time zones

## Defense and Detection

### For Individuals

**Verification Practices:**
– **Hover before clicking:** Check actual URL destination
– **Verify sender:** Contact sender through known channels
– **Question urgency:** Legitimate requests rarely require instant action
– **Check for personalization:** Generic greetings are red flags
– **Look for errors:** Typos, grammar issues, formatting problems

**Technical Safeguards:**
– Display full email headers
– Use email clients that show actual URLs
– Enable spam filtering and anti-phishing tools
– Report suspicious emails to IT/security team

### For Organizations

**Email Security Controls:**
– **SPF, DKIM, DMARC implementation:** Prevent sender spoofing
– **Link wrapping and sandboxing:** Inspect URLs before delivery
– **Attachment scanning:** Multiple anti-malware engines
– **Banner warnings:** Flag external emails clearly
– **URL rewriting:** Route clicks through security analysis

**Security Awareness Training:**
– Regular phishing simulations
– Real-world examples and analysis
– Reporting procedures and encouragement
– No-penalty reporting culture

**Technical Indicators:**
– Emails with urgent calls to action
– Requests for credentials or sensitive information
– Unexpected attachments from unknown senders
– Slight misspellings in domain names
– Mismatched sender and reply-to addresses
– Suspicious link destinations

## Red Flags in Phishing Emails

**Header Red Flags:**
– Display name doesn’t match email address
– “Reply-To” differs from “From” address
– Unusual sending time (3 AM for local organization)
– Multiple recipients in BCC

**Content Red Flags:**
– Generic greetings (“Dear Customer”)
– Spelling and grammar errors
– Inconsistent branding or formatting
– Threats or extreme urgency
– Requests for sensitive information via email
– Unsolicited attachments

**Technical Red Flags:**
– HTTP instead of HTTPS in links
– Shortened URLs or obfuscated links
– Hover text doesn’t match visible text
– Forms requesting passwords or SSN
– Links to IP addresses instead of domain names

## The Evolution of Email Crafting

**Traditional Phishing (Early 2000s):**
– Generic, mass-produced emails
– Poor grammar and obvious errors
– Crude impersonation attempts
– Easy to spot and filter

**Modern Spear Phishing (Current):**
– Highly personalized and researched
– Professional quality and formatting
– Context-aware and timely
– Leverages real business processes
– Exploits human relationships

**AI-Enhanced Crafting (Emerging):**
– Natural language generation for perfect grammar
– Personality matching and style mimicry
– Real-time adaptation based on responses
– Automated OSINT integration
– Multi-language fluency

## Case Study: Business Email Compromise (BEC)

A finance manager receives an email:

**Subject:** URGENT: Wire Transfer Needed Today

**From:** CEO Sarah Chen

**Body:**
> Hi Rebecca,
>
> I’m currently meeting with potential investors and we need to move quickly on an acquisition opportunity that just came up. I need you to process a wire transfer for $250,000 to the following account today.
>
> This is time-sensitive and confidential – please don’t discuss with anyone else until the announcement next week.
>
> Account details:
> [Account information]
>
> Can you confirm once it’s sent? I’m in back-to-back meetings but checking email periodically.
>
> Thanks,
> Sarah

**Why this works:**
– Authority (CEO request)
– Urgency (time-sensitive)
– Secrecy (don’t verify with others)
– Plausibility (CEO traveling, acquisitions happen)
– Pressure (waiting for confirmation)

**Red flags:**
– Domain slightly off (company-exec vs company.com)
– Request via email instead of established procedures
– Unusual secrecy around financial transaction
– Urgency prevents normal verification

## Related Concepts

– [Social Engineering](../glossary/social-engineering.md)
– [Pretexting](../glossary/pretexting.md)
– [Spear Phishing](../glossary/spear-phishing.md)
– [Business Email Compromise](../glossary/business-email-compromise.md)
– [Domain Spoofing](../glossary/domain-spoofing.md)

## References

– Anti-Phishing Working Group (APWG) – Phishing Activity Trends Reports
– FBI Internet Crime Complaint Center (IC3) – BEC Statistics
– NIST Special Publication 800-177: Trustworthy Email
– Verizon Data Breach Investigations Report – Social Engineering Analysis
– “Social Engineering: The Science of Human Hacking” by Christopher Hadnagy

—

**Educational Purpose:** This content is provided for awareness and defensive purposes. Understanding email crafting techniques helps individuals and organizations recognize and defend against phishing attacks.

What are UTM Parameters?

UTM parameters are tags added to a URL that help track the performance of campaigns and content across the web. Originally developed by Urchin Software Corporation, which was later acquired by Google, UTM parameters are now a standard feature in Google Analytics and many other web analytics tools. These parameters allow marketers and analysts to understand the source, medium, campaign name, and other details about how users interact with a link.

A typical URL with UTM parameters might look like this:

In this example:

• utm_source=newsletter
  identifies the source of the traffic as a newsletter.
• utm_medium=email
  indicates the medium through which the link was delivered.
• utm_campaign=spring_sale
  specifies the campaign associated with the link.

By appending these parameters to URLs, organizations can gain granular insights into how different marketing efforts are performing.

UTM Parameters in Phishing Campaigns

UTM parameters can significantly enhance your phishing campaign by providing detailed tracking and analytics, which are crucial for evaluating the effectiveness of the campaign and understanding user behavior.

Here’s how UTM parameters can be applied:

1. Tracking Email Opens and Clicks:
   • By embedding UTM parameters in the links within phishing emails, organizations can track how many recipients opened the email and clicked on the link. This data helps measure engagement and identify which messages are most compelling.
2. Segmenting User Interaction:
   • UTM parameters allow for segmentation of users based on their interaction with the phishing message. For example, different UTM tags can be used for various departments or job roles, enabling targeted analysis and reporting.
3. Assessing Campaign Effectiveness:
   • Detailed insights from UTM parameters help assess the overall effectiveness of the campaign. Organizations can analyze which types of phishing emails are more likely to deceive employees and tailor their training programs accordingly.
4. Providing Feedback and Metrics:
   • UTM parameters can also be used to provide personalized feedback to employees who interacted with the phishing email. For instance, those who clicked on the link can be directed to a landing page with educational content that explains the phishing attempt and offers tips for identifying such threats in the future.

Best Practices for UTM

To maximize the benefits of UTM parameters in phishing campaigns, it’s essential to follow best practices. Here are some key recommendations:

1. Define Clear Naming Conventions:
   • Establish a consistent naming convention for UTM parameters to ensure data is easily understandable and analyzable. For example, use
     utm_source=internal
     instead of
     utm_source=phishing_sim
     to avoid raising suspicion.
2. Use Subtle Campaign Names:
   • Campaign names (
     utm_campaign
     ) should be subtle and not give away the original nature of the message. Instead of
     utm_campaign=phishing
     , use something less conspicuous like
     utm_campaign=q3_update
     .
3. Segment by Target Audience:
   • Utilize UTM parameters to segment the audience by department, role, or other criteria. This segmentation helps tailor the analysis and training to specific groups. For instance,
     utm_term=project_alpha
     can be used instead of a specific department name.
4. Incorporate Multiple Parameters:
   • Leverage multiple UTM parameters to capture comprehensive data. Combining
     utm_source
     ,
     utm_medium
     ,
     utm_campaign
     ,
     utm_term
     , and
     utm_content
     provides a detailed view of user interactions. For example,
     utm_content=doc_link
     versus
     utm_content=profile_link
     can differentiate between multiple links within the same email without being overly descriptive.
5. Integrate with Analytics Tools:
   • Ensure that UTM-tagged URLs are integrated with your web analytics tools, such as Google Analytics. This integration allows for seamless tracking and reporting of campaign performance.
6. Educate and Inform:
   • Use the data gathered from UTM parameters to educate employees. Provide feedback on how many people interacted with the phishing email and use this information to reinforce training sessions. Highlight common mistakes and offer tips for identifying phishing attempts.

Obfuscating UTM Parameters

While UTM parameters are invaluable for tracking and analytics, they can also inadvertently reveal the nature of the message if not used discreetly. Here are strategies for obfuscating UTM parameters to ensure the phishing remains effective:

1. Use Generic Terms:
   • Avoid using terms that clearly indicate a phishing message. For instance, replace
     utm_source=phishing
     with
     utm_source=internal_news
     .
2. Randomized or Code-Based Naming:
   • Use randomized strings or codes that don’t immediately suggest a phish. For example,
     utm_campaign=abc123
     can be decoded internally to represent a specific campaign.
3. Contextual but Neutral Naming:
   • Utilize names that fit within the context of the organization’s regular communication but are neutral enough not to raise alarms. For instance,
     utm_medium=update_email
     instead of
     utm_medium=phish_email
     .
4. Consistent but Non-Descriptive Tags:
   • Maintain consistency in your naming conventions across different campaigns while keeping the tags non-descriptive. For example,
     utm_term=phase1
     for the first phase of multiple campaigns.

Examples of Obfuscated UTM Parameter Usage

Let’s consider a practical example of a phishing campaign targeting an organization’s employees. The campaign aims to test the employees’ ability to recognize phishing emails and educate them on best practices without giving away the true intention.

1. Crafting the Phishing Email:
   • The email mimics a common phishing tactic, such as a fake invoice notification or a security alert. The email contains a link that directs users to a phishing page designed to look like a legitimate login page.
2. Adding Obfuscated UTM Parameters to the Link:
   • The URL in the phishing email is tagged with obfuscated UTM parameters:
     
     https://www.fake-login.com?utm_source=internal_news&utm_medium=email&utm_campaign=abc123&utm_term=project_alpha&utm_content=doc_link
3. Launching the Campaign:
   • The phishing email is sent to the targeted employees. Analytics tools track interactions with the email and the tagged URL without employees easily identifying the phish
4. Analyzing the Results:
   • Post-campaign, the analytics data is reviewed. You can see how many employees from the targeted project clicked on the link (
     utm_term=project_alpha
     ) and whether different links within the email had varying levels of engagement (
     utm_content=doc_link
     )
5. Adjusting Future Campaigns:
   • The insights from the UTM parameters inform future campaigns. If the data shows that employees are frequently falling for certain types of phishing emails, the training program can be adjusted to address these weaknesses.

Conclusion

Incorporating UTM parameters into phishing campaigns is a best practice that significantly enhances the effectiveness of these exercises and elevates your game into a truly targeted experience. By providing detailed tracking and analytics, UTM parameters help your organization understand user behavior, assess campaign effectiveness, and deliver targeted messaging. By obfuscating these parameters, organizations can ensure the phishing remains subtle and effective, offering a realistic experience.

Payloads

The goal of any campaign is to have the target initiate their own compromise. With the exception of credential theft, these typically come in the form of executing code from the target’s system. Some of the payloads may be local to the target system, used to exfiltrate data, or simply be avenues for further compromise or remote control.

Here, we’ve provided some of our favorites, this list is by no means exhaustive.

Local Execution

1. Simple Attachments
   Emails with file attachments, such as executables or documents (docx, pdf, etc) containing the payload.
2. Macro-Enabled Documents
   Payload delivered through macros embedded in documents. These would rely on the application (typically the MS-Office Suite) to execute the embedded scripts and automations.
3. Trojan Horse
   The payload disguised as a legitimate file or installation package.
4. Drive-By Downloads
   Links or attachments that trigger automatic payload downloads upon interaction. These are typically web links or HTML documents that trigger in the browser.
5. Keyloggers
   A payload that records keystrokes, capturing login credentials and sensitive information.
6. Browser Extensions
   Payloads in the form of a browser extension used for control and delivery
7. Downloaders and Droppers
   Payloads fetching additional malware from remote servers.
8. Man-in-the-Middle (MitM)
   Payloads that allow for traffic interception such as routing communications through a proxy
9. Password-Protected Zips
   Payloads hidden within password-protected zip files; a type of evasion.

Web Links

1. Links to Payload Sites
   Emails containing links to websites designed to steal login credentials/sensitive data, or deliver the payload through the browser.
2. Embedded Links
   Attachments that contain links to sites with payloads.
3. Credential Harvesting Forms
   Emails with HTML forms prompting users to enter sensitive information.
4. Ads
   Links to compromised ads or websites delivering the payload.

Here at P&C.io, our personal favorites are:
1) the Reverse TCP Shell which, when executed, has the remote workstation establish a connection with our remote TCP listener thus enabling C2 type activity.

2) Good, old-fashioned credential harvesting.

What’s next?

Tools & Materials

To set-up this credential trap, you will need a text editor and a web server. We wouldn’t recommend using anything production-quality as publicizing a credential trap will likely get your domain flagged for suspicious content.

That said, at your own risk.

Sample Code?

Yes, you may find our basic cred-trap, along with other materials from this site, on our GitHub:
https://github.com/PhishAndChips-io/cred-trap

How does it work?

The primary payload is index.html.
You can see a LIVE version here:
https://phishandchips.io/static/cred-trap/

There’s a lot to unpack here.. so let’s go through it.

here, we have some social engineering at play…

1. We have a timer (written in javascript) that says you have 00:30s to act quickly.
2. We have some reassuring message from your IT department–“We’ve added this for your safety“
3. We have a friendly placeholder in the template for a logo as well as a FAVICON— you know, for the really authentic experience.

Behind the Scenes…

Here is our form.. all it’s doing is passing the username and password fields to our submit.php… this file can be hosted anywhere, and if you’re into Evasion, you will place it far away from your index.

Second… check out this countdown timer:

This is pretty boiler-plate stuff… At the end of the countdown, we set the redirect URL to: https://portal.microsoft.com, which should be a login page for Microsoft— this is to simulate “oops, you’ve been logged out”

*NOTE.. if you’re not good with code, you can always ask ChatGPT

Let’s see submit.php

Short story goes… we just receive a POST to page, open data.txt, write the form contents, then redirect the user to portal.microsoft.com anyway–

And that’s it…

The output:

Conclusion

As we have demonstrated… it’s absolutely trivial to create a web form to harvest credentials. Login forms do not actually need to go anywhere or do anything to be effective. With 2x files and 30 lines of code (excluding styles and javascript), we can create an effective credential trap… small, but optional, embellishments complete the social engineering piece.

What’s next?

Head, what?

Email headers, also known as message headers, are a block of text at the beginning of an email that provides essential metadata about the email’s journey. To view an email’s headers, you can usually find an option like “View Message Source” or “Show Original” in your email client.

Here is an example of a RAW header from a pretty bogus-looking message:

What is the meaning of all this?

Let’s break it all down:

Delivered-To: phishandchips.io@gmail.com:

• This field indicates that the email was delivered to the specified Gmail address.

Received: by 2002:a05:7000:704c:b0:518:6939:5a47 with SMTP id t12csp2267847mat; Wed, 20 Sep 2023 20:27:49 -0700 (PDT):

• This line shows the email’s delivery status, mentioning the Gmail server’s IP and timestamp.

X-Google-Smtp-Source: AGHT+IFlYgh6cSUYc5vF0uwuiA/TjmWnfkjBIWVaaOrJm2Fnkjt4x668N5PScciUJJrH8ex14K77:

• This field may contain additional information about the email’s source, possibly for Gmail’s internal tracking purposes.

X-Received: by 2002:aa7:c614:0:b0:530:f880:ca74 with SMTP id h20-20020aa7c614000000b00530f880ca74mr3610809edq.28.1695266869411; Wed, 20 Sep 2023 20:27:49 -0700 (PDT):

• Similar to the second field, this provides information about the email’s receipt and routing.

ARC-Seal: i=2; a=rsa-sha256; t=1695266869; cv=pass; d=google.com; s=arc-20160816; b=XXXXX:

• This field is related to ARC (Authenticated Received Chain), a protocol that helps authenticate email messages. It confirms the email’s integrity.

ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=feedback-id:precedence:subject:cc:message-id:list-unsubscribe:from list-id:list-id:date:mime-version:to; bh=f9JKLxsmxVEDS8HfdQZuiBvO3txjQarfOuTylLcMQdw=; fh=e69IIXWAFhL7Gv60vfGA8nV4JOjkyr9JYr37FBPFklI=; b=XXXX:

• This section is related to ARC and its cryptographic signatures. It verifies the email’s authenticity and integrity.

ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1); spf=pass (google.com: domain of postmaster@eur01-ve1-obe.outbound.protection.outlook.com designates 2a01:111:f400:7e01::207 as permitted sender) smtp.helo=EUR01-VE1-obe.outbound.protection.outlook.com:

• This field confirms that the email passed authentication checks, including SPF (Sender Policy Framework).

Return-Path: <>:

• The “Return-Path” is empty, indicating that it’s a bounce or non-delivery notification.

Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01lp20207.outbound.protection.outlook.com. [2a01:111:f400:7e01::207])…:

• This line shows that the email originated from an Outlook.com server and provides server information.

Received-SPF: pass (google.com: domain of postmaster@eur01-ve1-obe.outbound.protection.outlook.com designates 2a01:111:f400:7e01::207 as permitted sender) client-ip=2a01:111:f400:7e01::207;:

• SPF passed, indicating that the email sender’s domain (outlook.com) authorized the server’s IP address to send emails on its behalf.

Authentication-Results: mx.google.com; arc=pass (i=1); spf=pass (google.com: domain of postmaster@eur01-ve1-obe.outbound.protection.outlook.com designates 2a01:111:f400:7e01::207 as permitted sender) smtp.helo=EUR01-VE1-obe.outbound.protection.outlook.com:

• This confirms the email’s authentication results, including ARC and SPF.

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XXXXX:

• Another ARC-related seal, confirming the authenticity and integrity of the email.

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XXXXXX:

• An ARC-related message signature, ensuring the email’s authenticity.

X-MS-Exchange-Authentication-Results: spf=softfail (sender IP is 45.79.81.156) smtp.helo=notes.io; dkim=none (message not signed); arc=none:

• Additional authentication results mentioning SPF softfail, indicating that the email didn’t fully pass SPF checks.

X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Sep 2023 03:27:48.1178 (UTC):

• This line shows the original arrival time of the email in Coordinated Universal Time (UTC).

From: SolarBill infoygwszzlnyhfpvdjvpztee@eafdvcsdvc.onmicrosoft.com:

• The “From” field indicates the sender’s name and email address.

Subject: Re::

• The subject line of the email.

Date: Thu, 21 Sep 2023 05:25:05 +0200:

• The date and time when the email was sent.

Cc: phishandchips.io@gmail.com:

• The email address in the “Cc” field, indicating additional recipients.

Content-Type: multipart/alternative; boundary=”36adda4e-755a-4bf6-b3f6-570ea8903171“:

• The content type and boundary information for the email.

The provided email appears to be from “SolarBill” and has passed some authentication checks like SPF and ARC, although there was a SPF soft-fail reported. The header confirms its route and origin from an Outlook.com server.
Would you click on any links in this message? 🙄

At the end of the day, everything we discuss here at P&C is around the attack of the system through the user. We aren’t trying to “hack” computers- an adequately secure system is impossible/improbable to penetrate with our resources (and trust me, we have very few resources).
Instead, it’s better to simply go through the front door and not by busting it down, rather, by being invited in.

Social engineering is a manipulative technique intended to exploit human psychology, trust, and emotions to perform specific actions or to make specific decisions, often to the detriment of the target.

Here are some good ones…

“Trusty Caller”

• Jane, a senior manager at a reputable company, receives a call from “David,” who claims to be the IT department. David explains there’s an urgent security update and asks Jane for her login credentials to ensure her account’s safety. Concerned, Jane shares her details without verifying David’s identity. In reality, it’s a social engineer exploiting trust to gain unauthorized access.

“Friendly Face”

• John, an enthusiastic intern, joins a company. On his first day, Sarah, a seasoned employee, befriends him and offers to show him around. As they chat, Sarah casually asks about the company’s upcoming projects. John, eager to fit in, inadvertently shares confidential information, not realizing that Sarah actually works at a competitor firm.

“Tech Support Scam”

• Mark receives a pop-up message on his computer, warning of a virus and providing a phone number for tech support. Panicked, Mark dials the number and connects with “Lisa,” who claims to be from a reputable tech support company. To resolve the issue, Mark grants Lisa remote access to his computer.

“Emergency Impersonator” Tactic

• Emily receives an urgent email from her boss, “Michael,” requesting a wire transfer for a critical business deal. The email claims that Michael is in a remote location and unable to make the transfer himself. Trusting her boss’s email, Emily quickly initiates the transfer, not realizing that the email came from an imposter.

“Bait and Switch” Tactic

• Alex, an online shopper, receives an email offering a limited-time 90% discount on a popular gadget. Excited, Alex clicks the provided link, which redirects to a convincing e-commerce website. Alex places an order using their credit card information, only to find out later that it was a fake site set up by cybercriminals to steal personal and financial data.

About P&C

Phish & Chips.io is a labor of love from seasoned information security and privacy enthusiasts. Although we provide some resources around engineering technical exploits and navigating computer systems, our true passion is for educating people and the study of human social behavior.

To this end, we have created a Phishing Attack Framework which is a great way to navigate this site and learn more about how to utilize social engineering techniques for your next cyber campaign.

Enjoy!