Email Header Analysis Report

Role: Security Operations Center (SOC) Analyst



1. Incident Summary

A user reported an email claiming to confirm registration for a “2024 Tech Conference.” Although the email content appeared legitimate, it was flagged for investigation due to uncertainty about whether the user had registered for the event.

The Security Operations Center (SOC) conducted an email header analysis using MXToolbox and Sublime Text to determine the authenticity of the message.


2. Analysis Approach

The following triage steps were performed:

  • Extracted the full email header
  • Parsed the header using MXToolbox
  • Conducted manual inspection using Sublime Text
  • Reviewed SPF, DKIM, and DMARC authentication results
  • Analyzed the “Received” header to identify the origin
  • Evaluated consistency between sender domains and infrastructure


3. Technical Analysis

3.1 Originating Source

Sending Server: mail.conference2024.com
Originating IP Address: 203.0.113.300

Analysis:
The email claims to originate from mail.conference2024.com, which aligns with the sender domain. The IP address provided (203.0.113.300) is not a valid IPv4 address, since its final octet exceeds 255, so the originating host could not be verified from this value.


3.2 Authentication Results

  • SPF: ✅ Pass
  • DKIM: ✅ Pass
  • DMARC: ✅ Pass 

Analysis:
All authentication checks passed, indicating that:

  • The sending server is authorized (SPF)
  • The message integrity is intact (DKIM)
  • The domain aligns with DMARC policy

However, the DMARC policy is set to “none,” meaning enforcement is not strict. This reduces its effectiveness in preventing spoofing.


3.3 Header and Content Review

  • “From” address matches domain: conference2024.com
  • No mismatch between sender and return path observed
  • X-Mailer indicates a custom event system
  • Content is professional and free of typical phishing indicators

Notable Observation:

  • The email was unsolicited (user did not confirm registration)
  • No malicious links or attachments present

4. Indicators of Interest (Not Direct IOCs)

  • Invalid/suspicious IP format in header
  • Unverified event registration (unexpected email)
  • DMARC policy set to “none” (weak enforcement)
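The triage steps above (authentication results, originating IP from the earliest Received header, From/Return-Path alignment) as an added Python example, not part of the original report; the header block is constructed to mirror the reported findings, and the receiving host mx.example.net, the timestamp and the X-Mailer value are assumed.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample header block (not the reported message) that reproduces
# the report's findings: SPF/DKIM/DMARC pass, DMARC p=none, malformed octet.
SAMPLE_HEADERS = """\
Return-Path: <events@conference2024.com>
Received: from mail.conference2024.com (mail.conference2024.com [203.0.113.300])
 by mx.example.net with ESMTPS; Mon, 15 Jan 2024 09:12:33 +0000
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=conference2024.com;
 dkim=pass header.d=conference2024.com;
 dmarc=pass (p=none) header.from=conference2024.com
From: "Tech Conference 2024" <registration@conference2024.com>
Subject: Registration Confirmed: 2024 Tech Conference
X-Mailer: EventSystem/2.1

"""

def _domain(header_value):
    # Lower-cased domain of the first address in a header (empty if absent).
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage_headers(raw):
    """Extract the facts the report checks and collect triage flags."""
    msg = email.message_from_string(raw)
    f = {}
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        f[mech] = m.group(1) if m else "missing"
    m = re.search(r"dmarc=\w+\s*\(p=(\w+)\)", auth)
    f["dmarc_policy"] = m.group(1) if m else "unknown"
    # Received headers are prepended per hop, so the last one is the origin.
    received = msg.get_all("Received", [])
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", received[-1] if received else "")
    f["origin_ip"] = m.group(1) if m else ""
    try:  # 203.0.113.300 has an octet above 255 and is rejected here
        ipaddress.ip_address(f["origin_ip"])
        f["origin_ip_valid"] = True
    except ValueError:
        f["origin_ip_valid"] = False
    f["return_path_aligned"] = _domain(msg["From"]) == _domain(msg["Return-Path"])
    checks = [(not f["origin_ip_valid"], "malformed originating IP"),
              (f["dmarc_policy"] == "none", "DMARC policy p=none (monitor only)"),
              (not f["return_path_aligned"], "From/Return-Path domain mismatch")]
    f["flags"] = [text for hit, text in checks if hit]
    return f
```

Run `triage_headers(SAMPLE_HEADERS)` to get the same picture the report records: all three mechanisms pass, yet the malformed IP and the p=none policy are flagged for the analyst.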

5. Conclusion

Verdict: Suspicious but Not Confirmed Malicious
Risk Level: Medium

The email passes all standard authentication checks (SPF, DKIM, DMARC), which suggests it may have been legitimately sent from the domain. However, the lack of user context (an unsolicited registration confirmation) raises concerns.

There is insufficient evidence to classify this email as phishing, but it cannot be fully trusted.
