The signs of phishing can be obvious — a mismatch between the sender’s address and that of their supposed company, logical inconsistencies, notifications that appear to come from online services — but spotting a fake isn’t always so easy. One way to make a fake look more convincing is to tamper with the visible field containing the e-mail address.
The technique is fairly uncommon in cases of mass phishing, but we see it quite a bit more in targeted messaging. If a message looks real, but you doubt the sender’s authenticity, try digging a little deeper and checking the Received header. This post describes how.
Reasons to doubt
Any strange request is a clear red flag. For example, an e-mail that asks you to do something outside your work role or perform any nonstandard action warrants a closer look, especially if it claims to be important (personal demand from the CEO!) or urgent (must be paid within two hours!). Those are standard phishing tricks. You should also be wary if you are asked to:
- Follow a link in the e-mail to an external website that requests your credentials or payment information;
- Download and open a file (particularly an executable file);
- Carry out actions related to monetary transfers or access to systems or services.
How to find e-mail headers
Unfortunately, the visible From field is easy to spoof. The Received header, however, should show the sender’s real domain. You can find this header in any mail client. Here, we’re using Microsoft Outlook as an example because of its widespread use in modern business. The process should not be radically different in another client, however; if you use one you can consult the help documentation or try to find the headers yourself.
In Microsoft Outlook:
- Open the message you want to check;
- On the File tab, select Properties;
- In the Properties window that opens, find the Received field in the Internet headers section.
Before reaching the recipient, an e-mail can pass through more than one intermediate node, so you may see several Received fields. You’re looking for the lowest one, which contains information about the original sender. It should look something like this:
How to check domain from the Received header
The easiest way to make use of the Received header is to use our Threat Intelligence Portal. Some of its features are free, meaning you can use them without registering.
To check the address, copy it, go to Kaspersky Threat Intelligence Portal, paste it into the search box on the Lookup tab, and click Look up. The portal will return all available information about the domain, its reputation, and WHOIS details. The output should look something like this:
The very first line will probably display a “Good” verdict or “Uncategorized” sign. That just means our systems haven’t previously seen this domain used for criminal purposes. When preparing a targeted attack, attackers can register a fresh domain or use a breached legitimate domain with a good reputation. Carefully check the organization to which the domain is registered to see if it matches the one that the sender supposedly represents. An employee of a partner company in Switzerland, for example, is unlikely to send an e-mail through an unknown domain registered in Malaysia.
Incidentally, it’s a good idea to use our portal to check links in the e-mail as well, if they seem dubious, and use the File Analysis tab to check any message attachments.
Kaspersky Threat Intelligence Portal has lots of other useful features, but most are available only to registered users. For more information about the service, see the About the Portal tab.
Protection against phishing and malicious e-mails
Although checking suspicious e-mails is a good idea, keeping phishing emails from even reaching end users is better. Therefore, we always recommend installing antiphishing solutions at the corporate mail server level.
Additionally, a solution with antiphishing protection running on workstations will block redirects through phishing links, in case the e-mail creators fool the recipient.