Phishing Email

https://app.letsdefend.io/challenge/phishing-email

Your email address has been leaked and you receive an email from Paypal in German. Try to analyze the suspicious email.


Download the zipped folder provided and use the password to extract an email file.

Open the extracted .eml file in Sublime Text with the Email Header package installed so the header syntax is highlighted and easier to read.


What is the return path of the email?

The return path identifies the address to which non-delivery receipts, also known as bounce messages, should be sent when an email is not delivered to its intended recipient.

Look out for the Return-Path value in the email to find the answer.


What is the domain name of the url in this mail?

Search the HTML body text for the href= attribute of the link and take the domain name from that URL.
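An added Python helper (not part of the challenge or the original post) that does the first two steps on a constructed sample .eml: it pulls the Return-Path, extracts every href from the HTML body and reduces each link to its domain. The addresses and the link in the sample are placeholders I made up, not the challenge's values.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample .eml; addresses and URL are placeholders, not the challenge's values.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.example.net>
From: "PayPal" <service@paypal.example>
To: victim@example.org
Subject: Ihr Konto wurde eingeschraenkt
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Bitte bestaetigen Sie Ihr Konto.</p>
<a href="https://storage.example-cdn.test/abc123/index.html">Jetzt anmelden</a>
</body></html>
"""

# Matches the URL inside href="..." / href='...' / href=... in the HTML body.
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def parse_eml(raw: bytes) -> dict:
    """Extract the fields a phishing triage looks at first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    urls = HREF_RE.findall(body)
    return_path = (msg.get("Return-Path") or "").strip("<> ")
    from_addr = parseaddr(msg.get("From", ""))[1]
    domains = {urlparse(u).hostname for u in urls}
    return {
        "return_path": return_path,
        "from": from_addr,
        "urls": urls,
        "url_domains": sorted(d for d in domains if d),
        # Return-Path domain differing from the From domain is a classic red flag.
        "sender_mismatch": return_path.rsplit("@", 1)[-1] != from_addr.rsplit("@", 1)[-1],
        # SHA-256 of the HTML part: a local fingerprint of the message body, which is
        # not the same value as VirusTotal's "Body SHA-256" of the linked web page.
        "body_sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in parse_eml(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it on the challenge's extracted .eml by replacing SAMPLE_EML with the file's bytes; the url_domains list is what you then submit to VirusTotal.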


Is the domain mentioned in the previous question suspicious?

Head to VirusTotal and submit the domain.

The domain itself does not come up as suspicious; however, in the Community tab users have reported it as a potential phishing site.

Looking at the full URL, though, the path is a randomly generated string.

Submitting the full URL to VirusTotal flags it as a malicious site.


What is the body SHA-256 of the domain?

On the VirusTotal URL report, click the Details tab and look for the Body SHA-256 value.


Is this email a phishing email?

storage.googleapis.com is a legitimate domain; however, in the VT comments users identify this site as hosting a potential phishing campaign. This could be a case of domain shadowing. Furthermore, submitting the entire URL to VT indicates it is indeed a malicious link.

https://unit42.paloaltonetworks.com/domain-shadowing/
