Phishing Analysis 2 — Blue Team Labs Online
Scenario — Put your phishing analysis skills to the test by triaging and collecting information about a recent phishing campaign.
Tools used:
- Text Editor.
- Thunderbird — can be used on either Linux or Windows.
Q. What is the sending email address?
Q. What is the recipient email address?
Q. What is the subject line of the email?
A. Your Account has been locked
Q. What company is the attacker trying to imitate?
A. Amazon
Q. What is the date and time the email was sent?
- Open the file using a text editor
A. Wed, 14 Jul 2021 01:40:32 +0900
Q. What is the URL of the main call-to-action button?
Q. Look at the URL using URL2PNG. What is the first sentence (heading) displayed on this site (regardless of whether you think the site is malicious or not)?
A. The page you are trying to access cannot be loaded
Q. When looking at the main body content in a text editor, what encoding scheme is being used?
A. Base 64
Q. What is the URL used to retrieve the company’s logo in the email?
Q. For some unknown reason one of the URLs contains a Facebook profile URL. What is the username (not necessarily the display name) of this account, based on the URL?
A. amir.boyka.7
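
The same triage can be scripted rather than read by eye in a text editor. The following is an added example, not part of the lab or of this write-up: it parses a constructed sample message (placeholder addresses and URLs) with Python's standard email package, reports the headers and body encoding the questions ask about, and lists the URLs in the decoded HTML without visiting them. The names triage and LinkCollector are illustrative.

```python
import base64
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample, not the lab's email: addresses and URLs are placeholders.
HTML_BODY = (
    '<html><body><img src="https://img.example.test/logo.png">'
    '<a href="https://login.example.test/verify">Review Account</a>'
    '</body></html>'
)
SAMPLE_EML = (
    'From: "Support" <sender@example.test>\n'
    'To: recipient@example.test\n'
    'Subject: Constructed sample subject\n'
    'Date: Fri, 01 Jan 2021 09:00:00 +0000\n'
    'MIME-Version: 1.0\n'
    'Content-Type: text/html; charset="utf-8"\n'
    'Content-Transfer-Encoding: base64\n'
    '\n' + base64.encodebytes(HTML_BODY.encode()).decode()
)

class LinkCollector(HTMLParser):
    """Collect (tag, url) pairs from href/src attributes; nothing is fetched."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append((tag, value))

def triage(raw_eml):
    """Return header fields, body encodings and embedded URLs of one message."""
    msg = message_from_string(raw_eml, policy=policy.default)
    report = {h: str(msg[h]) for h in ("From", "To", "Subject", "Date")}
    report["encodings"], collector = [], LinkCollector()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip containers and attachments
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
        report["encodings"].append(cte)
        collector.feed(part.get_content())  # undoes base64 / quoted-printable
    report["links"] = collector.links
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

To use it on a saved message, read the .eml file as text and pass the contents to triage(); an img entry corresponds to a logo-style URL and an a entry to a button or link target.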