How do you as the "in house expert" determine if an email is Phish or real?

(Paul Prunty) #1

I had a user forward me an email he had received from Tech Data. This email was indistinguishable from a KnowBe4 simulated phish!

Below is the meat of the message:
(there were some embedded images above this that aren’t important here that showed some spoof messages)

Sure, everything looks on the up and up - it’s good advice in the text… but the links!

The only reason I knew it wasn’t a KnowBe4 simulation was because I just finished my preliminary baseline campaign and this user had already forwarded me the KnowBe4 simulated threat!

There was only one link in the whole email that didn’t go to, that was the one to open it in a web browser. To save you the trouble, that domain belongs to, which is a marketing company apparently.

So I ask - ye who have already deployed this and have users forwarding you emails they suspect to be Phish… what do you use to determine if it’s real or not?

(Paul Prunty) #2

And here is the other email that was tying my up in knots.
What do you think - is this real or Malware?:

I’ve redacted the names and email addresses - except for the last name of the person who sent it which raised the hair on the back of our necks.

So based on what you see here - how do you go about determining if this is a phish or real? Do you go anywhere near that PDF file?

(This was also a real email BTW, and “Stalker” is the person’s real last name and that is their personal Gmail account… The PDF is a one page generic invoice)


I view the header of the email.

They have to send the email as an attachment to you so you can view the original.

Does this help?

(Paul Prunty) #4

Not really.

During this same time frame, I got this email… but I couldn’t see anything wrong with it in the header.
Is there a tool you use that helps you understand/decode the header? I’m using an old MS link - I think the header reader is the only part of the site that still works.
This is what the email looked like - Obvious phish:

(Paul Prunty) #5

Can you find where in this header I can see that this is a phish? Everything here makes it look like it came from Quest.

This is the tool I used to examine the header:

Just looking at the header info, the only think I can see that fails is the SPF:
“domain of used an invalid SPF mechanism”

Here is the header info 1/5

(Paul Prunty) #6


(Paul Prunty) #7


(Paul Prunty) #8


(Paul Prunty) #9



Wow. I can see why you are stressed out.

I was just referring to the File - Properties - Internet Headers.

The site you are using is giving you a lot of information but I don’t know think that is what it is meant for. Did someone suggest that site to you?

We just fall back on the usual rules:

  1. Are you expecting it?
  2. Is it out of character for that person to ask for or send this?
  3. Call the person directly, not the phone number in the email.
  4. Do not click on links in an email but go to the website itself. For example, Bank website or Credit Card website.

You probably already know all of these but it is always better to err on the side of being safe and delete it if unsure.

Sorry I could not be of more help.

(Paul Prunty) #11

Hey, I really appreciate you taking the time to answer!

I’m a little frustrated with our state of defense right now. KnowBe4 is teaching our users to “Look at the links - do they go where they should?” But now the legitimate emails - even customer service ones like the ones above I posted - go through marketing companies that change all the links to something very different and possibly suspicious.

How are my users supposed to know that “Http://” is really the website that Tech Data’s email marketing firm uses? What is to prevent a savvy hacker from getting the mkt0-k0087 domain? How do I know that EITHER of these pathways are good OR bad.

That is my struggle. I want my users to be educated, I want them to be able to accurately know if an email is coming from a company or a hacker… just like KnowBe4 promises to teach!

My boss is the Keeper of Old Tools, and she gave me this link. I don’t think anything works here except for the header analyzer tool:
Click on the tab on the bottom labeled “Message Analyzer”