Analysis of the email source

Get headers

To obtain the information below, open the saved message file (.eml) in a text editor such as Notepad++, Notepad or VS Code.

In some cases (for example with Office 365 / Outlook) the headers are obtained by opening the email, going to File > Properties and copying the "Internet headers" field into a text editor.

Sender checks

| Common name | Header name | Value |
| --- | --- | --- |
| Display name | From | Medium Daily Digest |
| Sending email address | From | noreply[@]medium.com |
| Is the domain used that of a partner? | N/A | No |
| Reply-To | Reply-To (if absent, same as the sender) | noreply[@]medium.com |
| Subject | Subject | I Went to Sleep at 4 A.M. for a Month |
| Issue date | Date | Wed, 12 Jan 2022 06:50:00 +0000 (UTC) |
| Sending IP | Received (the hop recorded by your own mail server) | 149.72.177.63 |
| Reverse DNS of the sending IP | Run Resolve-DnsName on the IP | o26.email.medium.com |
| Content summary | N/A | Summarise the mail here (appearance imitating a third-party service, quality of the language, what it asks the recipient to do, etc.) |
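The sender checks in the table above can be pulled out of a saved .eml with the Python standard library. The script below is an added example, not part of the original page: it reads the display name and address from From, applies the table's rule that Reply-To falls back to the sender when absent, parses Date, and takes the sending IP as the first globally routable address in the Received chain read top-down (the top Received line is the one your own MX wrote). The message it parses is constructed for the example: the From, Subject and Date values mirror the table, but the Received hops and the receiving host mx.example.net are invented.

```python
"""Sender checks: display name, address, Reply-To, Subject, Date, sending IP."""
import ipaddress
import re
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample .eml (Received hops and mx.example.net are invented).
SAMPLE_EML = b"""\
Received: from o26.email.medium.com (o26.email.medium.com [149.72.177.63])
 by mx.example.net with ESMTPS id abc123; Wed, 12 Jan 2022 06:50:05 +0000
Received: from localhost (localhost [127.0.0.1]) by o26.email.medium.com
 id xyz; Wed, 12 Jan 2022 06:50:00 +0000
From: Medium Daily Digest <noreply@medium.com>
Subject: I Went to Sleep at 4 A.M. for a Month
Date: Wed, 12 Jan 2022 06:50:00 +0000 (UTC)
To: reader@example.net

Daily digest body.
"""

# Bracketed IPv4 literals as they appear in Received lines: "host [1.2.3.4]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(value):
    """Join a folded header value back onto one line (RFC 5322 unfolding)."""
    return " ".join(str(value).split())


def defang_address(addr):
    """Write the address as in the table so it cannot be mailed by accident."""
    return addr.replace("@", "[@]")


def sending_ip(msg):
    """First globally routable IP in the Received chain, read top-down.

    The top Received line was added by our own MX, so the first public
    address it names is the host that actually handed us the message.
    Private and loopback addresses (internal relays) are skipped."""
    for received in msg.get_all("Received", []):
        for candidate in IP_RE.findall(unfold(received)):
            ip = ipaddress.ip_address(candidate)
            if ip.is_global:
                return str(ip)
    return None


def sender_checks(raw):
    """Return the values of the sender table for one raw message."""
    msg = message_from_bytes(raw)
    display_name, from_addr = parseaddr(unfold(msg.get("From", "")))
    # Table rule: Reply-To falls back to the sender when the header is absent.
    _, reply_addr = parseaddr(unfold(msg.get("Reply-To", "")))
    reply_addr = reply_addr or from_addr
    date = parsedate_to_datetime(unfold(msg.get("Date", "")))
    return {
        "display_name": display_name,
        "from": defang_address(from_addr),
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "reply_to": defang_address(reply_addr),
        # A Reply-To on a different address is a classic redirection trick.
        "reply_to_mismatch": reply_addr.lower() != from_addr.lower(),
        "subject": unfold(msg.get("Subject", "")),
        "date": date.isoformat(),
        "sending_ip": sending_ip(msg),
    }


if __name__ == "__main__":
    for key, value in sender_checks(SAMPLE_EML).items():
        print(f"{key:18} {value}")
```

The reverse DNS row stays a manual step: run `Resolve-DnsName 149.72.177.63` in PowerShell (passing an IP makes the cmdlet do a PTR lookup) and compare the result with the host named in the Received line.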

Attachment checks and obfuscated code

| Check | Value | Details |
| --- | --- | --- |
| Attachment present? | Yes / No | If yes, the file name and its SHA-256 fingerprint |
| Attachment content | N/A | Description of the attachment's content |
| Content encoded? | Yes / No | If yes, the encoded version and its decoded form. If the code is large, include a short description instead |

To get the hash on Windows: Get-FileHash -Algorithm SHA256 <file>
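For the attachment table, the same values can be produced from the .eml itself rather than after saving the file: name, SHA-256 and, for the "content encoded?" row, any base64 blobs inside the attachment decoded back to text. This is an added example, not the page's own tooling. The message and its attachment are constructed inline: a small HTML file whose script is hidden in a base64 string passed to atob(), a common way of hiding a redirect. The decoded payload here is an inert, defanged string.

```python
"""Attachment checks: name, SHA-256 fingerprint and decoding of embedded base64."""
import base64
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed attachment: the script body is hidden in a base64 blob. The
# decoded text is a defanged placeholder, not a real destination.
HIDDEN_SCRIPT = b"document.location='hxxps://URL.TLD/Page';"
ATTACHMENT_HTML = (
    b"<html><body><script>eval(atob('"
    + base64.b64encode(HIDDEN_SCRIPT)
    + b"'))</script></body></html>"
)

# Runs of base64 alphabet long enough to be worth decoding (24 chars = 18 bytes).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def build_sample_eml():
    """Construct a message with one attachment so the example runs offline."""
    msg = EmailMessage()
    msg["From"] = "noreply@medium.com"
    msg["To"] = "reader@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("See attachment.")
    # Bytes content is base64-encoded for transport by the email package.
    msg.add_attachment(ATTACHMENT_HTML, maintype="text", subtype="html",
                       filename="invoice.html")
    return msg.as_bytes()


def sha256_hex(data):
    """Same value Get-FileHash -Algorithm SHA256 prints for the saved file."""
    return hashlib.sha256(data).hexdigest()


def is_printable(data):
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def decode_blobs(data):
    """Find base64 runs in the content and return the ones that decode to text.

    validate=True rejects runs with stray characters; the printable filter
    drops runs that happen to decode but are just binary noise."""
    decoded_texts = []
    for blob in B64_RE.findall(data):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if decoded and is_printable(decoded):
            decoded_texts.append(decoded.decode("ascii"))
    return decoded_texts


def attachment_checks(raw):
    """One record per attachment: the rows of the attachment table."""
    msg = message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # transport encoding removed
        blobs = decode_blobs(data)
        records.append({
            "name": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": sha256_hex(data),
            "content_encoded": bool(blobs),
            "decoded": blobs,
        })
    return records


if __name__ == "__main__":
    for record in attachment_checks(build_sample_eml()):
        for key, value in record.items():
            print(f"{key:16} {value}")
```

The SHA-256 of the decoded payload is what goes in the table: it is the hash of the file as the recipient would save it, so it can be searched on threat-intelligence platforms directly.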

Mail authentication checks

| Common name | Header name | Value |
| --- | --- | --- |
| SPF analysis | Authentication-Results (spf=) or Received-SPF | Pass / Fail |
| DKIM analysis | Authentication-Results (dkim=) | Pass / Fail |
| DMARC analysis | Authentication-Results (dmarc=) | Pass / Fail and the configured policy (p= tag of the domain's _dmarc TXT record) |

A description of the purpose of each of these standards is available at the end.
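The three results usually sit in one Authentication-Results header written by the receiving server. The script below, an added example and not the page's own code, splits that header into per-method results, checks that the SPF and DKIM domains align with the From domain (the relationship DMARC enforces), and reads the configured policy from a DMARC TXT record. Both messages and the DMARC record are constructed for the example; the real record for a domain is obtained with a DNS query such as `Resolve-DnsName -Type TXT _dmarc.medium.com`, and its contents may differ from the sample.

```python
"""SPF / DKIM / DMARC results from Authentication-Results, plus the DMARC policy."""
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed messages: the Authentication-Results values are invented.
LEGIT_EML = b"""\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 149.72.177.63) smtp.mailfrom=medium.com;
 dkim=pass (signature verified) header.d=medium.com header.s=s1;
 dmarc=pass action=none header.from=medium.com
From: Medium Daily Digest <noreply@medium.com>
Subject: I Went to Sleep at 4 A.M. for a Month

body
"""

SPOOFED_EML = b"""\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=bulk.example.org;
 dkim=none;
 dmarc=fail action=quarantine header.from=medium.com
From: Medium Daily Digest <noreply@medium.com>
Subject: Your account will be closed

body
"""

# Constructed DMARC TXT record, in the form a lookup of _dmarc.<domain> returns.
DMARC_TXT = "v=DMARC1; p=reject; rua=mailto:reports@example.net"

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROP_RE = re.compile(r"(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")


def unfold(value):
    return " ".join(str(value).split())


def parse_authentication_results(value):
    """Map method -> {result, properties}; clauses after the authserv-id are
    separated by ';' and each names one method (RFC 8601 layout)."""
    results = {}
    for clause in unfold(value).split(";")[1:]:
        found = METHOD_RE.search(clause)
        if not found:
            continue
        method, result = found.groups()
        results[method] = {"result": result.lower(), **dict(PROP_RE.findall(clause))}
    return results


def parse_dmarc_record(txt):
    """Tags of a DMARC TXT record, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def aligned(domain, from_domain):
    """Relaxed DMARC alignment: same domain or a subdomain of the From domain."""
    domain = domain.lower()
    return domain == from_domain or domain.endswith("." + from_domain)


def authentication_checks(raw, dmarc_txt):
    msg = message_from_bytes(raw)
    from_domain = parseaddr(unfold(msg.get("From", "")))[1].rpartition("@")[2].lower()
    ar = parse_authentication_results(msg.get("Authentication-Results", ""))
    spf, dkim, dmarc = (ar.get(m, {}) for m in ("spf", "dkim", "dmarc"))
    tags = parse_dmarc_record(dmarc_txt)
    dmarc_policy = tags.get("p", "none") if tags.get("v", "").upper() == "DMARC1" else "no record"
    return {
        "from_domain": from_domain,
        "spf": spf.get("result", "none"),
        "spf_aligned": aligned(spf.get("smtp.mailfrom", ""), from_domain),
        "dkim": dkim.get("result", "none"),
        "dkim_aligned": aligned(dkim.get("header.d", ""), from_domain),
        "dmarc": dmarc.get("result", "none"),
        "dmarc_policy": dmarc_policy,
        # DMARC is the verdict that matters: it already combines SPF/DKIM
        # results with alignment against the From domain the user sees.
        "verdict": "pass" if dmarc.get("result") == "pass" else "fail",
    }


if __name__ == "__main__":
    for raw in (LEGIT_EML, SPOOFED_EML):
        print(authentication_checks(raw, DMARC_TXT))
```

Only trust an Authentication-Results header whose authserv-id (the first token, mx.example.net above) is your own receiving server: an attacker can include a forged one in the message, and a well-configured MX strips or renames such headers on the way in.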

URL checks

| Common name | Scheme | Value | Domain |
| --- | --- | --- | --- |
| Presence of URL | https | hxxps://URL.TLD/Page | Domain.TLD |

Be sure to replace "http" with "hxxp" so that the link is not clickable.

A Whois lookup can also help identify malicious sites: a domain registered two days before the malicious email was received is one more clue.
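Filling the URL table by hand means reading every href in the HTML part, since the visible link text is what the victim sees and the href is where they go. The script below, added here as an example and not the page's own code, collects URLs from the plain-text part and (href, visible text) pairs from the HTML part, defangs each one with the hxxp convention from the table, extracts the domain, and flags links whose visible text is itself a URL on a different host. The sample message is constructed: medium.com is the page's sender domain, while login.example.net is an invented deceptive host.

```python
"""URL checks: extract, defang and compare visible text against href targets."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# http(s) URLs up to whitespace or a closing quote/bracket.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def build_sample_eml():
    """Constructed multipart/alternative message with a text and an HTML part."""
    msg = EmailMessage()
    msg["From"] = "Medium Daily Digest <noreply@medium.com>"
    msg["To"] = "reader@example.net"
    msg["Subject"] = "I Went to Sleep at 4 A.M. for a Month"
    msg.set_content("Read it here: https://medium.com/@author/post\n")
    msg.add_alternative(
        '<p>Read it <a href="https://medium.com/@author/post">here</a>\n'
        'or sign in at\n'
        '<a href="https://login.example.net/medium">https://medium.com/me</a>.</p>\n',
        subtype="html",
    )
    return msg.as_bytes()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def defang(url):
    """http -> hxxp, as the table requires, so the link is not clickable."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


def registered_domain(host):
    """Last two labels, the Domain.TLD cell. Public-suffix cases such as
    example.co.uk need a suffix list and are not handled here."""
    return ".".join(host.lower().split(".")[-2:])


def describe(url, source, shown=""):
    host = urlsplit(url).hostname or ""
    shown = shown.strip()
    # Only compare hosts when the visible text itself looks like a URL.
    shown_host = urlsplit(shown).hostname if URL_RE.match(shown) else None
    return {
        "url": defang(url),
        "host": host,
        "domain": registered_domain(host),
        "source": source,
        "shown_text": shown,
        "text_mismatch": shown_host is not None and shown_host.lower() != host.lower(),
    }


def url_checks(raw):
    """One record per URL found in the text and HTML parts, in message order."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            found += [describe(u, ctype) for u in URL_RE.findall(part.get_content())]
        elif ctype == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            found += [describe(href, ctype, text) for href, text in collector.links]
    return found


if __name__ == "__main__":
    for record in url_checks(build_sample_eml()):
        print(record)
```

The domain column is what you then run through Whois; registration age is read off the record's creation date by hand, as the note above describes.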

Conclusion

At this point, we have enough information to decide whether the email is malicious or not.