
PhishNet


In this Sherlock you get a single file, email.eml. The task is to examine the file and answer the questions.

All but the last three questions can be answered by running less email.eml and reading the headers and body carefully; the remaining three need the attachment carved out of the message.


Answers
What is the originating IP address of the sender?

45.67.89.10

Which mail server relayed this email before reaching the victim?

203.0.113.25

What is the sender's email address?

finance@business-finance.com

What is the 'Reply-To' email address specified in the email?

support@business-finance.com

What is the SPF (Sender Policy Framework) result for this email?

pass

What is the domain used in the phishing URL inside the email?

secure.business-finance.com

What is the fake company name used in the email?

Business Finance Ltd.

What is the name of the attachment included in the email?

Invoice_2025_Payment.zip

What is the SHA-256 hash of the attachment?

8379C41239E9AF845B2AB6C27A7509AE8804D7D73E455C800A551B22BA25BB4A

What is the filename of the malicious file contained within the ZIP attachment?

invoice_document.pdf.bat

Which MITRE ATT&CK techniques are associated with this attack?

T1566.001


   Λ   ~/hackthebox   cat -n email.eml
     1  Return-Path: <finance@business-finance.com>
     2  Reply-To: <support@business-finance.com>
     3  X-Mailer: Microsoft Outlook 16.0
     4  X-Originating-IP: [45.67.89.10]
     5  X-Priority: 1 (Highest)
     6  X-MSMail-Priority: High
     7  Received-SPF: Pass (protection.outlook.com: domain of business-finance.com designates 45.67.89.10 as permitted sender)
     8  ARC-Seal: i=1; a=rsa-sha256; d=business-finance.com; s=arc-2025; t=1677416100; cv=pass;
     9  ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=business-finance.com; s=arc-2025;
    10  X-AntiSpam: Passed
    11  X-Organization: Business Finance Ltd.
    12  X-Envelope-From: finance@business-finance.com
    13  List-Unsubscribe: <mailto:unsubscribe@business-finance.com>
    14  X-Sender-IP: 45.67.89.10
    15  Received: from mail.business-finance.com ([203.0.113.25])
    16      by mail.target.com (Postfix) with ESMTP id ABC123;
    17      Mon, 26 Feb 2025 10:15:00 +0000 (UTC)
    18  Received: from relay.business-finance.com ([198.51.100.45])
    19      by mail.business-finance.com with ESMTP id DEF456;
    20      Mon, 26 Feb 2025 10:10:00 +0000 (UTC)
    21  Received: from finance@business-finance.com ([198.51.100.75])
    22      by relay.business-finance.com with ESMTP id GHI789;
    23      Mon, 26 Feb 2025 10:05:00 +0000 (UTC)
    24  Authentication-Results: spf=pass (domain business-finance.com designates 45.67.89.10 as permitted sender)
    25       smtp.mailfrom=business-finance.com;
    26       dkim=pass header.d=business-finance.com;
    27       dmarc=pass action=none header.from=business-finance.com;
    28  Message-ID: <20250226101500.ABC123@business-finance.com>
    29  Date: Mon, 26 Feb 2025 10:15:00 +0000 (UTC)
    30  From: "Finance Dept" <finance@business-finance.com>
    31  To: "Accounting Dept" <accounts@globalaccounting.com>
    32  Subject: Urgent: Invoice Payment Required - Overdue Notice
    33  MIME-Version: 1.0
    34  Content-Type: multipart/mixed; boundary="boundary123"
    35  
    36  --boundary123
    37  Content-Type: text/html; charset="UTF-8"
    38  Content-Transfer-Encoding: quoted-printable
    39  
    40  <html>
    41  <head>
    42    <title>Invoice Overdue</title>
    43  </head>
    44  <body>
    45    <p>Dear Accounting Team,</p>
    46  <p>This is a final notice regarding the outstanding invoice #INV-2025-0012. Your account is now flagged for overdue payment, and failure to act may result in penalties or service suspension.</p>
    47  <p>Details of the invoice:</p>
    48  <ul>
    49    <li><b>Invoice Number:</b> INV-2025-0012</li>
    50    <li><b>Amount Due:</b> $4,750.00</li>
    51    <li><b>Due Date:</b> February 28, 2025</li>
    52  </ul>
    53    <p>Our records indicate that invoice #INV-2025-0012 is overdue for payment. Please process the payment immediately to avoid late fees.</p>
    54    <p>For your convenience, you can download the full invoice and payment instructions from the link below:</p>
    55    <p><a href="https://secure.business-finance.com/invoice/details/view/INV2025-0987/payment">Download Invoice</a></p>
    56    <p>Alternatively, the invoice is also attached as a .zip file.</p>
    57    <p>If you have already made the payment, kindly ignore this notice.</p>
    58    <p>Best regards,<br>Finance Department<br>Business Finance Ltd.</p>
    59  </body><p>For assistance, please contact our support team at <a href='mailto:support@business-finance.com'>support@business-finance.com</a> or call our helpline at +1-800-555-0199.</p>
    60  <p>Thank you for your prompt attention to this matter.</p>
    61  
    62  </html>
    63  
    64  --boundary123
    65  Content-Type: application/zip; name="Invoice_2025_Payment.zip"
    66  Content-Disposition: attachment; filename="Invoice_2025_Payment.zip"
    67  Content-Transfer-Encoding: base64
    68  
    69  UEsDBBQAAAAIABh/WloXPY4qcxITALvMGQAYAAAAaW52b2ljZV9kb2N1bWVudC5wZGYuYmF0zL3ZzuzIsR18LQN+h62DPujWX0e7
    70  
    71  --boundary123--

The originating IP address of the sender is on line 4 of the headers, X-Originating-IP: [45.67.89.10]; the same address is repeated in X-Sender-IP, Received-SPF and Authentication-Results.

   Λ   ~/hackthebox   grep -i origin email.eml                           1 ↵
X-Originating-IP: [45.67.89.10]

Here I used an IP regex to list every IP address mentioned in the .eml file, then grepped for each one to see which headers it appears in. The relay that handed the mail to the victim's server is the one in the topmost Received header, 203.0.113.25; the two hops below it (198.51.100.45 and 198.51.100.75) are earlier in the chain.

   Λ   ~/hackthebox   grep -i origin email.eml                           1 ↵
X-Originating-IP: [45.67.89.10]
   Λ   ~/hackthebox   grep -i server email.eml
   Λ   ~/hackthebox   grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' email.eml   1 ↵
45.67.89.10
45.67.89.10
45.67.89.10
203.0.113.25
198.51.100.45
198.51.100.75
45.67.89.10
   Λ   ~/hackthebox   grep "203.0.113.25" email.eml
Received: from mail.business-finance.com ([203.0.113.25])
   Λ   ~/hackthebox   grep "45.67.89.10" email.eml
X-Originating-IP: [45.67.89.10]
Received-SPF: Pass (protection.outlook.com: domain of business-finance.com designates 45.67.89.10 as permitted sender)
X-Sender-IP: 45.67.89.10
Authentication-Results: spf=pass (domain business-finance.com designates 45.67.89.10 as permitted sender)
   Λ   ~/hackthebox   grep "198.51.100.75" email.eml
Received: from finance@business-finance.com ([198.51.100.75])
   Λ   ~/hackthebox   grep "198.51.100.45 " email.eml
   Λ   ~/hackthebox   grep "198.51.100.45" email.eml                     1 ↵
Received: from relay.business-finance.com ([198.51.100.45])
   Λ   ~/hackthebox

Here I extract the attachment from the .eml file with ripmime, which writes the zip and the two MIME text parts into ./out, and then try to open the zip.

   Λ   ~/hackthebox   ripmime -i email.eml -d ./out
   Λ   ~/hackthebox   ls
brutus  email.eml  out
   Λ   ~/hackthebox   ls out
Invoice_2025_Payment.zip  textfile0  textfile1

The archive is truncated (7z reports "Unexpected end of archive", and the file is only 75 bytes), so extraction with x fails. Using 7z with l (list) instead still reads the local file header and shows that the file inside the zip is a batch file disguised as a PDF with a double extension.

   Λ   ~/hackthebox   7z l out/Invoice_2025_Payment.zip


7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03
 64-bit locale=en_GB.UTF-8 Threads:20 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 75 bytes (1 KiB)

Listing archive: out/Invoice_2025_Payment.zip

--
Path = out/Invoice_2025_Payment.zip
Type = zip
ERRORS:
Unexpected end of archive
Physical Size = 75
Characteristics = Local

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2025-02-26 15:56:48 .....      1690811      1249907  invoice_document.pdf.bat
------------------- ----- ------------ ------------  ------------------------
2025-02-26 15:56:48            1690811      1249907  1 files

Errors: 1

Getting the sha256sum was trivial:

   Λ   ~/hackthebox   sha256sum out/Invoice_2025_Payment.zip
8379c41239e9af845b2ab6c27a7509ae8804d7d73e455c800a551b22ba25bb4a  out/Invoice_2025_Payment.zip

For the last question, on attack.mitre.org the Phishing technique (T1566) has the sub-technique "Spearphishing Attachment", which is T1566.001.
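To do the whole triage in one pass instead of a series of greps, here is an added example script (my own, not the writeup's and not an HTB tool) that parses a .eml with Python's standard email library: it walks the Received chain oldest-first, pulls X-Originating-IP and the SPF verdict out of Authentication-Results, lists the hostnames linked from the HTML body, and hashes each attachment. SAMPLE_EML is constructed from the headers, link and base64 attachment line shown above, trimmed to the parts the parser needs. The ZIP member-name walker reads the local file headers directly rather than the central directory, which is why it still names invoice_document.pdf.bat in a truncated archive, the same reason 7z l works where 7z x does not. Run it as python triage.py email.eml to analyse a real file; with no argument it runs on the constructed sample.

```python
import email
import hashlib
import re
import struct
import sys
from email import policy
from urllib.parse import urlparse

# Constructed sample reproducing the headers, link and truncated ZIP shown in the writeup.
SAMPLE_EML = b"""\
Reply-To: <support@business-finance.com>
X-Originating-IP: [45.67.89.10]
Received: from mail.business-finance.com ([203.0.113.25]) by mail.target.com (Postfix) with ESMTP id ABC123;
    Mon, 26 Feb 2025 10:15:00 +0000 (UTC)
Received: from relay.business-finance.com ([198.51.100.45]) by mail.business-finance.com with ESMTP id DEF456;
    Mon, 26 Feb 2025 10:10:00 +0000 (UTC)
Received: from finance@business-finance.com ([198.51.100.75]) by relay.business-finance.com with ESMTP id GHI789;
    Mon, 26 Feb 2025 10:05:00 +0000 (UTC)
Authentication-Results: spf=pass (domain business-finance.com designates 45.67.89.10 as permitted sender)
     smtp.mailfrom=business-finance.com; dkim=pass header.d=business-finance.com; dmarc=pass action=none header.from=business-finance.com;
From: "Finance Dept" <finance@business-finance.com>
Content-Type: multipart/mixed; boundary="boundary123"

--boundary123
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<p><a href="https://secure.business-finance.com/invoice/details/view/INV2025-0987/payment">Download Invoice</a></p>
<p>Contact <a href='mailto:support@business-finance.com'>support@business-finance.com</a></p>

--boundary123
Content-Type: application/zip; name="Invoice_2025_Payment.zip"
Content-Disposition: attachment; filename="Invoice_2025_Payment.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIABh/WloXPY4qcxITALvMGQAYAAAAaW52b2ljZV9kb2N1bWVudC5wZGYuYmF0zL3ZzuzIsR18LQN+h62DPujWX0e7
--boundary123--
"""

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?(" + IP_RE + r")\]?\)\s+by\s+(\S+)", re.I)

def header(msg, name):
    """Unfolded header value with whitespace collapsed, or None if absent."""
    value = msg.get(name)
    return None if value is None else re.sub(r"\s+", " ", str(value)).strip()

def received_chain(msg):
    """Hops oldest-first; the last entry is the relay that handed the mail to the victim's MX."""
    hops = [RECEIVED_RE.search(re.sub(r"\s+", " ", str(v))) for v in msg.get_all("Received", [])]
    # each MTA prepends its own Received header, so reversing gives delivery order
    return [{"from": m[1], "ip": m[2], "by": m[3]} for m in reversed(hops) if m]

def spf_result(msg):
    """SPF verdict parsed out of the Authentication-Results header."""
    m = re.search(r"\bspf=(\w+)", header(msg, "Authentication-Results") or "", re.I)
    return m[1].lower() if m else None

def link_domains(msg):
    """Hostnames of http(s) links in the HTML body, deduplicated in order of appearance."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    hrefs = re.findall(r"""href=["']([^"'>\s]+)""", html, re.I)  # plain regex is enough for triage
    hosts = [urlparse(h).hostname for h in hrefs if h.startswith(("http://", "https://"))]
    return list(dict.fromkeys(h for h in hosts if h))

def zip_member_names(data):
    """Walk ZIP local file headers, so names are recovered even with no central directory."""
    names, pos = [], 0
    while (pos := data.find(b"PK\x03\x04", pos)) >= 0 and pos + 30 <= len(data):
        fn_len, extra_len = struct.unpack_from("<HH", data, pos + 26)  # name/extra lengths
        name = data[pos + 30:pos + 30 + fn_len]
        if len(name) < fn_len:
            break  # the header itself is cut off
        names.append(name.decode("utf-8", "replace"))
        pos += 30 + fn_len + extra_len
    return names

def attachments(msg):
    """Name, size, SHA-256 and ZIP member names for every attachment part."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        out.append({"name": part.get_filename(), "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "members": zip_member_names(data) if data[:2] == b"PK" else []})
    return out

def triage(raw):
    """Answer the writeup's header questions for one raw .eml (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    chain = received_chain(msg)
    ip = re.search(IP_RE, header(msg, "X-Originating-IP") or "")
    return {"originating_ip": ip[0] if ip else None,
            "last_relay": chain[-1]["ip"] if chain else None,
            "sender": msg["From"].addresses[0].addr_spec if msg["From"] else None,
            "reply_to": msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else None,
            "spf": spf_result(msg), "link_domains": link_domains(msg),
            "attachments": attachments(msg)}

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    print(triage(raw))
```

Because the sample's base64 line is the one from the writeup, the reported sha256 of the 75-byte attachment can be compared directly with the sha256sum output above; it should agree if the line survived intact. The mailto link in the sample is deliberately there to show that only http(s) hosts are reported as phishing domains.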