Phase 3: Verify Sender Authenticity

This phase focuses on confirming the legitimacy of the sender by analyzing the metadata, authentication protocols, and behavioral patterns associated with the message. Attackers often spoof email addresses, impersonate trusted contacts, or use lookalike domains to trick users.

By verifying sender authenticity, you can identify:

• Spoofed identities

• Compromised accounts

• Forged or manipulated headers

• Misconfigured, or weak security controls and measures, e.g., failed email filters

• IOCs that need to be blocked - IPs, Domains, and files extensions.

The following are a few methods that can be used to verify sender authenticity:

1. Compare Display Name vs Email Address, Phone Number, or Social Media Account Name

   • Attackers often use a legitimate-sounding display name (e.g., "Microsoft Security Team") but pair it with a malicious or spoofed email address, phone number, or social media account.

   • For example:

     • Mismatched domains - Display Name: PayPal Support  but email address support@paypalsecurity[.]com

     • Free email services used for official roles - CEO company_ceo@gmail[.]com

     • Misspellings or character swaps - micr0soft[.]com, serv1ce-now[.]com

   • Always expand the sender details in the messaging client app (or view source/headers if possible) to see the real email address.

2. Analyze Email Headers 

   • The full (raw) email headers will provide valuable information of the actual sender and indicators of compromise.

   • Header fields to review:

     • From - Claimed sender’s address (easily spoofed)

     • Reply-To - Where replies are directed (often malicious)

     • Return-Path - Where bounced messages go; should match the sender domain

     • Message-ID - Often includes the originating domain/IP address

     • Received - Shows the path the email took; can reveal spoofed routes

     • X-Originating-IP / X-Sender-IP - Can help track the sending IP address

   • Compare the Return-Path, From, and Reply-To addresses—if they differ, this is a red flag.

3. Check Email Authentication Protocols

   • Modern email systems use authentication protocols, such as SPF, DKIM, and DMARC, to verify whether an authorized server sent the message.

   • Use tools like MXToolbox and Google Admin Toolbox - Messageheader to review email headers.

   • Be sure to review email gateway logs as well.

4. Validate Domain Legitimacy

   • Attackers use typosquatting or lookalike (homograph) domains to impersonate trusted sources.

   • Details to pay attention to:

     • Look for small variations (e.g., amaz0n[.]com, micros0ft[.]org)

     • Use WHOIS to check:

       • Domain age (new domains = suspicious)

       • Registrar (known/unknown)

       • Contact email and registration info

     • Use passive DNS tools (e.g., PassiveTotal, SecurityTrails) to check domain history

   • Most legitimate companies have domains that are years old and well-established.

5. Review the Sending IP Address

   • From headers Extract Received: chain or X-Originating-IP and perform reputation checks using AbuseIPDB, Cisco Talos Intelligence, IPVoid, and Geolocate the IP (verify it is from the same region the sender claims).

   • Expected geolocation/IP range = Lower risk

   • Suspicious hosting provider or mismatched country = Investigate

6. Behavioral Clues from Known Contacts

   • Even if the sender's address is legitimate, the account could be compromised; thus, analysts (and users) need to look for the following behavioral indicators of compromise:

     • Unusual language or tone (“Hi, urgent help please…”)

     • Irregular timing (sent at 3 AM on a Sunday)

     • Unexpected attachments or requests

     • New or strange signature formats

     • Emails lacking context or referencing vague topics

   • If the message “feels off,” compare to past communications from the same person.