Trace the Phish: Pivoting from Email to DNS to Server IP
The challenge
A user reported this phishing email. Open the sources and correlate them: the email links to a domain, a hostname under that domain has a DNS record, and a leaked config points at the same server. Find the address the phishing site actually runs on and submit that IP.
What you'll learn
- Pivot across independent sources (email, WHOIS, DNS, paste) to build a picture
- Read a phishing email's headers and link for the attacker's domain
- Resolve a hostname to its A record and recognise it as the real infrastructure
- Spot a freshly registered look-alike domain as a phishing indicator
Prerequisites
- Basic understanding of email, domains, and DNS records
- Awareness of phishing
How it works
Investigating a phishing report is an exercise in pivoting: no single artifact tells the whole story, so you connect independent sources until they point at the same thing. You start with what the victim received and follow it outward to the attacker's infrastructure.
The email is the entry point. Its display name impersonates IT, but the real signal is the link domain, acme-verify.co, a look-alike of the legitimate brand. WHOIS corroborates the threat: the domain was registered only days ago and its registrant is hidden behind a privacy service, both hallmarks of a throwaway phishing domain. The decisive pivot is DNS: resolving the phishing hostname secure-login.acme-verify.co gives an A record, and that IP, 203.0.113.66, is the machine serving the fake login page. The leaked kit config is independent confirmation: it lists the attacker's admin panel on the same IP. That agreement is what makes the answer solid: in the field a hostname can carry several A records or sit behind a CDN or reverse proxy, so the A record alone only says where traffic lands, and the paste is what ties that address to the kit itself.
The OSINT board presents each source as a card you open and read. The intel you want is not on any one card by itself; it emerges when the email's domain, the DNS A record, and the paste all line up on one address. That address is what a defender blocks at the firewall and reports to a takedown service.
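The pivot described above, carried through in code as an added example that is not part of the challenge page or its OSINT board: the email is parsed for its link hosts, the look-alike domain is checked against a WHOIS record for age and privacy proxying, the phishing host is resolved to its A record, and the result is cross-checked against the IP in the leaked kit config. The email text, WHOIS fields, dates and paste contents are constructed stand-ins for the challenge's cards, and the DNS table replaces a live lookup so the script runs offline; only the domain names and 203.0.113.66 come from the page.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# --- Constructed artifacts standing in for the OSINT board's cards -----------

# Constructed phishing email: display name impersonates IT, the link goes to
# the look-alike domain named in the challenge.
RAW_EMAIL = """\
From: "IT Support" <it-support@acme-verify.co>
To: jdoe@acme.example
Subject: Action required: verify your account
Content-Type: text/plain; charset="utf-8"

Your password expires today. Verify now:
https://secure-login.acme-verify.co/login?uid=jdoe
"""

# Constructed WHOIS answer: recent creation date, privacy-proxied registrant.
WHOIS = {
    "domain": "acme-verify.co",
    "created": date(2024, 5, 27),
    "registrant": "REDACTED FOR PRIVACY",
}

# Constructed DNS table standing in for a live resolver (socket.gethostbyname
# or dnspython in the field); the A record is the one the challenge gives.
DNS_A = {"secure-login.acme-verify.co": "203.0.113.66"}

# Constructed "leaked kit config" paste that names the attacker's admin panel.
PASTE = """\
; phishkit config (constructed)
target_brand = ACME
panel = http://203.0.113.66:8080/admin/
exfil_mail = drop@example.invalid
"""

REPORT_DATE = date(2024, 5, 31)  # constructed: the day the user reported the mail

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def link_hosts(raw_email: str) -> set:
    """Hostnames of every http(s) link in the text parts of the message."""
    msg = message_from_string(raw_email)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        hosts.update(urlparse(u).hostname for u in URL_RE.findall(text))
    return hosts


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A production tool consults the Public
    Suffix List so that e.g. example.co.uk is not cut down to co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def whois_flags(whois: dict, today: date) -> dict:
    """The two WHOIS signals the write-up calls out: age and privacy proxying."""
    age = (today - whois["created"]).days
    reg = whois["registrant"].upper()
    return {"age_days": age, "privacy_proxied": "REDACTED" in reg or "PRIVACY" in reg}


def resolve_a(host: str, table: dict = DNS_A) -> Optional[str]:
    """Offline stand-in for an A-record lookup against the constructed table."""
    return table.get(host.lower().rstrip("."))


def paste_ips(paste: str) -> set:
    """Every dotted quad in the paste; the kit's panel URL carries the server IP."""
    return set(IP_RE.findall(paste))


def correlate(raw_email: str, whois: dict, dns_table: dict, paste: str, today: date) -> dict:
    """Pivot email -> link host -> A record, then confirm against the paste.
    'answer' is only set when the DNS result and the paste name the same IP."""
    display, addr = parseaddr(message_from_string(raw_email)["From"])
    hosts = link_hosts(raw_email)
    leaked = paste_ips(paste)
    confirmed = [(h, ip) for h in sorted(hosts)
                 if (ip := resolve_a(h, dns_table)) and ip in leaked]
    return {
        "display_name": display,              # spoofable, kept for the report only
        "sender_domain": registrable_domain(addr.rsplit("@", 1)[-1]),
        "link_domains": sorted({registrable_domain(h) for h in hosts}),
        **whois_flags(whois, today),
        "confirmed": confirmed,
        "answer": confirmed[0][1] if confirmed else None,
    }


if __name__ == "__main__":
    for key, value in correlate(RAW_EMAIL, WHOIS, DNS_A, PASTE, REPORT_DATE).items():
        print(f"{key:16} {value}")
```

The `answer` field stays empty unless the A record and the paste agree, which is the point of reading the sources together rather than in isolation; swapping the constructed `DNS_A` for a real resolver call is the only change needed to run this against a live case.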
Common mistakes
- Submitting the domain instead of the IP. The question asks where the site runs - resolve the hostname to its A record.
- Trusting the From display name. 'IT Support' is spoofable; the link domain is the evidence.
- Reading one source in isolation. The answer comes from connecting the email's host, the DNS record, and the paste.
- Ignoring the registration date. A domain created days ago is a strong phishing indicator worth noting.
How to defend against it
Defensively, the recovered IP and domain feed directly into response: block them, hunt for other users who clicked, and submit a takedown. The freshly registered look-alike is the kind of indicator that newly-registered-domain detections and brand-monitoring catch early.
- Block the malicious domain and IP at the mail gateway and firewall, and hunt logs for prior contact.
- Monitor for newly registered look-alike domains of your brand.
- Report phishing infrastructure to the hosting provider and a takedown service.
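A detection for the look-alike monitoring point above, as an added example that is not from the page: given a brand name and a feed of domain registrations, flag candidates by three rules (brand token plus a keyword, homoglyph substitution, one edit away from the brand), skip the brand's own domains, and record how recently each hit was registered so newly registered look-alikes can be prioritised. The feed, the allow-list and the dates are constructed; only acme-verify.co comes from the challenge.

```python
import re
from datetime import date

BRAND = "acme"
OWN_DOMAINS = {"acme.example"}  # constructed allow-list of the brand's own domains

# Constructed newly-registered-domain feed: (domain, creation date). A real feed
# comes from a zone-file or NRD subscription; the first entry is the page's domain.
NRD_FEED = [
    ("acme-verify.co", date(2024, 5, 27)),
    ("acrne-login.net", date(2024, 5, 28)),
    ("acm3.support", date(2024, 5, 29)),
    ("supermarket-deals.biz", date(2024, 5, 29)),
    ("acme.example", date(2010, 1, 4)),
]

# Character sequences attackers substitute because they read as the brand's letters.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def normalize(label: str) -> str:
    """Undo the common look-alike substitutions so 'acrne' compares as 'acme'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single typos such as 'acme' -> 'acm3' or 'acmee'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(domain: str) -> str:
    """Label left of the TLD. Public Suffix List caveat applies (co.uk etc.)."""
    return domain.lower().rstrip(".").split(".")[-2]


def lookalike_reasons(domain: str, brand: str) -> list:
    """Why a domain looks like the brand; empty list means no match."""
    sld = second_level_label(domain)
    tokens = re.split(r"[-_]", sld)
    reasons = []
    if brand in tokens and sld != brand:
        reasons.append("brand plus keyword")
    norm = normalize(sld)
    if norm != sld and brand in re.split(r"[-_]", norm):
        reasons.append("homoglyph substitution")
    # Short brands produce false positives here (acme/acre/acne); tune or allow-list.
    for tok in tokens:
        if tok != brand and levenshtein(tok, brand) == 1:
            reasons.append(f"one edit from brand: {tok}")
    return reasons


def triage(feed: list, brand: str, own: set, today: date, max_age_days: int = 30) -> list:
    """Hits from the feed, each with its registration age and match reasons."""
    hits = []
    for domain, created in feed:
        if domain in own:
            continue
        reasons = lookalike_reasons(domain, brand)
        if not reasons:
            continue
        age = (today - created).days
        hits.append({"domain": domain, "age_days": age,
                     "newly_registered": age <= max_age_days, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(NRD_FEED, BRAND, OWN_DOMAINS, date(2024, 5, 31)):
        print(hit)
```

Run daily against the feed, the `newly_registered` hits are the ones to pre-emptively block at the mail gateway and queue for a takedown before a campaign using them lands.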