
Email Header Forensics

  • Challenge
  • Released 03 Oct 2025

📧 Can you uncover the truth hidden in email headers?

A suspicious email claiming to be from PayPal has landed in your inbox, but something doesn't add up! 🕵️ Email headers hold the digital fingerprints that phishers try to hide. Armed with forensic analysis skills, you'll trace the real origin of this message and discover evidence hidden in plain sight. 🔍 Time to put on your investigator hat and expose this phishing attempt!

Flags: 1 · Points: 1 · Pro Exclusive

📧 Email Header Forensics - Complete Solution

Objective: Analyze email headers to detect phishing indicators and extract forensic evidence including the investigation case flag.
🔍 Step 1: Download and Open Email

Download the suspicious email file from the challenge page:

Opening the Email:
Open suspicious-email.eml in a text editor or pager, not an email client:
cat suspicious-email.eml
or
less suspicious-email.eml

Why not an email client? A client renders the HTML, may fetch remote images (which fires the tracking pixel and tells the sender you opened the message), hides most headers behind a "show original" view, and may run active content. A text editor or pager shows the raw RFC 5322 structure and executes nothing. Prefer less over cat for untrusted files: less displays control characters instead of passing terminal escape sequences straight to your terminal.
🔍 Step 2: Analyze Email Headers

Examine the email headers to identify suspicious indicators:

Key Headers to Examine:

From Header:
From: PayPal Security <security@paypal.com>
Claims to be from PayPal. The From header is written by the sender and is trivially forged; on its own it proves nothing.

Received Headers (read bottom-to-top):
Received: from suspicious-server.example.org (198.51.100.42)
Every MTA that handles the message prepends its own Received line, so the bottom line is the first hop and the top line is your own mail server. The first hop here is suspicious-server.example.org, NOT a PayPal server. Caveat: the name after "from" is whatever the sending host announced in HELO; the IP in parentheses is what the receiving MTA actually saw. Trust only the Received lines written by servers you control, and treat any line below them as possibly fabricated by the sender.

X-Originating-IP:
X-Originating-IP: 198.51.100.42
Real source IP address: 198.51.100.42 (not a PayPal IP). This is a non-standard header that some webmail and MTA software adds; here it corroborates the first-hop IP in the Received chain, but on its own it is as forgeable as From.

X-Mailer:
X-Mailer: PhishKit v2.3
Reveals the phishing toolkit that generated the message. The value is self-reported by the sending software, so it can be absent or faked, but when present it is a useful fingerprint for linking messages to the same campaign.

X-Spam-Score:
X-Spam-Score: 8.5
Added by the receiving spam filter, not the sender, so it is one of the few headers here the attacker did not write. 8.5 is well above the usual threshold (SpamAssassin's default required_score is 5.0) and indicates likely phishing.
🔍 Step 3: Identify Phishing Indicators

Recognize the red flags in this email:

Phishing Red Flags:
✗ Sender domain mismatch (From claims paypal.com, first hop is suspicious-server.example.org)
✗ Suspicious X-Mailer header (PhishKit v2.3)
✗ High spam score (8.5)
✗ Urgent action required language
✗ Lookalike link: paypal-verify.suspicious-server.example.org puts the brand name in a subdomain, but the registrable domain is suspicious-server.example.org, not paypal.com
✗ Threats of account suspension
✗ Generic greeting (Dear Valued Customer) where a provider that holds your account would normally address you by name
✗ Tracking pixel in HTML (track.php?id=user12345): a 1x1 image whose URL carries a per-recipient ID, so fetching it tells the sender that this address is live and the message was opened
🔍 Step 4: Locate Forensic Evidence

Find the custom investigative headers containing evidence:

Investigation Headers:

X-Investigation-ID: INV-2024-10-03-471923
Case investigation identifier

X-Evidence-Hash: YTJmNGU4ZDktZjNhYi00NzExLWI4ZTMtMWE5YzQyZDc2ZTk4
Base64-encoded evidence identifier (despite the name, it decodes to a UUID rather than a digest; see Step 6)

X-Case-Flag: MDk2OTExOWMtNTgyMC00M2M2LThjNjAtYjc3NjNjNTEwYmZl
Base64-encoded investigation case flag (this is what we need!)
🔍 Step 5: Decode the Flag

Decode the Base64-encoded flag from the X-Case-Flag header:

Using Command Line (GNU coreutils; on macOS use --decode):
echo 'MDk2OTExOWMtNTgyMC00M2M2LThjNjAtYjc3NjNjNTEwYmZl' | base64 -d

Using Python:
python3 -c "import base64; print(base64.b64decode('MDk2OTExOWMtNTgyMC00M2M2LThjNjAtYjc3NjNjNTEwYmZl').decode())"

Using Online Tool:
Visit https://www.base64decode.org/ and paste the encoded string. Fine for a lab; in a real case, do not paste evidence into third-party web tools.

Using CyberChef:
https://gchq.github.io/CyberChef/ with the From Base64 recipe (CyberChef runs entirely in the browser, so nothing is uploaded)

The decoded output is the investigation case flag, a UUID in 8-4-4-4-12 hex form. If the output is not a well-formed UUID, or the decoder complains about invalid input, re-copy the header value: a dropped or extra character at the end is the usual cause.
🔍 Step 6: Verify Additional Evidence

Optionally decode other evidence for learning:

Decode X-Evidence-Hash:
echo 'YTJmNGU4ZDktZjNhYi00NzExLWI4ZTMtMWE5YzQyZDc2ZTk4' | base64 -d

This reveals another UUID that could be used for evidence tracking in a real investigation.
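Steps 1 to 6 as one script, added here as an example for this walkthrough (it is not the lab's own solution code). It parses the .eml with Python's standard email module, walks the Received chain bottom-up, collects the header- and body-level indicators from Steps 2 and 3, and strictly decodes X-Case-Flag and X-Evidence-Hash. The embedded SAMPLE_EML is constructed from the header values the walkthrough quotes; the upper Received hop, the Return-Path, the timestamps, the 5.0 spam threshold and the HTML body are assumptions, not taken from the challenge file.

```python
"""Triage an .eml without rendering it: walk the Received chain, collect header- and
body-level phishing indicators, decode X-Case-Flag / X-Evidence-Hash. Added example
for this walkthrough, not the lab's solution script. SAMPLE_EML is built from header
values the walkthrough quotes; upper hop, Return-Path, timestamps, body are assumed."""
import base64
import re
import uuid
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

SAMPLE_EML = b"""\
Return-Path: <bounce@suspicious-server.example.org>
Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby inbound.example.net with ESMTP; Fri, 3 Oct 2025 10:00:02 +0000
Received: from suspicious-server.example.org (198.51.100.42)
\tby mx.example.net with ESMTP; Fri, 3 Oct 2025 10:00:00 +0000
From: PayPal Security <security@paypal.com>
X-Originating-IP: 198.51.100.42
X-Mailer: PhishKit v2.3
X-Spam-Score: 8.5
X-Evidence-Hash: YTJmNGU4ZDktZjNhYi00NzExLWI4ZTMtMWE5YzQyZDc2ZTk4
X-Case-Flag: MDk2OTExOWMtNTgyMC00M2M2LThjNjAtYjc3NjNjNTEwYmZl
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Valued Customer,</p>
<p>Urgent action required: verify your account now or it will be suspended.</p>
<p><a href="http://paypal-verify.suspicious-server.example.org/login">Verify now</a></p>
<img src="http://suspicious-server.example.org/track.php?id=user12345" width="1" height="1">
</body></html>
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_eml(raw: bytes):
    """Parse RFC 5322 bytes; nothing is rendered and no URL is fetched."""
    return BytesParser(policy=policy.default).parsebytes(raw)

def received_chain(msg):
    """Hops in travel order (bottom Received line first): the name the sender gave
    in HELO ('from'), the IP the receiving MTA saw, and that MTA ('by'). Only lines
    written by MTAs you trust are evidence; anything below them can be forged."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())  # unfold the header
        m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        ip = IPV4.search(m_from.group(2) or "") if m_from else None
        hops.append({"from": m_from.group(1) if m_from else None,
                     "ip": ip.group(0) if ip else None, "by": m_by.group(1) if m_by else None})
    return hops

def _domain(addr):
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""

def _under(host, domain):  # host is the domain itself or a subdomain of it
    return host == domain or host.endswith("." + domain)

def header_indicators(msg, spam_threshold=5.0):
    """Header-level red flags; spam_threshold is an assumption (SpamAssassin default)."""
    flags, hops = [], received_chain(msg)
    from_dom, env_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    origin = (hops[0]["from"] or "").lower() if hops else ""
    if origin and from_dom and not _under(origin, from_dom):
        flags.append(f"sender domain mismatch: From claims {from_dom}, first hop is {origin}")
    if env_dom and from_dom and not _under(env_dom, from_dom):
        flags.append(f"Return-Path domain {env_dom} differs from From domain {from_dom}")
    if msg.get("X-Mailer"):
        flags.append(f"X-Mailer fingerprint: {msg['X-Mailer']}")
    score = str(msg.get("X-Spam-Score", "")).strip()
    if re.fullmatch(r"-?\d+(?:\.\d+)?", score) and float(score) >= spam_threshold:
        flags.append(f"spam score {score} >= {spam_threshold}")
    return flags

def body_indicators(msg, claimed_domain="paypal.com"):
    """Brand name in a link host outside the brand's domain; 1x1 images with a query."""
    part = msg.get_body(preferencelist=("html", "plain"))
    html, flags = (part.get_content() if part else ""), []
    brand = claimed_domain.split(".")[0]
    for url in re.findall(r'href="([^"]+)"', html, re.I):
        host = (urlparse(url).hostname or "").lower()
        if brand in host and not _under(host, claimed_domain):
            flags.append(f"lookalike link host: {host}")
    for tag in re.findall(r"<img[^>]*>", html, re.I):
        src = re.search(r'src="([^"]+)"', tag, re.I)
        if src and "?" in src.group(1) and re.search(r'width="1".*height="1"', tag):
            flags.append("tracking pixel: " + src.group(1))
    return flags

def decode_b64_header(msg, name):
    """Strict Base64 decode: validate=True rejects stray characters from a bad paste."""
    value = msg.get(name)
    return base64.b64decode(str(value).strip(), validate=True).decode() if value else None

def case_flag(msg):
    """X-Case-Flag payload, checked to be the UUID the walkthrough says it is."""
    flag = decode_b64_header(msg, "X-Case-Flag")
    return str(uuid.UUID(flag)) if flag else None
```

To run it on the real download, replace SAMPLE_EML with open("suspicious-email.eml", "rb").read() and call received_chain, header_indicators, body_indicators and case_flag on the parsed message. The script never fetches a URL or renders HTML, so it is safe on live phishing samples; the route list makes the trust boundary explicit, since only hops "by" your own servers count as evidence.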
📚 Key Learning Points
  • Email Header Structure: Understanding Received, From, Return-Path, and custom headers
  • Spoofing Detection: From addresses can be forged. Cross-check the Received chain, Return-Path and X-Originating-IP, and in real mail the Authentication-Results header (the SPF, DKIM and DMARC verdicts stamped by your own MTA)
  • Header Analysis Order: Read Received headers from bottom to top to trace the route; only lines written by servers you trust are reliable
  • Phishing Indicators: Urgent language, suspicious domains, mismatched senders, tracking pixels
  • Base64 Encoding: Common encoding for email headers (RFC 2047 encoded-words) and MIME content; it is encoding, not encryption, and hides nothing from an analyst
  • X-Headers: Custom headers can contain forensic metadata and tracking information
  • Email Forensics: Analyzing raw email files reveals evidence that email clients hide or never display
Real-World Application: SOC analysts use these techniques daily to investigate phishing campaigns, identify threat actors, track malicious infrastructure, and gather evidence for incident response. Email header analysis is essential for understanding attack vectors and attribution.