Trace the Phish: Pivoting from Email to DNS to Server IP

OSINT Level 2/5 ~3 min 2026-07-02

The challenge

A user reported this phishing email. Open the sources and correlate them: the email points to a domain, the domain has a DNS record, and a leaked config mentions the same host. Find the address where the phishing site actually runs and submit that IP.

What you will learn

  • Pivot across independent sources (email, WHOIS, DNS, paste) to build a picture
  • Read a phishing email's headers and link for the attacker's domain
  • Resolve a hostname to its A record and recognise it as the real infrastructure
  • Spot a freshly registered look-alike domain as a phishing indicator

Skills tested

  • OSINT pivoting
  • DNS and WHOIS reading
  • Phishing triage

Prerequisites

  • Basic understanding of email, domains, and DNS records
  • Awareness of phishing

How it works

Investigating a phishing report is an exercise in pivoting: no single artifact tells the whole story, so you connect independent sources until they point at the same thing. You start with what the victim received and follow it outward to the attacker's infrastructure.

The email is the entry point. Its display name impersonates IT, but the real signal is the link domain, acme-verify.co - a look-alike of the legitimate brand. The WHOIS corroborates the threat: the domain was registered only days ago and hides behind privacy, both hallmarks of a throwaway phishing domain. The decisive pivot is DNS: resolving the phishing hostname secure-login.acme-verify.co gives an A record, and that IP - 203.0.113.66 - is the actual machine serving the fake login page. The leaked kit config is independent confirmation: it lists the attacker's admin panel on the same IP.

The OSINT board presents each source as a card you open and read. The intel you want is not on any one card by itself; it emerges when the email's domain, the DNS A record, and the paste all line up on one address. That address is what a defender blocks at the firewall and reports to a takedown service.
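The pivot described above, written out as a small triage script. This is an added example, not part of the challenge page or its platform: the email, the DNS answer, the WHOIS creation date and the leaked kit config are all constructed sample data embedded inline (a real investigation would query DNS and WHOIS instead of reading dictionaries), and the function names are my own.

```python
import re
from datetime import date
from email import message_from_string

# Constructed sample artifacts standing in for the board's three cards.
PHISH_EMAIL = """From: "IT Support" <helpdesk@acme-verify.co>
To: user@example.com
Subject: Action required: verify your account
Content-Type: text/plain

Your password expires today. Verify here:
https://secure-login.acme-verify.co/login?u=user
"""
# Constructed DNS A answer and WHOIS creation date (a real run would query them).
DNS_A = {"secure-login.acme-verify.co": "203.0.113.66"}
WHOIS_CREATED = {"acme-verify.co": date(2026, 6, 29)}
# Constructed fragment of the leaked phishing-kit config.
KIT_CONFIG = "panel_url = http://203.0.113.66/admin\ndb_host = 127.0.0.1\n"

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FRESH_DOMAIN_DAYS = 30  # assumed threshold for "freshly registered"


def link_hosts(raw_email):
    """Hostnames of every URL in the body; the From display name is ignored on purpose."""
    body = message_from_string(raw_email).get_payload()
    return sorted(set(URL_RE.findall(body)))


def registered_domain(host):
    """Naive registrable-domain guess: the last two labels (adequate for .co here)."""
    return ".".join(host.split(".")[-2:])


def pivot(raw_email, today=date(2026, 7, 2)):
    """Correlate link host -> DNS A record -> leaked config; return one finding per host."""
    config_ips = set(IPV4_RE.findall(KIT_CONFIG))
    findings = []
    for host in link_hosts(raw_email):
        ip = DNS_A.get(host)
        if ip is None:  # unresolved host: nothing to pivot on
            continue
        age = (today - WHOIS_CREATED[registered_domain(host)]).days
        findings.append({"host": host, "ip": ip, "domain_age_days": age,
                         "fresh_domain": age < FRESH_DOMAIN_DAYS,
                         "in_leaked_config": ip in config_ips})
    return findings


def block_indicators(findings):
    """Domain and IP pairs a defender would push to the mail gateway and firewall."""
    return {(registered_domain(f["host"]), f["ip"]) for f in findings if f["in_leaked_config"]}
```

The answer is the IP on which the email's host, the A record and the config all agree, not the domain itself.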

Common mistakes

  • Submitting the domain instead of the IP. The question asks where the site runs - resolve the hostname to its A record.
  • Trusting the From display name. 'IT Support' is spoofable; the link domain is the evidence.
  • Reading one source in isolation. The answer comes from connecting the email's host, the DNS record, and the paste.
  • Ignoring the registration date. A domain created days ago is a strong phishing indicator worth noting.

How to protect yourself

Defensively, the recovered IP and domain feed directly into response: block them, hunt for other users who clicked, and submit a takedown. The freshly registered look-alike is the kind of indicator that newly-registered-domain detections and brand-monitoring catch early.

  • Block the malicious domain and IP at the mail gateway and firewall, and hunt logs for prior contact.
  • Monitor for newly registered look-alike domains of your brand.
  • Report phishing infrastructure to the hosting provider and a takedown service.

Full solution

Pro and Max members unlock the full step-by-step walkthrough.

Community stats

69 solves
90% success rate
M2F14M3 First blood