Cyber Investigations for Beginners | Hunting Indicators With EZgmail

Ryan Foote
4 min read · Dec 4, 2020

If you’re an aspiring CTI analyst like me, you need every opportunity to practice and prove your skills. One of my favorite ways to practice is with spam messages in my personal inbox. With malicious emails hiding in your spam folder, you can pull indicators to launch an investigation. Of course, not all investigations will yield anything interesting… but sometimes you luck out and can learn about the threat actors sending you the messages, phishing techniques / kits, or malicious infrastructure.

To pull indicators from my Gmail inbox, I used the Gmail API. Interacting with potentially malicious emails comes with some risk: opening spam to see what’s inside can trigger content such as tracking images or scripts that beacon back to the threat actor to let them know you opened the message, as well as other malicious scripts and attachments. The Gmail API lets us grab information from an email (even downloading attachments) without ever opening the email in a client. To interact with the API, I used a Python library called “EZGmail” by Al Sweigart and a Jupyter notebook. The Jupyter notebook is helpful because it allows for standardized templates for investigations that can be shared across a team or reused across multiple investigations. This portability means even people with beginner Python skills can still use the notebook.

Over two separate blogs, I will investigate what looks like a spam campaign making false claims about keto to get me to click. I theorize that the spammer’s goal is to get me to sign up for a subscription trap for snake oil keto supplements. Let’s begin the investigation and find out!

Step .5) Define the investigation scope.

Before getting started with any investigation, the scope needs to be defined. This will keep the investigation focused, and once my objectives are met, I can re-evaluate and update my objectives accordingly. For the purpose of this article, I want to know more about the spam campaign targeting me (who are the spammers, what is their goal) and any important information about them that would allow me to add them to a block list.

Keto is great, but not THAT great…

Step 1) Set up the Jupyter notebook and install/import EZgmail. Run this cell and ensure you are logged in.

Step 2) Search for suspicious emails in your inbox.

The search string is where you can define parameters for the messages you’re looking to investigate. In this case, we know the “name” of the sender is “KetoFuel” and it is in my spam inbox.

Step 3) View the results.

We know we are dealing with two messages, but this output isn’t helpful.

Printing the search results returns just a snippet of each message. We need more than that. Using extremely simple Python, we can pull out indicators one by one. For the sake of brevity, I’ll just grab the information most relevant to the investigation.

Step 4) Grab the sender’s information and the message body.

The senders’ email addresses. Note that they aren’t using a common email provider (Hotmail, *.edu, etc.).
Both messages were the same, so I only included one to save space. Interesting that it’s in French…

The message body is interesting. It is asking me to click a URL, which would typically lead to a malicious website. The weird thing is, this is a legitimate URL. The only information we can pull from it is a base64-encoded string which contains (at least part of) an email address.

Hmm, it seems odd that there doesn’t seem to be any expected malicious content. Perhaps we aren’t seeing the whole picture…

Step 5) Pull MIME content.

Multipurpose Internet Mail Extensions (MIME) content allows emails to contain a ton of dynamic content, and can let them function almost like web pages. Let’s try extracting some and see what happens. To extract this, I will adapt part of a spam-grabbing script I wrote for a research project.

It returns the content of the message as a base64-encoded string. Putting the string into CyberChef gives the following output:

Aha! More interesting content!

We can now see the entirety of the email content, including the MIME parts and headers! We see something that makes a lot more sense: hyperlinks to the sketchy keto site. Upon downloading it and taking a closer look, it looks as though the Pinterest content from earlier is meant to be an “alternate” body: the text/plain part of a multipart/alternative message, which a mail client only shows when it cannot render the HTML part. So it is not the body a victim would see if they opened the message. CyberChef can further help us by pulling out URLs and email addresses.

Non-Pinterest URLs

With our indicators ready, we are finally ready to get into the investigation.

Ryan Foote

@IntelCorgi | Cyber threat intelligence analyst and independent researcher with an interest in malware and OSINT. Opinions are NOT those of my employer.