Investigating a suspicious email
Trace sender fingerprints, pivot on domains, and validate infrastructure trust signals.
Email investigation is one of the most common OSINT tasks for security professionals. Whether you're dealing with potential phishing, tracking down a threat actor, or verifying the legitimacy of a sender, understanding email headers and infrastructure is crucial.
This tutorial will guide you through analyzing email headers, checking sender reputation, investigating domains and IP addresses, and validating URLs and attachments.
By the end, you'll be able to quickly assess whether an email is legitimate or malicious, and trace its origins back through the internet infrastructure.
MXToolbox
Analyze email headers, check DNS records, and validate mail server configurations
URLScan.io
Scan and analyze suspicious URLs for malicious content and redirects
VirusTotal
Check files, URLs, and domains against multiple antivirus engines
Whois Lookup
Investigate domain registration information and ownership history
IPVoid
Check IP address reputation and detect malicious infrastructure
1. Extract the full email headers (Return-Path, Received, From, Reply-To, Authentication-Results) from the original message source. An inline forward drops the original headers, so ask for the message as an attachment or as an export of the raw source.
2. Identify the originating IP address and trace the email's path through the Received headers. Only the hops added by servers you know are reliable; everything below them was supplied by the sender and can be forged.
3. Check the reputation of the sender's domain and mail servers using MXToolbox and similar services.
4. Submit any URLs in the email to URLScan.io to detect redirects and malicious content, rather than opening them yourself.
5. If attachments are present, compute their file hashes and look the hashes up on VirusTotal. Look up the hash before uploading: submitting the file itself shares it with other VirusTotal users, which matters if it contains confidential data.
6. Investigate the domain registration details with a WHOIS lookup; a domain registered only days ago, or with privacy-protected contacts, deserves extra scrutiny.
7. Cross-reference the IP addresses and domains with threat intelligence databases such as IPVoid.
8. Document your findings and create a timeline of the email's journey.
Always read the 'Received' headers from bottom to top: each relay prepends its own, so the bottom one is closest to the sender and the top one was added by your own mail server. Trust only the hops added by servers you know; the ones below can be forged.
Look for mismatches between the 'From' display name and the actual email address, for example a display name that itself looks like an address at the impersonated company.
Check if the 'Reply-To' address differs from the 'From' address - a common sign that replies are being diverted to an attacker-controlled mailbox.
Use multiple URL scanners - some threats are only detected by specific services.
Pay attention to timestamp inconsistencies between Received headers; time should not run backwards as the message moves up the chain.
Compare the SPF, DKIM, and DMARC results in the Authentication-Results header, and remember that a pass only shows the mail came from the domain it claims - no help when that domain is an attacker-registered lookalike.
Check for unusual character encoding or obfuscation in URLs: percent-encoded hostnames, punycode ('xn--') domains, or credentials placed before an '@' in the URL.
Open potentially malicious attachments only inside a sandbox environment, never on your own workstation.
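The header checks from steps 1 and 2 and from the tips above, as an added example that is not part of the original tutorial and is not code from any of the tools listed. It uses only the Python standard library. The message, hostnames, addresses and IPs are constructed for illustration (documentation-range addresses), and the function names are assumptions of mine; it walks the Received chain bottom-up, pulls out the claimed originating IP, flags timestamps that run backwards, reads the SPF/DKIM/DMARC verdicts, and reports the From/Reply-To/Return-Path mismatches.

```python
import json
import re
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, not a real message: a lookalike-domain phish in which SPF
# and DMARC pass for the attacker-registered domain, the display name impersonates
# the bank, Reply-To diverts replies, and the bottom (sender-controlled) Received
# header is timestamped later than the hop above it.
SAMPLE = b"""\
Return-Path: <bounce@bank-example-verify.example.net>
Received: from mx1.example.org (mx1.example.org [198.51.100.7])
\tby inbound.example.org with ESMTPS id 4VxK1; Tue, 4 Jun 2024 10:15:32 +0000
Received: from relay.bank-example-verify.example.net (relay.bank-example-verify.example.net [203.0.113.45])
\tby mx1.example.org with ESMTPS id 4VxK0; Tue, 4 Jun 2024 10:15:30 +0000
Received: from [192.0.2.10] (unknown [192.0.2.10])
\tby relay.bank-example-verify.example.net with SMTP id 4VxJ9; Tue, 4 Jun 2024 10:20:00 +0000
Authentication-Results: inbound.example.org;
\tspf=pass smtp.mailfrom=bank-example-verify.example.net;
\tdkim=none;
\tdmarc=pass header.from=bank-example-verify.example.net
From: "security@bank.example.com" <alerts@bank-example-verify.example.net>
Reply-To: replies@freemail.example.org
To: victim@example.org
Subject: Action required: verify your account
Content-Type: text/plain; charset=utf-8

Please verify your account within 24 hours.
"""

def _norm(value):
    """Unfold a header by collapsing folding whitespace into single spaces."""
    return " ".join(str(value).split())

def _grp(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else ""

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def parse_message(raw):
    return message_from_bytes(raw)

def received_chain(msg):
    """Hops in transit order: relays prepend Received, so the last header is the first hop."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = _norm(raw)
        src, _, rest = value.partition(" by ")  # sender side / receiving side
        _, sep, date = value.rpartition(";")    # the relay's timestamp follows the last ';'
        when = None
        if sep:
            try:
                when = parsedate_to_datetime(date.strip())
            except (TypeError, ValueError):
                pass
        hops.append({"from": _grp(r"^from (\S+)", src),
                     "ip": _grp(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", src),
                     "by": _grp(r"^(\S+)", rest), "time": when})
    return hops

def originating_ip(msg):
    """IP from the lowest Received header: a claim, not a fact, unless a trusted server added it."""
    hops = received_chain(msg)
    return hops[0]["ip"] if hops else None

def timestamp_anomalies(hops):
    """Indexes of hops stamped earlier than the hop before them (time ran backwards)."""
    return [i for i in range(1, len(hops))
            if hops[i - 1]["time"] and hops[i]["time"]
            and hops[i]["time"] < hops[i - 1]["time"]]

def auth_results(msg):
    """spf/dkim/dmarc verdicts from the Authentication-Results header(s)."""
    out = {}
    for raw in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", _norm(raw), re.I):
            out[method.lower()] = verdict.lower()
    return out

def header_red_flags(msg):
    """(code, detail) pairs for the header mismatches described in the tips."""
    flags = []
    display, sender = parseaddr(_norm(msg.get("From", "")))
    from_dom = _domain(sender)
    if "@" in display and display.lower() != sender.lower():  # name looks like another address
        flags.append(("display-name-spoof", f"shows {display!r} but sent from {sender}"))
    _, reply_to = parseaddr(_norm(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_dom:
        flags.append(("reply-to-mismatch", f"replies diverted to {reply_to}"))
    _, return_path = parseaddr(_norm(msg.get("Return-Path", "")))
    if return_path and _domain(return_path) != from_dom:
        flags.append(("return-path-mismatch", f"bounces go to {return_path}"))
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            flags.append((f"{method}-{verdict}", f"{method} verdict is {verdict}"))
    return flags

if __name__ == "__main__":
    msg = parse_message(SAMPLE)
    hops = received_chain(msg)
    print(json.dumps({"originating_ip": originating_ip(msg), "hops": hops,
                      "timestamp_anomalies": timestamp_anomalies(hops),
                      "authentication": auth_results(msg),
                      "red_flags": header_red_flags(msg)}, indent=2, default=str))
```

Run it as-is to print the report for the constructed sample; to analyse a real message, read the raw source into `SAMPLE` instead. Note what the sample demonstrates: every authentication check that is present passes, because the attacker controls bank-example-verify.example.net, so the verdicts alone say nothing about legitimacy. The mismatches and the backwards timestamp are what give it away, and the originating IP comes from a header the sender wrote. Steps 3 to 7 are lookups against the external services listed above and are deliberately not part of this offline example.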
Share your own tips or learn from the community's experience
I've found that combining multiple reverse image search engines in parallel significantly improves results. Don't rely on just one!
Always document your methodology step-by-step. This helps with reproducibility and explaining your findings to others.