Last Updated: 2017-08-13 20:37:01 UTC
by Didier Stevens (Version: 1)
Readers submit all kinds of malware to the Internet Storm Center: executables, documents, emails, ...
This week I took a look at a phishing email submitted by a reader. Going through the headers, I spotted the following:
X-PHISHING-TEST: This is a phishing awareness test conducted by $COMPANY
I've seen similar headers before: they are used in emails designed to raise security awareness in a company. This email simulates a phishing email; the headers are added to flag it as an awareness exercise, and they are also used to track individual emails.
Headers like these are a bit like the evil bit: there's nothing to guarantee their authenticity ;-). Before informing our reader, I did a whois on the domain name of the phishing URL found inside the email body: it was registered by the same company mentioned in the header, and this is indeed a company specialized in security training and awareness. I took special care not to access the URL, as this could put our reader on a list of people who fell for the phishing attempt.
Thus I informed our reader that it was indeed a phishing email, albeit of a special kind: it was a phishing awareness exercise. Later, he confirmed our findings.
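The triage described above, as an added Python sketch (not code from the original diary): it collects headers that claim an awareness test, extracts the hosts of URLs in the body without ever requesting them, and accepts the claim only when the whois registrant of every host is the company the header names. The sample message, the header-name heuristic and the `registrant_of` lookup (fed from whois output the analyst obtained separately) are assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HINT_RE = re.compile(r"phish|awareness|simulat", re.I)  # heuristic header-name match

# Constructed sample message (not the email from the diary).
SAMPLE = (
    "From: it-support@mail.example\n"
    "Subject: Password expiry\n"
    "X-PHISHING-TEST: This is a phishing awareness test conducted by Example Awareness Ltd\n"
    "\n"
    "Your password expires today: http://login.portal-example.test/reset?id=123\n"
)

def host_of(url):
    try:
        return urlsplit(url).hostname
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return None

def triage(raw, registrant_of):
    """Parse only; the URLs in the body are never requested.
    registrant_of (hypothetical): callable mapping a host to the registrant
    organisation from whois output, or None when unknown or redacted."""
    msg = email.message_from_string(raw, policy=policy.default)
    claims = {k: str(v) for k, v in msg.items() if HINT_RE.search(k)}
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = sorted({host_of(u) for u in URL_RE.findall(text)} - {None})
    claimed = " ".join(claims.values()).lower()

    def backed(host):  # registrant must be the company the header names
        org = (registrant_of(host) or "").strip().lower()
        return bool(org) and org in claimed
    if not claims:
        verdict = "no-claim"
    elif hosts and all(backed(h) for h in hosts):
        verdict = "corroborated"
    else:
        verdict = "unverified-claim"  # the header alone proves nothing
    return {"claims": claims, "hosts": hosts, "verdict": verdict}

if __name__ == "__main__":
    whois = {"login.portal-example.test": "Example Awareness Ltd"}  # constructed
    print(triage(SAMPLE, whois.get))
```

An `unverified-claim` verdict only means the registration data did not back up the header; redacted whois records produce it too, so it calls for further checks rather than a conclusion.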