Readers submit all kinds of malware to the Internet Storm Center: executables, documents, emails, ...

This week I took a look at a phishing email submitted by a reader. Going through the headers, I spotted the following:

X-PHISHING-TEST: This is a phishing awareness test conducted by $COMPANY
X-PHISHING-ID: 123456

I've seen similar headers before: they are used in emails designed to raise security awareness in a company. This email here simulates a phishing email, and these headers are added to flag the email as an awareness exercise, and they are also used to track individual emails.

Headers like these are a bit like the evil bit: there's nothing to guarantee their authenticity ;-). Before informing our reader, I did a whois on the domain name of the phishing URL found inside the email body: it was registered by the same company mentioned in the header, and this is indeed a company specialized in security training and awareness. I took special care not to access the URL, as this could put our reader on a list of people who fell for the phishing attempt.

Thus I informed our reader that it was indeed a phishing email, albeit of a special kind: it was a phishing awareness exercise. Later, he confirmed our findings.

Didier Stevens
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com