
Suspicious Email Artifacts (Email / Web / File)

Goal

Collect the key artifacts from a suspicious email (without clicking links or opening attachments) so you can report, block, or escalate with evidence.

Quick Workflow

  1. In the mail client: note From, Subject, Date, and attachment name, and copy the real link target (hover / "Copy link address"), not the displayed link text, which can show a different domain.
  2. Save/export the message as .eml and open it in a text editor (the .eml keeps the full headers the client hides).
  3. In the .eml: capture From:, To:, Subject:, Date:.
  4. Find the sender IP: X-Sender-IP: if the receiving provider adds it; otherwise read the Received: lines bottom-up (the lowest one is the earliest hop) and take the first IP that is not your own infrastructure → do reverse DNS / WHOIS.
  5. Search for http / https in the body → record the full URL (scheme + domain + path) and the bare domain.
  6. Save the attachment to disk without opening it → record file name, file size and hashes (SHA256 first; MD5/SHA1 only if a tool or report asks for them).
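The same workflow (steps 2 to 6) as a script, so the artifacts come out as structured data instead of copy-paste. This is an added example, not code from the original page; it uses only the Python standard library. SAMPLE_EML is a constructed message: the addresses use reserved example domains, the IPs are from documentation ranges, and the "PDF" is a harmless stub. It never opens the attachment, it only hashes the decoded bytes. X-Sender-IP is treated as a non-standard, provider-added header, with the earliest Received: hop as the fallback.

```python
"""Triage a suspicious .eml: headers, sender IP, real URLs, attachment hashes.
Added example (not part of the original page); standard library only."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed sample, not a real email. IPs are RFC 5737 documentation addresses.
# The visible link text shows one host while the href points somewhere else.
SAMPLE_EML = b"""Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.victim.example (Postfix) with ESMTPS id 4F2
\tfor <finance@victim.example>; Mon, 03 Jun 2024 09:12:01 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx.example.net with ESMTP; Mon, 03 Jun 2024 09:11:58 +0000
X-Sender-IP: 203.0.113.45
From: "Tax Office" <refunds@example.org>
To: finance@victim.example
Subject: Tax refund 1,250.00GBP waiting
Date: Mon, 03 Jun 2024 09:11:50 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY1"

--BOUNDARY1
Content-Type: text/html; charset="utf-8"

<html><body>Dear tax payer,<br>
Claim here: <a href="http://login-example.test/refund?id=42">https://www.gov.example/refund</a>
</body></html>
--BOUNDARY1
Content-Type: application/pdf; name="terms.pdf"
Content-Disposition: attachment; filename="terms.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJSBub3QgYSByZWFsIFBERgo=
--BOUNDARY1--
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def hash_bytes(data: bytes) -> dict:
    """SHA256 is the one to block/hunt on; MD5 and SHA1 only for legacy tooling."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("sha256", "md5", "sha1")}


def received_chain(msg: EmailMessage) -> list:
    """Received: headers in stored order (newest hop first), whitespace-normalised."""
    return [re.sub(r"\s+", " ", str(h)).strip() for h in msg.get_all("Received", [])]


def extract_sender_ip(msg: EmailMessage):
    """Prefer X-Sender-IP (non-standard, added by some providers); otherwise the
    first bracketed IPv4 in the earliest hop, i.e. the last Received: header."""
    xsip = msg.get("X-Sender-IP")
    if xsip:
        return str(xsip).strip()
    chain = received_chain(msg)
    found = IPV4_IN_BRACKETS.findall(chain[-1]) if chain else []
    return found[0] if found else None


def extract_urls(msg: EmailMessage) -> list:
    """Return real href targets; flag anchors whose visible text names another host."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    text = body.get_content()
    results, seen = [], set()
    for href, link_text in ANCHOR_RE.findall(text):
        shown = re.sub(r"<[^>]+>", "", link_text).strip()
        shown_host = urlsplit(shown).hostname if shown.lower().startswith("http") else None
        real_host = urlsplit(href).hostname
        results.append({"url": href, "domain": real_host, "link_text": shown,
                        "mismatch": shown_host is not None and shown_host != real_host})
        seen.update({href, shown})
    for url in URL_RE.findall(re.sub(r"<[^>]+>", " ", text)):  # bare URLs outside anchors
        if url not in seen:
            results.append({"url": url, "domain": urlsplit(url).hostname,
                            "link_text": None, "mismatch": False})
            seen.add(url)
    return results


def extract_attachments(msg: EmailMessage) -> list:
    """Hash the decoded payload in memory; nothing is written to disk or opened."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append({"filename": part.get_filename(), "content_type": part.get_content_type(),
                    "size": len(data), **hash_bytes(data)})
    return out


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "headers": {h: str(msg[h]) for h in ("From", "To", "Subject", "Date") if msg[h] is not None},
        "sender_ip": extract_sender_ip(msg),
        "received": received_chain(msg),
        "urls": extract_urls(msg),
        "attachments": extract_attachments(msg),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EML), indent=2))  # paste this into the ticket
```

Run it against an exported message with `triage(open("suspicious.eml", "rb").read())`. The reverse DNS and WHOIS steps are deliberately left to the commands in the next section, so the script stays offline and does not touch attacker infrastructure from your workstation.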

Key Commands

Task                            | Windows Command                              | Linux Equivalent                                   | What to Look For
--------------------------------|----------------------------------------------|----------------------------------------------------|------------------------------------------------
Reverse DNS (PTR) for sender IP | nslookup 40.92.90.99                         | dig -x 40.92.90.99 +short  or  host 40.92.90.99    | Hostname/owner clue (e.g., ends in outlook.com)
WHOIS IP ownership              | Use a web WHOIS tool (DomainTools/ARIN/RIPE) | whois 40.92.90.99                                  | Org name / ASN / netblock
SHA256 hash of attachment       | Get-FileHash .\terms.pdf  (SHA256 is the default) | sha256sum terms.pdf                           | SHA256 to search/block/report
MD5 hash (optional)             | Get-FileHash .\terms.pdf -Algorithm MD5      | md5sum terms.pdf                                   | Legacy hash (sometimes requested)
SHA1 hash (optional)            | Get-FileHash .\terms.pdf -Algorithm SHA1     | sha1sum terms.pdf                                  | Legacy hash (sometimes requested)
Alt hashing (if PS blocked)     | certutil -hashfile .\terms.pdf SHA256        | sha256sum terms.pdf                                | Same SHA256 goal

Quick Examples

# Windows (PowerShell): hash the attachment (DO NOT open it); Get-FileHash defaults to SHA256
Get-FileHash .\terms.pdf
Get-FileHash .\terms.pdf -Algorithm MD5; Get-FileHash .\terms.pdf -Algorithm SHA1
# Windows: reverse DNS (PTR) for the sender IP
nslookup 40.92.90.99
# Linux equivalents
sha256sum terms.pdf
dig -x 40.92.90.99 +short

What to Check

  • Email red flags: generic greeting (“tax payer”), odd currency formatting (e.g., “1,250.00GBP”), a footer that does not match the claimed sender, poor styling.
  • In .eml headers: From:, To:, Subject:, Date:, X-Sender-IP: (non-standard; only some providers add it), otherwise the sender IP from the earliest Received: line (read bottom-up).
  • URLs: the full href target (scheme + domain + path), not the displayed text; a visible link that shows one domain while the target points to another is itself a red flag.
  • Attachment: file name + file size + hashes (SHA256 first; MD5/SHA1 are collision-prone and only worth recording when a tool asks for them).

What to Do Next

  • If the URL/domain looks suspicious: report/escalate and block it (email and web filtering), then search for other messages carrying the same URL or domain.
  • If the attachment hash is suspicious or unknown: escalate the hashes (and the file, via your approved process), then hunt in EDR for that SHA256.
  • If the sender IP maps to a major provider (e.g., a PTR ending in outlook.com): treat it as “sent via that provider,” not “safe”; the account may be free or compromised, so still escalate with the URL + hashes.