These days each of us receives hundreds of malicious emails, whether at a company or as a private user. In the era of AI, a significant number of them arouse no suspicion at first glance, which can lead to a higher percentage of clicks on links or logins to malicious websites. So, aside from its content, how can you verify whether the email you received is malicious?
One of the simplest steps is to verify the domain of the address from which the email was sent. This can be checked without any tools: if the sender claims to be DHL, for example, we expect the address to belong to the DHL.PL or DHL.COM domain. If the sender claims to be InPost, it is obvious that the sender’s address should also come from the InPost.pl domain.
Some domains are immediately recognisable as inconsistent with the email content. Phishing emails are sometimes sent from compromised accounts, and in such cases we may see an address in the wp.pl or gmail.com domain. This should raise a red flag that the email is malicious, and clicking on any links or logging in should be avoided. After all, what company sends payment confirmations or payment links from an account on wp.pl? In such cases it is best to delete the email and forget about it.
When a domain consists of a string of random characters, we can confidently say that it is phishing. Another common trick used by attackers is an intentional typo in the domain name. One example involves Poczta Polska (the Polish Post): its correct domain name is poczta-polska.pl, but there have been cases where emails were sent from an address in a domain such as poczta–polska.pw. Of course, we cannot remember every URL that exists, even just in Poland, let alone worldwide; that is impossible.
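The checks above (official domain per brand, free-mail providers, random-looking names, lookalike spellings and swapped TLDs) can be scripted. The following is an added example, not code from this post; the brand allow-list and free-mail list are assumptions for the demo, and the dash folding handles the en dash seen in the poczta–polska.pw case.

```python
from email.utils import parseaddr

# Assumed allow-list of the domains each brand really sends from (demo only).
BRAND_DOMAINS = {"dhl": {"dhl.pl", "dhl.com"}, "inpost": {"inpost.pl"},
                 "poczta polska": {"poczta-polska.pl"}, "gimp": {"gimp.org"}}
# Free-mail providers: a company does not send payment links from these.
FREEMAIL = {"wp.pl", "gmail.com", "o2.pl", "onet.pl"}
# Lookalike dashes (en dash, em dash, non-breaking hyphen) folded to a plain hyphen.
DASHES = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2011": "-"})

def sender_domain(from_header: str) -> str:
    """Registrable domain (last two labels) of the address in a From: header value."""
    addr = parseaddr(from_header)[1].lower()
    labels = addr.rsplit("@", 1)[-1].split(".") if "@" in addr else []
    return ".".join(labels[-2:]).translate(DASHES)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squats such as gilimp vs gimp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_random(name: str) -> bool:
    """A long label with very few vowels (e.g. idcyfqfwda) looks machine-generated."""
    letters = [c for c in name if c.isalpha()]
    return len(letters) >= 8 and sum(c in "aeiou" for c in letters) / len(letters) < 0.25

def triage(from_header: str, claimed_brand: str) -> list[str]:
    """Return the reasons the sender domain does not fit the brand the mail claims."""
    dom = sender_domain(from_header)
    expected = BRAND_DOMAINS.get(claimed_brand.lower(), set())
    if dom in expected:
        return []  # sender matches an official domain: nothing to flag
    name, tld = dom.rsplit(".", 1) if "." in dom else (dom, "")
    reasons = [f"'{dom}' is not an official {claimed_brand} domain"]
    if dom in FREEMAIL:
        reasons.append("free-mail provider used for a company message")
    if looks_random(name):
        reasons.append("domain name looks like random characters")
    for good in sorted(expected):
        gname, gtld = good.rsplit(".", 1)
        if gname == name and gtld != tld:
            reasons.append(f"same name as {good} but under a different TLD (.{tld})")
        elif edit_distance(gname, name) <= 2:
            reasons.append(f"lookalike of {good}")
    return reasons
```

An empty list means the sender domain is an official one for the claimed brand; anything else lists why the address deserves a closer look before any link is clicked.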
That’s why services have been created to allow us to check such URLs or website addresses for threats. This way, we can easily assess whether the address from which we received an email is malicious or not.
Of course, these are only automated scripts, which also make mistakes and are not always able to check everything. For example, when a domain is new, they may not have enough information to correctly verify whether it is malicious or not. Therefore, we always have to treat these tools as an additional verification step and cannot trust them 100%.
One such tool is VirusTotal, which can be found at virustotal.com. It allows us to check both URLs and files. However, it is important to note that files we submit should not contain sensitive data, as premium account users can view and read their contents. Below I use one example containing the address from which I received a malicious email, and another with a domain that was not used for sending emails but hosted malicious software.
Example with the domain idcyfqfwda.ru: in the result, one of the vendors reports this address as SPAM. This can be a valuable clue for us.
Example with gilimp.org – this domain, at some point, appeared in Google as a sponsored advertisement and closely resembled the gimp.org website. The key difference was that the installer from gilimp.org, in addition to the graphic program, contained malicious code.
The second website is the service of Norton, one of the antivirus software manufacturers. It can be found at safeweb.norton.com.
The operating principle is very similar. You enter the domain from which the email address comes and click “Check.” The result is Norton’s rating of the site, which classifies it as safe or not safe.
Below, I provide examples of the same websites scanned with the safeweb tool.
Remember that when you have any doubts, do not click hastily, and do not fall for urgency from the attacker. ALWAYS verify the sender’s address.
I will soon prepare a post describing how to check whether a message is malicious or not, in addition to verifying the sender’s addresses.