Threat Intel

One Phishing Header, a Dozen OSINT Pivots

A single `Received` header is more than a log entry; it's the first thread to pull that can unravel an entire threat actor's infrastructure.

MailSleuth Research
Email Security Team
May 17, 2026 · 7 min read

You’re staring at a wall of text. Buried ten layers deep in an email’s source is a single, unassuming line: a `Received` header from an IP you don’t recognize. Most people see a routing artifact. A seasoned analyst sees a breadcrumb. This isn't just about confirming a single email is malicious; it’s about mapping the entire campaign behind it.

This is where the real work begins. We move beyond simply blocking one sender or one domain. We start hunting the operator. By treating that single header as the starting point for a chain of open-source intelligence (OSINT) pivots, we can transform one reactive alert into a proactive intelligence win, identifying infrastructure the attacker hasn't even used yet.

Forget the idea that email headers are just for deliverability geeks arguing about RFC 7208. For us, they are the crime scene. And we're about to dust for prints.

The First Hop: IP, ASN, and Geopolitics

Every investigation starts somewhere. With email, your most reliable starting point is the network path. Ignore the `From` address for a moment; it is trivial to spoof. Instead, find the `Received` header that your own edge mail server added when it accepted the connection from the first server outside your control. That header records the connecting IP address, the true origin of the email's journey towards your mail exchanger. Unlike the headers beneath it, which the sender's own servers wrote and can fabricate freely, this one was written by a machine you run.

Received: from mail.some-shady-vps.com (HELO mail.some-shady-vps.com) ([198.51.100.55]) by mta-inbound.customer.com with ESMTP; 24 Oct 2023 15:02:10 +0000

That IP address, `198.51.100.55`, is your first pivot. A quick `whois` lookup is step one, but don't stop there. What you really want is the Autonomous System Number (ASN). The ASN tells you who owns that block of IP space. It's the difference between seeing a single address and seeing the entire digital neighborhood it lives in.
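Picking that header out of a raw message, as an added example (not code from the article or from MailSleuth): walk the `Received` chain newest-first, stop at the first hop whose `by` host is not one of our own MTAs, and return the first non-internal address recorded along the way. The sample message, the `customer.com` MTA names and the internal ranges are constructed for the example.

```python
import ipaddress
import re
from email import message_from_bytes
from email.policy import default
from typing import Optional

# Constructed sample message (not from the article): two hops added by MTAs we run
# (customer.com), then a hop the attacker's own server added, which is forgeable.
RAW_MESSAGE = b"""\
Received: from mta-inbound.customer.com (mta-inbound.customer.com [10.0.0.5])
 by mailbox.customer.com with ESMTP; Tue, 24 Oct 2023 15:02:12 +0000
Received: from mail.some-shady-vps.com (HELO mail.some-shady-vps.com) ([198.51.100.55])
 by mta-inbound.customer.com with ESMTP; 24 Oct 2023 15:02:10 +0000
Received: from localhost (localhost [127.0.0.1])
 by mail.some-shady-vps.com (Postfix) with ESMTP id 4f2a; 24 Oct 2023 15:02:09 +0000
From: "HR Department" <hr@yourbank-secure.com>

"""

TRUSTED_SUFFIXES = ("customer.com",)   # assumed: hostnames of the MTAs we operate
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")   # the [addr] the receiving MTA recorded
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

def is_trusted(host: str) -> bool:
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in TRUSTED_SUFFIXES)

def first_untrusted_ip(raw: bytes) -> Optional[str]:
    """Newest-first walk: return the non-internal IP recorded by the last hop one of
    our own MTAs added. Stop at the first 'by' host that is not ours, because every
    header below it was written by a server the sender controls."""
    msg = message_from_bytes(raw, policy=default)
    for received in msg.get_all("Received", []):
        text = " ".join(str(received).split())          # unfold continuation lines
        by = BY_HOST.search(text)
        if not by or not is_trusted(by.group(1)):
            break
        if not (m := IP_LITERAL.search(text)):
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL_NETS):  # skip our own internal relays
            return str(ip)
    return None
```

Calling `first_untrusted_ip(RAW_MESSAGE)` yields `198.51.100.55`; a message whose only `Received` headers were added by hosts outside `TRUSTED_SUFFIXES` yields `None`, which is the right answer when there is nothing you can trust.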

From IP to Neighborhood Profile

Is the ASN a major cloud provider like AWS, Google Cloud, or DigitalOcean? That suggests a low-sophistication actor spinning up a cheap virtual private server (VPS). Is it a residential ISP in Eastern Europe? You might be looking at a compromised home router or a node in a botnet. Is it a 'bulletproof' hosting provider known for ignoring abuse complaints? Now you're dealing with a more professional operation. The ASN provides immediate context about your adversary's capabilities and operational security.

This context is operationally critical. An IP on a large, shared cloud provider's ASN means blocking that single IP is about as far as you can go: the rest of the range belongs to legitimate tenants. An IP from a shady, dedicated ASN might justify blocking the entire range as a smarter, more proactive move. The ASN helps you make that call.

The Domain Game: Registrars and Nameservers

Once you've profiled the network, turn to the domains. I'm not talking about the display `From` domain, but the domains used in the `Return-Path`, the DKIM signature (`d=`), or—most importantly—the links in the email body. These are the attacker's actual, registered assets.

Years ago, a WHOIS query would give you the threat actor's name, address, and phone number. Those days are gone thanks to GDPR and privacy services. But a redacted WHOIS record is not a dead end. It’s a filter. It forces you to focus on the metadata that can't be hidden.

Pivoting Beyond Privacy Guard

Three fields remain invaluable: the registrar, the creation date, and the nameservers. Threat actors are creatures of habit and thrift. They often use the same registrar for all their domains (e.g., Namecheap, Porkbun, NameSilo) because it's familiar or cheap. They often register domains in batches, so if you find one phish domain created on October 24th, searching for other domains with similar patterns created on the same day can reveal their entire stock.

The nameserver pivot is especially powerful. If `evil-phish1.com` uses `ns1.cheap-dns.net` and `ns2.cheap-dns.net`, a reverse nameserver lookup can show you every other domain using that same pair. Since most legitimate businesses use their own vanity nameservers or their registrar's default, a shared, third-party DNS provider is a strong indicator that the domains might be related. You can suddenly cluster dozens of domains together based on this single data point.

The Glass House of Certificate Transparency

Modern phishing requires HTTPS. Attackers know that users have been trained to 'look for the lock icon,' so they provision TLS certificates for their malicious domains. In doing so, they give us one of the highest-fidelity pivots available: Certificate Transparency (CT) logs.

Browser root programs require every publicly trusted Certificate Authority (CA) to publish each certificate it issues to public, append-only logs. This means we can search for certificates issued for any domain and inspect their contents. It's a goldmine.

Certificate:
    Subject: CN = yourbank-secure.com
    X509v3 Subject Alternative Name:
        DNS:yourbank-secure.com, DNS:portal.yourbank-secure.com, DNS:another-phish.net

Imagine finding a cert for a known phishing domain. By inspecting its Subject Alternative Name (SAN) fields, you might find other domains the attacker bundled into the same certificate request. In the example above, an investigation into `yourbank-secure.com` immediately exposes `another-phish.net`—infrastructure the actor might not have even used yet. You can also pivot on other certificate attributes, like the Organization (O) field or even the public key material, to find related certs and domains.

Rewinding Time with Passive DNS

Infrastructure is not static. IP addresses change. Domains get sinkholed. An indicator that is active today might be gone tomorrow. Passive DNS (pDNS) is your time machine, providing the historical context to connect past and present activity.

Unlike live DNS, which gives you the current answer, pDNS databases are vast archives of historical DNS resolutions collected from sensors across the internet. You can query an IP address and see every domain known to have resolved to it over years. You can query a domain and see every IP it has ever used.

This is how you bridge investigative gaps. Say your phishing email came from the IP `198.51.100.55`. A pDNS lookup on that IP reveals that three months ago, it was used by a domain associated with a Cobalt Strike C2 server. Suddenly, your 'simple' credential phish looks like a potential precursor to a ransomware attack. It connects disparate campaigns by revealing their shared network infrastructure over time, proving that no indicator exists in a vacuum.

Putting It All Together: From Artifact to Actor Profile

These techniques don't exist in isolation. Their power comes from chaining them together in a logical workflow. Let’s walk it through.

You start with a single phishing email. The first untrusted `Received` header points to IP `203.0.113.10`. A `whois` lookup shows it belongs to a VPS provider in the Netherlands. Not a smoking gun, but a start.

Pivot one: You run this IP through a pDNS database. It returns five domains that have resolved to it in the past month. Four are garbage, but one, `corp-benefits-login.com`, matches the theme of your phish. Now you have a domain.

Pivot two: You check the CT logs for `corp-benefits-login.com`. You find a certificate issued three days ago. The cert's SAN field also includes `hr-portal-sso.com` and `it-support-tickets.com`. You’ve just uncovered two more domains, likely for future campaigns.

Pivot three: A WHOIS query on these new domains shows they were all registered via Namecheap on the same day. Using a WHOIS history tool, you search for other domains registered at Namecheap on that day containing the words 'corp', 'portal', or 'login'. You get ten more suspicious hits.

In minutes, you went from one IP address in a single email header to a list of over a dozen domains representing the actor's current and upcoming infrastructure. You've mapped out their operational playbook. This isn't just blocking; it's intelligence.
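The three pivots above, together with the nameserver and SAN pivots from earlier sections, as an added example (not code from the article or from MailSleuth): a small union-find that links domains which share a third-party nameserver pair, appear in the same certificate's SAN list, or were registered at the same registrar on the same day and carry one of the walkthrough's theme words. The enrichment records are constructed, and the registrar-default nameserver names are placeholders.

```python
from collections import defaultdict

THEME_WORDS = ("corp", "portal", "login")   # the keyword filter from pivot three
# Assumed registrar-default nameservers: thousands of unrelated domains share them, so they are not a pivot.
DEFAULT_NS = {"dns1.registrar-default.example", "dns2.registrar-default.example"}
CHEAP_NS = {"ns1.cheap-dns.net", "ns2.cheap-dns.net"}   # a third-party DNS provider, as in the article

def rec(ns, registrar, created, san=()):
    return {"ns": set(ns), "registrar": registrar, "created": created, "san": set(san)}

# Constructed enrichment results (nameservers, WHOIS registrar/date, CT SAN entries), not real lookups.
RECORDS = {
    "corp-benefits-login.com": rec(CHEAP_NS, "Namecheap", "2023-10-24",
                                   ["corp-benefits-login.com", "hr-portal-sso.com", "it-support-tickets.com"]),
    "hr-portal-sso.com": rec(CHEAP_NS, "Namecheap", "2023-10-24"),
    "it-support-tickets.com": rec(DEFAULT_NS, "Namecheap", "2023-10-24"),
    "another-phish.net": rec(CHEAP_NS, "Porkbun", "2023-09-01"),
    "example-bakery.com": rec(DEFAULT_NS, "Namecheap", "2023-10-24"),  # same registrar and day, unrelated
    "legit-corp.com": rec(["ns1.legit-corp.com", "ns2.legit-corp.com"], "CorporateRegistrar", "2005-01-10"),
}

def pivot_keys(domain, r):
    """Keys two domains must share to be linked; weak pivots are gated the way the article does."""
    ns = frozenset(r["ns"])
    if not ns <= DEFAULT_NS and not all(n.endswith("." + domain) for n in ns):
        yield ("ns", ns)                                       # shared third-party nameserver pair
    yield ("san", domain)                                      # the domain itself ...
    for d in r["san"]:
        yield ("san", d)                                       # ... and every name bundled in its cert
    if any(w in domain for w in THEME_WORDS):
        yield ("registrar-day", r["registrar"], r["created"])  # same registrar, same day, on-theme name

def related_to(seed, records):
    """Union-find over shared pivot keys; returns the cluster containing `seed`."""
    parent = {d: d for d in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    by_key = defaultdict(list)
    for d, r in records.items():
        for key in pivot_keys(d, r):
            by_key[key].append(d)
    for members in by_key.values():
        for d in members[1:]:
            parent[find(d)] = find(members[0])
    return {d for d in records if find(d) == find(seed)}
```

`related_to("corp-benefits-login.com", RECORDS)` returns the four phishing domains and leaves out both the bakery that merely shares a registrar and a day and the company on its own vanity nameservers, which is the kind of false-positive pruning you need before anything gets blocked.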

The takeaway

A single phishing alert is a data point. A cluster of related infrastructure is a profile. The goal of a modern security team isn't to play whack-a-mole with an endless stream of single indicators of compromise. It's to understand the adversary. By pulling on the threads exposed in something as simple as an email header, you move from defense to offense.

Stop thinking about that header as a log entry to be archived. Start treating it like the first clue in a much larger investigation. Having a platform that surfaces these crucial headers and automates some of the initial enrichment, like MailSleuth.AI, can be the difference between closing one ticket and dismantling an entire campaign.


We dissect phishing campaigns and email infrastructure so you don't have to.