Analyze a sample phishing email to identify common warning signs, understand attacker techniques, and develop a defensive mindset against social engineering attacks.
| Tool | Purpose |
|---|---|
| Sample phishing email (.txt) | Primary analysis target |
| Raw email header file | Authentication & routing analysis |
| Manual URL inspection | Identifying deceptive links (without clicking) |
The email claims to be from the PayPal Security Team, warning about an unusual login attempt and pressuring the recipient to verify their account within 24 hours or face suspension.
The message contains:
- A suspicious sender address
- Urgent warning language
- A verification link
- A PDF attachment requesting sensitive data
Fake: security-alert@paypa1-verification.com
Legitimate: @paypal.com
The number 1 replaces the letter l in "paypal", a classic typosquatting trick designed to fool users who glance quickly.
| Check | Result | Meaning |
|---|---|---|
| SPF | Fail | Sender not authorized by domain |
| DKIM | None | No cryptographic signature |
| DMARC | Fail | Domain policy violated |
All three authentication mechanisms failed, a strong indicator of email spoofing.
The email originated from an IP unrelated to PayPal's mail infrastructure, further confirming the sender is not who they claim to be.
`Reply-To: support@secure-check-login.ru`
Completely different domain from the claimed sender; replies would go directly to the attacker.
`https://www.paypal.com.security-check-user-verification.ru/login`
The actual domain is security-check-user-verification.ru, not PayPal.
Attackers place the trusted brand name as a subdomain to mislead users.
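As an added example (not part of the original task files or the internship materials), the header and link checks above expressed as a small Python script: it parses a constructed message that mirrors this email's sender, Reply-To, Authentication-Results verdicts and link, flags the digit-for-letter lookalike sender, the From/Reply-To domain mismatch and the failed SPF/DKIM/DMARC checks, and judges the link by its registrable domain rather than by the brand name placed in the subdomain. The sample headers, the hypothetical mx.example.com verifier and the two-label domain rule are assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse
# Constructed sample mirroring the headers and link described in this write-up.
RAW_EMAIL = """\
From: PayPal Security Team <security-alert@paypa1-verification.com>
Reply-To: support@secure-check-login.ru
Subject: Immediate action required: verify within 24 hours
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=paypa1-verification.com; dkim=none; dmarc=fail header.from=paypa1-verification.com

Verify at https://www.paypal.com.security-check-user-verification.ru/login
"""
TRUSTED = "paypal.com"

def auth_results(msg):
    """Map spf/dkim/dmarc to their verdicts from Authentication-Results (authserv-id dropped)."""
    out = {}
    for clause in msg.get("Authentication-Results", "").split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def registrable_domain(host):
    """Rightmost two labels (deliberately naive; real code consults the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])
def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = msg["From"].addresses[0].domain.lower()
    reply_dom = msg["Reply-To"].addresses[0].domain.lower() if msg["Reply-To"] else from_dom
    # Sender is not the brand; check whether it is a digit-for-letter lookalike (1 for l, 0 for o)
    if registrable_domain(from_dom) != TRUSTED:
        unmasked = from_dom.replace("1", "l").replace("0", "o")
        findings.append("lookalike-sender" if TRUSTED.split(".")[0] in unmasked else "foreign-sender")
    # Replies would be routed to a domain other than the visible sender's
    if registrable_domain(reply_dom) != registrable_domain(from_dom):
        findings.append("reply-to-mismatch")
    # Any SPF/DKIM/DMARC verdict other than pass is reported
    for check, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{check}-{verdict}")
    # Links: judge the registrable domain, not a brand name placed in the subdomain
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://\S+", body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != TRUSTED:
            findings.append(f"deceptive-link:{registrable_domain(host)}")
    return findings
```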
The email uses fear-based language to rush the victim:
- "Immediate action required"
- "Verify within 24 hours"
- "Account will be suspended"
Phishing often relies more on psychological manipulation than technical sophistication.
This is a credential phishing attack. The goal is to redirect users to a fake login page or collect financial details via the attached form.
If successful, the attacker could:
- Gain unauthorized account access
- Perform fraudulent transactions
- Steal personal and financial information
All screenshots are in the /screenshots folder:
| File | Description |
|---|---|
| 01_phishing_email.png | Full phishing email view |
| 02_sender_address.png | Spoofed sender domain closeup |
| 03_email_header.png | Raw header with SPF/DKIM/DMARC failures |
| 04_suspicious_url.png | Deceptive link breakdown |
- How to read and interpret raw email headers
- What SPF, DKIM, and DMARC are and why they matter
- How typosquatting and subdomain tricks work
- Why urgency is one of the most effective phishing weapons
- How to safely inspect URLs without clicking them
```
Cybersecurity-Internship-Task-2/
├── README.md
├── phishing_email_sample.txt
├── email_header.txt
└── screenshots/
    ├── 01_phishing_email.png
    ├── 02_sender_address.png
    ├── 03_email_header.png
    └── 04_suspicious_url.png
```
This analysis was performed on a sample phishing email for educational purposes only as part of the Elevate Labs Cybersecurity Internship.