SOC email triage: headers, SPF/DMARC, and CAB-to-RAR payload hash
Foundations DFIR engagement: analyzed a business-email-compromise lure — subject reference, spoofed From/Reply-To, originating IP ownership, DNS auth records, and a mislabeled CAB attachment whose true type was RAR with a confirmed SHA256.
- Case files
- SOC email triage: headers, SPF/DMARC, and CAB-to-RAR payload hash
Triaged a Mutawa Marine transfer lure: James Jackson From, divergent Reply-To, Hostwinds origin IP, Outlook SPF with quarantine DMARC, and a RAR disguised as CAB.
Extracted subject reference, From/Reply-To split, origin IP/ASN, SPF and DMARC for the Return-Path domain.
Saved CAB-named attachment; file(1) reported RAR; recorded SHA256 and size for IOC sharing.
Engagement summary
Triaged a Mutawa Marine transfer lure: James Jackson From, divergent Reply-To, Hostwinds origin IP, Outlook SPF with quarantine DMARC, and a RAR disguised as CAB.
THE GREENHOLT PHISH was a SOC analyst case: a single malicious message claiming a transfer reference 09674321. Header analysis established From as Mr. James Jackson <info@mutawamarine.com> while Reply-To redirected to info.mutawamarine@mail.com — classic reply diversion. Received headers exposed originating IP 192.119.71.157 (Hostwinds LLC). DNS checks on the Return-Path domain returned SPF v=spf1 include:spf.protection.outlook.com -all and DMARC p=quarantine. The attachment SWT_#09674321____PDF__.CAB was neither PDF nor CAB: magic/type inspection showed RAR; SHA256 2e91c533… and size ~400.26 KB documented for infra correlation. Operator briefing covers display-name trust, authentication alignment, and attachment extension lies.
Business impact
BEC and payload delivery succeed when staff trust From display names and open double-extension archives. Quarantine DMARC without enforcement still allows spoofed looks-alike mail to reach inboxes. Attachment sandboxes must ignore claimed MIME/extension and hash content.
Header and DNS authentication review
Extracted subject reference, From/Reply-To split, origin IP/ASN, SPF and DMARC for the Return-Path domain.
OPERATOR · EMAIL
savvy@lab:~$ grep -iE '^(Subject|From|Reply-To|Return-Path|Received):' greenholt.eml
Subject: ... Transfer Reference Number 09674321 From: Mr. James Jackson <info@mutawamarine.com> Reply-To: info.mutawamarine@mail.com Originating IP: 192.119.71.157
savvy@lab:~$ whois 192.119.71.157 | grep -i org
Hostwinds LLC
savvy@lab:~$ dig +short TXT mutawamarine.com | grep -i spf
v=spf1 include:spf.protection.outlook.com -all
savvy@lab:~$ dig +short TXT _dmarc.mutawamarine.com
v=DMARC1; p=quarantine; fo=1
Attachment type lie and hash documentation
Saved CAB-named attachment; file(1) reported RAR; recorded SHA256 and size for IOC sharing.
OPERATOR · MALWARE
savvy@lab:~$ file "SWT_#09674321____PDF__.CAB"
RAR archive data
savvy@lab:~$ sha256sum "SWT_#09674321____PDF__.CAB"
2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f
savvy@lab:~$ ls -lh "SWT_#09674321____PDF__.CAB"
400.26 KB
Remediation
Move DMARC to p=reject once legitimate senders align. Block or sandbox RAR/ISO/IMG from external mail. Train analysts to treat Reply-To mismatches and VPS origin IPs as high-severity phishing signals; publish hashes to EDR before users open archives.