Checking Email

Email has been our primary means of communication in the digital age. It is modelled on conventional post, where a letter is written at one place (letterhead), packaged and sealed (signature), delivered via the postman (mail exchange), arrives at the recipient (postbox), and is finally opened and read (read).

However, likewise, there are malicious senders who can forge the mail contents and send you a malicious package, like 500 cockroaches in the sweetest happy-birthday wrapping, mailed to you on your birthday. Upon arrival, to prevent these roaches from infesting your place, you would want to inspect the contents by calling the real sender to verify the package. Otherwise, contact the police just in case it is a bomb or something. The rule is: never open a malicious package.

The pattern is the same for email. The only difference is that instead of roaches, you get viruses or malware. They are more sophisticated and complicated, and sometimes require expert tools to handle.

This section guides you on how to carefully and effectively inspect your email so that malicious threats do not get into your system.

CLARIFICATIONS: In this section, 3 ZORA agents demonstrate most of the examples. They are:

  1. "Cory" Galyna - acting as attacker / helpful co-worker.
  2. "Anastasia" Oksanochka - acting as victim.
  3. "Holloway" Chew Kean Ho - author of this page, who also shares the role of co-worker.

Step #1: Never Trust Your Email

Upon receiving an email, do not trust it, whether it is from a known or an unknown person, until you have completed the inspection. This is part of a zero trust policy, where trust is earned.

Step #2: Check Email Metadata

The next thing to do is to explicitly check the email metadata, just as you would for a mailed package. Metadata is the delivery information of the email/package, such as:

  Metadata Type        Email                                  Package
  -------------------  -------------------------------------  ------------------------------
  Name                 Recipient Name                         Recipient Name
  Location             Receiver Email Address (TO, CC, BCC)   Receiver Home/Office Address
  Sender Person        Sender Name                            Sender Name
  Sender Address       Sender Email Address (FROM)            Sender Return Address
  Sender Recognition   Digital Signature                      Insignia / seal

A lot of this metadata can be exploited, for both email and packages. Here are some case studies.

CASE I: Faking Receiver Name

One easy way is to fake the name the receiver sees. Holloway received an email that appears as follows in the webmail:

[Image: masked email to Holloway]

From its appearance, it looks like the sender is Anastasia. However, when Holloway carefully inspects the sender's email address, it shows that the email was actually sent from Cory.

[Image: checked sender email to Holloway]

In this kind of situation, Holloway will definitely not trust the email content. This is identity theft, which is punishable by law. The best course of action is to document the email and report it to the relevant IT security department.
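The check Holloway performed by eye (display name says one colleague, address says another) can be automated over the raw message headers. The following is an added example and not code from the original page; the address book and the sample messages are constructed for it, using .invalid placeholder domains. It also flags a Reply-To that differs from the visible sender, which the page's webmail screenshot would not show.

```python
"""Flag a From header whose display name belongs to one known contact
while the address belongs to another (the Anastasia/Cory case above).
Added example; the contact directory and sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of colleagues: first name -> the address we expect.
KNOWN_CONTACTS = {
    "anastasia": "anastasia@example-office.invalid",
    "cory": "cory@example-office.invalid",
    "holloway": "holloway@example-office.invalid",
}

# Constructed sample: the display name says Anastasia, the address says Cory.
SAMPLE_SPOOFED = """\
From: Anastasia Oksanochka <cory@example-office.invalid>
Reply-To: cory@example-office.invalid
To: Holloway Chew Kean Ho <holloway@example-office.invalid>
Subject: Case archives
Content-Type: text/plain

Please review the attached case archives.
"""

# Constructed sample: genuinely from Anastasia, nothing to flag.
SAMPLE_GENUINE = """\
From: Anastasia Oksanochka <anastasia@example-office.invalid>
To: Holloway Chew Kean Ho <holloway@example-office.invalid>
Subject: Case archives
Content-Type: text/plain

Please review the attached case archives.
"""


def check_sender(raw_message: str) -> dict:
    """Parse the From header and return the sender plus a list of findings.

    An empty findings list means the visible name and the real address agree
    with the contact directory and replies go back to the same address.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    findings = []

    # 1. Does the display name name a colleague whose real address is different?
    first_name = display_name.split()[0].lower() if display_name else ""
    expected = KNOWN_CONTACTS.get(first_name)
    if expected and expected != address:
        findings.append(
            f"display name '{display_name}' belongs to {expected}, "
            f"but the mail came from {address}"
        )

    # 2. Does the real address belong to a known contact under a different name?
    for name, known_address in KNOWN_CONTACTS.items():
        if known_address == address and name != first_name:
            findings.append(f"address {address} is actually {name.title()}")

    # 3. Would a reply go somewhere other than the visible sender address?
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != address:
        findings.append(f"replies would go to {reply_to}, not {address}")

    return {"display_name": display_name, "address": address, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("genuine", SAMPLE_GENUINE)):
        result = check_sender(sample)
        print(f"{label}: {result['display_name']} <{result['address']}>")
        for finding in result["findings"]:
            print("  WARNING:", finding)
```

Matching on first name alone is deliberately simple; a production filter would compare against the company directory and also look at authentication results (SPF/DKIM/DMARC) in the received headers, which this example does not parse.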

CASE II: Masked Hyperlink

Assuming the received email is genuinely from Anastasia, the next thing is to check that the given link is not masked with malicious intent. You MUST always check the link before you click.

To do that, you need to:

  1. Right-click on the link.
  2. Select Copy link address.
  3. Paste it on a notepad or text editor to check it.

[Image: copy email underlying hyperlink]

[Image: paste and verify email underlying hyperlink]

This reveals the true underlying link. In the case study above, it turned out that Holloway was being pointed to another site instead of the office's case archives.

With this check, Holloway avoided leaking secret data to an external malicious site.

CASE III: Malicious Attachment

Lastly, emails with attachments are very common and are the greatest source of computer infections. Therefore, one must deal with attachments carefully.

NOTE: going back to the package example, a malicious attachment is the 500 cockroaches in a beautiful package, or the malware in an email. Either way, you want to avoid both.

[Image: Cory sent attachment to Holloway]

Consider Cory now sending Holloway a report attachment. Only after verifying the sender and any links in the email does Holloway download the attachment.

IMPORTANT RULE: NEVER entertain any attachment if the email is malicious.

Simple logic: if you already know a package has 500 roaches, what is the first thing you do? Obviously, dispose of it properly without opening it.

After downloading the attachment, do the following in sequence:

  1. Scan the attachment with your local anti-malware solution (e.g. Kaspersky). If a threat is detected, do not open it. Just delete it and approach your tech assistant. Otherwise, follow the next step.
  2. If it is a compressed file (zip or tar), unzip/untar it.
  3. Repeat step 1 against the extracted files and directories.

FOR YOUR INFORMATION: some malware is able to evade scanning while inside a compressed file. Hence, to make sure you are truly safe, make this a habit rather than relying solely on anti-malware to protect you.

[Image: scan email attachment for malware]

[Image: scan decompressed files for malware]
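The three steps above (scan, unpack, scan again) form a loop, because an archive can contain another archive. The following is an added example, not code from the original page, that runs that loop in memory: each file is checked, any zip member is unpacked and its contents checked in turn, with a nesting-depth cap and a per-member size cap so that a deliberately deep or oversized archive stops the loop instead of exhausting the machine. The "scanner" here is a constructed hash blocklist and a list of executable suffixes standing in for the real anti-malware product; the sample zip-inside-a-zip is built by the code itself.

```python
"""Scan an attachment, unpack any zip it contains, and rescan the contents.
Added example; the blocklist and the sample attachment are constructed."""
import hashlib
import io
import zipfile

MAX_DEPTH = 3                      # stop unpacking archives nested deeper than this
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate single members larger than this

# Constructed stand-in for an anti-malware signature database: a known-bad
# sample's SHA-256. A real deployment queries the installed AV product instead.
BAD_SAMPLE = b"constructed malicious payload for this example"
BLOCKLIST = {hashlib.sha256(BAD_SAMPLE).hexdigest()}
RISKY_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")


def scan_bytes(name: str, data: bytes) -> list:
    """Step 1: check one file. Returns [(name, reason), ...], empty when clean."""
    findings = []
    if hashlib.sha256(data).hexdigest() in BLOCKLIST:
        findings.append((name, "matches blocklist hash"))
    if name.lower().endswith(RISKY_SUFFIXES):
        findings.append((name, "executable file type inside an email attachment"))
    return findings


def scan_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Steps 1-3 as a loop: scan, unpack if it is a zip, scan the members."""
    findings = scan_bytes(name, data)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        findings.append((name, "archive nested too deeply; not unpacked"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member_name = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member_name, "member too large; not scanned"))
                continue
            # Members are read into memory, never written to disk, so a member
            # name like ../../etc/passwd cannot escape anywhere.
            findings.extend(scan_attachment(member_name, archive.read(info), depth + 1))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: report.zip containing README.txt and a nested
    report.zip that holds the bad sample under a double extension."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("report.pdf.exe", BAD_SAMPLE)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("README.txt", b"Quarterly report attached.")
        z.writestr("report.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    results = scan_attachment("report.zip", build_sample_attachment())
    if not results:
        print("clean: safe to open")
    for member, reason in results:
        print(f"THREAT in {member}: {reason}")
```

The outer archive itself scans clean, which is exactly the situation the FYI note warns about; the threat only shows up once the nested archive is unpacked and its member is scanned on its own.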

Step #3: Process The Email

Once you have finished reading the email and processing its attachment, you MUST ensure that the email itself is processed too. That means either:

  1. you print it out as a PDF and store it like a file, OR
  2. trash it.

The job is done when the email has left your inbox.

IMPORTANT NOTE: the Inbox is not a place to store archived emails. Those belong in the Archives section or in your datastore. Keeping the Inbox as small as possible actually helps your IT support to quickly identify problems and assist you.

Just like your home mailbox, you never clog it with mail you have already read. Rather, you either archive the contents or discard them into the trash.