Phishing — Phishmas Greetings | Advent of Cyber 2025 Day 12 | Writeup

Access the room: https://tryhackme.com/room/spottingphishing-aoc2025-r2g4f6s8l0

Since McSkidy’s disappearance, TBFC’s defences have weakened, and now the Email Protection Platform is down. With filters offline, the staff must triage every suspicious message manually. The SOC Team suspects Malhare’s Eggsploit Bunnies have sent phishing messages to TBFC’s users to steal credentials and disrupt SOC-mas. You’ve joined the Incident Response Task Force to help identify which emails are legit or phishing attempts.

But beware, some phishing attempts are clever, disguised as routine TBFC operations, volunteer sign-ups, or SOC-mas event logistics. Every wrong call could bring Wareville one step closer to EAST-mas becoming a reality.

What is Phishing?

Phishing is a precision strike, carefully crafted to deceive specific users and trick them into revealing sensitive information or performing malicious actions.

Common intentions behind phishing emails:

  • Credential theft: Tricking users into revealing passwords or login details.
  • Malware delivery: Disguising malicious attachments or links as safe content.
  • Data exfiltration: Gathering sensitive company or personal information.
  • Financial fraud: Persuading victims to transfer money or approve fake invoices.

Distinguishing Spam from Phishing

Spam is digital noise, sent in bulk to flood inboxes with unwanted marketing or irrelevant content.


Common intentions behind spam messages:

  • Promotion: Advertising products, services, or events.
  • Scams: Spreading fake offers or “get rich quick” schemes.
  • Traffic generation (clickbait): Driving users to external sites or boosting metrics.
  • Data harvesting: Collecting active email addresses for future campaigns.

Spotting Phishing Techniques

  • Impersonation: Attackers may impersonate a person, department, or service to gain credibility. Check if the sender’s email matches the internal domain or standard email structure of the company.
  • Sense of urgency: Phishing emails often use words like “urgent” and “immediately” to pressure the recipient.
  • Side channel: Attackers may try to discourage recipients from using standard communication channels (phone and email address) and move the conversation to other platforms.
  • Malicious intention: The email may trick the user into giving credentials, approving payments, opening malware, or sharing sensitive data.

Advanced Phishing Techniques

  • Typosquatting and Punycode: Attackers register common misspellings of an organization’s domain or use punycode to create visually similar domains. For example, glthub.com instead of github.com or using punycode to replace Latin letters with similar-looking Unicode characters.
  • Spoofing: Attackers use email spoofing to make the email appear as if it came from a trusted sender. Check the email headers for Authentication-Results and Return-Path to verify the sender's authenticity.
  • Malicious Attachments: Phishing emails may contain malicious files, often disguised as voice messages, documents, or other attractive content. Once opened, these files can install malware, steal passwords, or give attackers access to the device or network.
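The checks listed above (sender versus Return-Path alignment, Authentication-Results, display-name impersonation, urgency and side-channel wording, and attachments that do not match what the subject promises) can be scripted for manual triage. The following Python is an added example written for this writeup, not the room's Email Threat Inspector or any TBFC tooling; the tbfc.example domain, the keyword lists and the two sample messages are constructed assumptions.

```python
"""Added example, not the room's tooling: header and content triage over raw
emails. Assumptions (constructed, not from the page): the tbfc.example domain,
the keyword and extension lists, and the two sample messages below."""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "tbfc.example"          # assumed internal domain
ORG_NAME = INTERNAL_DOMAIN.split(".")[0]  # "tbfc": spots display names that borrow the org name
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away")
SIDE_CHANNEL_WORDS = ("whatsapp", "telegram", "text me", "not the office")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".lnk", ".iso")
# What a subject claims to deliver, and the extensions consistent with that claim
CLAIMED_CONTENT = {"voice message": (".mp3", ".wav", ".m4a"), "invoice": (".pdf",)}


def domain_of(header_value):
    """Lower-cased domain of the address in a From or Return-Path header value."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage(raw):
    """Return the list of phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    from_dom = domain_of(from_hdr)
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:            # envelope sender does not align with From
        findings.append(f"return-path domain {rp_dom} differs from From domain {from_dom}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):        # anything but pass deserves a look
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")
    display_name = parseaddr(from_hdr)[0].lower()
    if from_dom in FREE_MAIL:
        findings.append(f"free-mail sender domain {from_dom}")
    if from_dom != INTERNAL_DOMAIN and ORG_NAME in display_name:
        findings.append(f"display name claims {ORG_NAME} but domain is {from_dom}")
    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    text = subject + " " + (body_part.get_content().lower() if body_part else "")
    for label, words in (("urgency wording", URGENCY_WORDS),
                         ("side-channel request", SIDE_CHANNEL_WORDS)):
        hits = [w for w in words if w in text]
        if hits:
            findings.append(f"{label}: {', '.join(hits)}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment {name}")
        for claim, ok_exts in CLAIMED_CONTENT.items():
            if claim in subject and not name.endswith(ok_exts):
                findings.append(f"subject promises {claim!r} but attachment is {name}")
    return findings


# Constructed sample 1: spoofed "internal" finance mail with failed authentication
SPOOFED_INVOICE = """\
Return-Path: <bounce@mailer-bunnies.example>
Authentication-Results: mx.tbfc.example; spf=fail smtp.mailfrom=mailer-bunnies.example; dkim=none; dmarc=fail
From: "TBFC Finance" <finance@tbfc.example>
To: elf@tbfc.example
Subject: URGENT: invoice must be paid immediately

Please approve the attached invoice right away.
"""

# Constructed sample 2: free-mail impersonation carrying a "voice message" that is not audio
VOICE_LURE = """\
Return-Path: <mcskidy.tbfc@gmail.com>
Authentication-Results: mx.tbfc.example; spf=pass smtp.mailfrom=gmail.com; dkim=pass; dmarc=pass
From: McSkidy from TBFC <mcskidy.tbfc@gmail.com>
To: elf@tbfc.example
Subject: New voice message - listen immediately
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Listen to the attached voice message and reach me on WhatsApp, not the office line.
--sep
Content-Type: application/octet-stream; name="voicemail.hta"
Content-Disposition: attachment; filename="voicemail.hta"
Content-Transfer-Encoding: base64

aGVsbG8=
--sep--
"""

if __name__ == "__main__":
    for sample in (SPOOFED_INVOICE, VOICE_LURE):
        print(triage(sample))
```

Each finding is only an indicator, not a verdict: a legitimate internal notice can trip the urgency check, and a spoofed message sent through a correctly authenticating relay passes SPF for the relay's domain, which is why the Return-Path alignment check sits beside the Authentication-Results check rather than replacing it.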

Trending Phishing Techniques

  • Legitimate Applications: Attackers hide behind trusted services like Dropbox, Google Drive/Docs, and OneDrive to make their lures look trustworthy.
  • Fake Login Pages: Attackers create fake login pages to steal credentials. These pages mimic legitimate login portals such as Microsoft Office 365 and Google.
  • Side Channel Communications: Attackers move the conversation off email to other platforms like SMS, WhatsApp/Telegram, phone or video calls, or shared document platforms to continue the phishing attack.

Step-by-Step Walkthrough

Initial Setup

Start the target machine and access the Wareville Email Threat Inspector at https://LAB_WEB_URL.p.thmlabs.com.

Familiarize yourself with the interface and the sample emails provided.

Classifying Email 1:

By analyzing the email and its headers, we can clearly see that the sender’s address is spoofed. The content also creates a sense of urgency and includes a fake invoice, making it obvious that this is a phishing email.

Hooray, we found our first flag! THM{yougotnumber1-keep-it-going}

Classifying Email 2:

By analyzing the second email, we found that it is also spoofing the sender’s email address and pretending to be McSkidy. Additionally, although the email subject claims to contain an audio voice message, the attached file is not an audio file and could potentially be a malicious file.

Hooray, we found our 2nd flag! THM{nmumber2-was-not-tha-thard!}

Classifying Email 3:

The sender’s email comes from a free domain (gmail.com) instead of the official TBFC domain. The subject and message use words like “urgent” and “immediately” to create pressure, and the email asks the recipient to reach out to McSkidy through non-standard communication channels.

Hooray, we found our 3rd flag! THM{Impersonation-is-areal-thing-keepIt}

Classifying Email 4:

Here, the Bad Bunnies impersonate TBFC HR from an external sender domain and fabricate an entire salary-raise approval process to make the email look authentic and bait the recipient, which makes it clearly a phishing attempt.

Hooray, we found our 4th flag! THM{Get-back-SOC-mas!!}

Classifying Email 5:

The 5th email contains nothing malicious; it is just a promotional message from the CandyCane Co Logistic platform, so it is classified as spam.

Hooray, we found our 5th flag! THM{It-was-just-a-sp4m!!}

Classifying Email 6:

The sender’s email uses Punycode (the encoded form of non-ASCII characters) to mimic an official domain, but it is actually a spoofed address impersonating the TBFC IT team. There is also a link to a sketchy phishing site, ‘microsoftooline.co’, which could steal a user’s credentials if they attempt to sign in.
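Decoding a Punycode sender domain and scoring a link domain against the domains you trust, as an added example that is not part of the room or its inspector. It covers both the typosquatting cases from the techniques section above and the homoglyph sender in this email: the allowlist, the confusables table and the edit-distance threshold are assumptions, glthub.com and microsoftooline.co are the page's own examples, and tbfc.example stands in for the real TBFC domain.

```python
"""Added example, not part of the room: spot Punycode and look-alike domains in
sender addresses and links. Assumptions (constructed, not from the page): the
allowlist, the confusables table and the distance threshold; glthub.com and
microsoftooline.co are the page's own examples."""
import unicodedata

ALLOWLIST = ("tbfc.example", "microsoftonline.com", "github.com")

# A few Cyrillic letters that render like Latin ones (constructed, far from complete)
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}


def to_ace(domain):
    """Unicode domain -> the xn-- (ACE) form that actually appears in headers and URLs."""
    return domain.encode("idna").decode("ascii")


def decode_punycode(domain):
    """xn-- form back to Unicode; input that is not ASCII is returned unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def fold(domain):
    """Normalise a domain to the Latin string a human would read: lower-case,
    decode Punycode, apply NFKC (full-width forms etc.), then swap known confusables."""
    decoded = unicodedata.normalize("NFKC", decode_punycode(domain.lower()))
    return "".join(CONFUSABLES.get(ch, ch) for ch in decoded)


def levenshtein(a, b):
    """Classic edit distance; a small distance to a trusted domain suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain, max_distance=2):
    """Return (label, closest trusted domain). Labels: legitimate, homoglyph,
    lookalike, unknown. The max_distance threshold is an assumption."""
    raw = domain.lower()
    if raw in ALLOWLIST:
        return "legitimate", raw
    folded = fold(raw)
    best = min(ALLOWLIST, key=lambda good: levenshtein(folded, good))
    dist = levenshtein(folded, best)
    if dist == 0:
        return "homoglyph", best     # identical to a trusted domain only after folding
    if dist <= max_distance:
        return "lookalike", best
    return "unknown", best


if __name__ == "__main__":
    # The Cyrillic "\u0441" below is a constructed homoglyph of the Latin "c"
    for d in ("github.com", "glthub.com", "microsoftooline.co",
              to_ace("tbf\u0441.example"), "candycane-logistics.example"):
        print(d, "->", assess(d))
```

In raw headers a homoglyph domain shows up in its xn-- form, which is why the sender address in email 6 looks odd rather than convincing; the same domain rendered in a mail client as Unicode is the convincing one, so the check is worth running on the decoded form as well as the ACE form.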

Hooray, we got our last flag! THM{number6-is-the-last-one!-DX!}

Answers to the THM Lab

Classify the 1st email, what’s the flag?

THM{yougotnumber1-keep-it-going}.

— — — — — — — — — — — — — — — — — — -

Classify the 2nd email, what’s the flag?

THM{nmumber2-was-not-tha-thard!}.

— — — — — — — — — — — — — — — — — — -

Classify the 3rd email, what’s the flag?

THM{Impersonation-is-areal-thing-keepIt}.

— — — — — — — — — — — — — — — — — — -

Classify the 4th email, what’s the flag?

THM{Get-back-SOC-mas!!}.

— — — — — — — — — — — — — — — — — — -

Classify the 5th email, what’s the flag?

THM{It-was-just-a-sp4m!!}.

— — — — — — — — — — — — — — — — — — -

Classify the 6th email, what’s the flag?

THM{number6-is-the-last-one!-DX!}