Phishing - Phishmas Greetings

Day 12

Learn how to spot phishing emails from Malhare's Eggsploit Bunnies sent to TBFC users.

Spotting Phishing Emails

Overview

- Room URL: https://tryhackme.com/room/spottingphishing-aoc2025-r2g4f6s8l0
- Difficulty: Medium
- Category: Phishing
- Date Completed: 12/12/2025

Objectives

- Spotting phishing emails
- Learn trending phishing techniques
- Understand the differences between spam and phishing

Table of Contents

- Introduction
- Walk Through
- Lessons Learned
- Resources

Introduction

As TBFC's defenses crumble under King Malhare's assault, the Eggsploit Bunnies launch a coordinated phishing campaign designed to exploit the chaos of the Christmas crisis. With McSkidy kidnapped and Wareville's email protections down, attackers have a critical window to compromise employees and deepen their infiltration.

The challenge isn't just spotting obvious red flags—it's understanding attacker psychology: how they impersonate trusted contacts, manufacture urgency, and weaponize legitimate tools to steal credentials and access. In this triage operation, you'll learn to separate harmless spam from precision-crafted phishing attacks, identifying the telltale signals that reveal each attacker's true intent.

Phishing Indicators

- SPF/DKIM/DMARC authentication results
- Sender domain vs. Return-Path discrepancies
- Free email domains for corporate impersonation
- Punycode and typosquatting in domain names
- Social engineering language (urgency, authority, legitimacy)

Walk Through

Email 1

- Email 1 is an invoice from PayPal
- Not all of the links direct to paypal.com
- It is an invoice for $699.89
- The "From" email is service@paypal.com
- The SPF record failed as Danielle378.onmicrosoft.com sent the email
- This is a phishing email
  - Spoofing
  - Fake Invoice
  - Sense of Urgency

Email 2

- Missed voice message from McSkidy
- The From address is calls@tbfc.com
- Has an attachment of Play-Now.mp3
- SPF Failed
  - smtp.mailfrom=tbfc.com
  - Received from gw3097.weakmail.com
- Email is phishing
  - Spoofing
  - Impersonation
  - Malicious Attachment

Email 3

- Email from McSkidy saying a new VPN is needed, that they will be unreachable by phone, and that they need to use personal email
- From mcskiddy202512@gmail.com
- SPF Pass
- Phishing
  - Impersonation
  - Sense of Urgency
  - Social Engineering Text

Email 4

- Email from TBFC HR about Annual Salary Raise
- From no-reply@dropbox.com
- Dropbox indicates it is from hr.tbfc@outlook.com
- SPF Pass
- Email is Phishing
  - Impersonation
  - Social Engineering Text
  - External Sender Domain

Email 5

- Email about improving event logistics
- From laura@candycane-co.wv
- No external links
- Advertising their platform
- SPF Pass
- Spam Email

Email 6

- TBFC-IT shared a file with you
- From tbfc-it@tb(f)c.com (the f is a Latin character, not English)
- Christmas Flattop Upgrade Agreement
- Link goes to microsoftooline.co
- SPF Pass
- Email is Social Engineering
  - Impersonation
  - Typosquatting/Punycode
  - Social Engineering Text

Lessons Learned

Learned how to identify and distinguish phishing attacks from spam by analyzing sender authentication (SPF/DKIM/DMARC failures), domain legitimacy, and attacker intent. The key is recognizing that phishing targets specific users with precision deception (credential theft, malware delivery, financial fraud), while spam targets quantity for promotion or data harvesting. Authentication failures, spoofed From: fields, and mismatched Return-Path headers are critical indicators.

Mastered the recognition of modern phishing techniques including impersonation, social engineering, typosquatting, punycode exploitation, malicious attachments, and the weaponization of legitimate platforms (Dropbox, OneDrive) to bypass security filters and steal credentials. The evolution of phishing now focuses on moving users out of secure email environments into fake login pages and cloud-sharing platforms, making threat detection dependent on understanding attacker psychology and context rather than technical filtering alone.

Resources

- TryHackMe
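The header checks listed under Phishing Indicators (authentication results, From vs. Return-Path, free-mail impersonation, punycode or non-ASCII domains) can be scripted for first-pass triage. The following Python is an added example, not part of the original write-up or the TryHackMe room; the sample headers are constructed, and the `FREE_MAIL` list, the `ORG_LABEL` value and the `mx.example` host are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_LABEL = "tbfc"  # organisation name used in the write-up
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed, non-exhaustive

def domain_of(value):
    """Lower-cased domain of an address header ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the header indicators found in one raw message."""
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    from_dom, rp_dom = domain_of(sender), domain_of(msg.get("Return-Path"))
    hits = []
    # SPF/DKIM/DMARC verdicts recorded by the receiving mail server
    auth = msg.get("Authentication-Results", "")
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if verdict.lower() != "pass":
            hits.append(f"{mech.lower()}={verdict.lower()}")
    # Envelope sender (Return-Path) differs from the visible From domain
    if rp_dom and rp_dom != from_dom:
        hits.append("return-path-mismatch")
    # Free mailbox whose display name or address claims the organisation
    if from_dom in FREE_MAIL and ORG_LABEL in sender.lower():
        hits.append("free-mail-impersonation")
    # Punycode label or non-ASCII character in the sender domain
    if not from_dom.isascii() or re.search(r"(^|\.)xn--", from_dom):
        hits.append("idn-domain")
    return hits

def sample(sender, return_path, auth):
    # Builds a constructed header block for the demo
    return (f"From: {sender}\nReturn-Path: <{return_path}>\n"
            f"Authentication-Results: mx.example; {auth}\n\n(body omitted)")

# Constructed samples modelled on the emails in the walk-through
SAMPLES = {
    "invoice": sample("service@paypal.com", "billing@danielle378.onmicrosoft.com",
                      "spf=fail; dmarc=fail"),
    "hr": sample("TBFC HR <hr.tbfc@outlook.com>", "hr.tbfc@outlook.com", "spf=pass"),
    "share": sample("TBFC-IT <tbfc-it@tb\u0192c.com>", "tbfc-it@tb\u0192c.com", "spf=pass"),
    "spam": sample("laura@candycane-co.wv", "laura@candycane-co.wv", "spf=pass"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8} {triage(raw) or 'no header indicators'}")
```

The free-mail and look-alike samples both carry `spf=pass`, which is why a passing authentication result alone does not clear a message.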