AF-3DFB-EM · Email
Spoofed CEO Email
DOWNLOADABLE real .eml. A business email compromise (BEC) message that appears to come from the CEO. Find the true origin by correlating the headers; the forged X-Originating-IP header is a trap.
Scenario
A real email file (.eml). The From header shows the company CEO, but the message is SPOOFED (Authentication-Results: spf=fail, dmarc=fail). The true origin is the external server recorded in the Received chain. The attacker set a Reply-To header so that replies go to a mailbox they control (BEC). A forged X-Originating-IP header carries an internal-looking address and is there to mislead you. Report the true origin IP and the attacker's reply address; do not report the value of the forged header.
Anti-forensics techniques
- Display-name / From spoofing (BEC)
- Forged X-Originating-IP (red herring)
- Received chain correlation
Provided artifacts
- RFC822 email (.eml, full headers)
Sample questions
- q1: What is the email's true origin IP? (from the Received chain)
- q2: At which address does the attacker expect replies? (Reply-To)
- q3: Which technique was used? (e.g. spoofing / BEC)
- trap1: Do NOT report the forged X-Originating-IP as the true origin.
Soundness trap
X-Originating-IP looks internal (10.0.0.5) but is forged; reporting it as the origin is heavily penalized. The header is written by the submitting client or webmail front end and is never verified by the relays that handle the message, so it can say anything. The true origin is the external IP recorded in the Received chain.
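The header triage the scenario and the trap above describe, as an added example that is not part of the challenge or its answer key. The .eml embedded below is constructed for the example (the hosts, addresses, IDs and the 203.0.113.45 origin are invented; the X-Originating-IP value echoes the 10.0.0.5 from the trap). The list of internal networks is an assumption about the victim organisation; on a real case replace it with your own ranges.

```python
import ipaddress
import re
from email import policy
from email.parser import BytesParser

# Networks the (hypothetical) victim organisation owns. A Received "from" IP
# outside them is an external hop. An explicit list is used instead of
# ipaddress.is_global because documentation ranges such as 203.0.113.0/24
# are classed as non-global by the stdlib and the sample below uses one.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample message, not the challenge artifact. The top Received
# header is the last (recipient-side) hop; the bottom one is the earliest.
SAMPLE_EML = b"""Return-Path: <bounce@mail.evil-relay.test>
Received: from mx1.corp.example (mx1.corp.example [10.0.0.10])
    by mailstore.corp.example (Postfix) with ESMTP id 7C1F2A3
    for <cfo@corp.example>; Tue, 05 Mar 2024 09:14:22 +0000
Received: from mail.evil-relay.test (unknown [203.0.113.45])
    by mx1.corp.example (Postfix) with ESMTP id 5B9E1D0
    for <cfo@corp.example>; Tue, 05 Mar 2024 09:14:20 +0000
Received: from [10.0.0.5] (localhost [127.0.0.1])
    by mail.evil-relay.test with ESMTPA id 1A2B3C
    for <cfo@corp.example>; Tue, 05 Mar 2024 09:14:18 +0000
Authentication-Results: mx1.corp.example;
    spf=fail smtp.mailfrom=evil-relay.test; dkim=none;
    dmarc=fail header.from=corp.example
X-Originating-IP: [10.0.0.5]
From: "John Smith (CEO)" <ceo@corp.example>
Reply-To: "John Smith" <ceo.corp.example@mail-urgent.test>
To: cfo@corp.example
Subject: Urgent wire transfer
Date: Tue, 05 Mar 2024 09:14:18 +0000

Please process the attached invoice today and confirm by replying to this email.
"""

def parse_eml(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)

def received_hops(msg):
    """Received headers top to bottom as (from_clause, by_host) pairs."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold, normalise whitespace
        m = re.match(r"from\s+(.*?)\s+by\s+(\S+)", text)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def recorded_ips(from_clause):
    """IPs the receiving MTA observed for the client. The text before "(" is
    the HELO name the client chose; what follows "(" is what the server saw."""
    observed = from_clause.split("(", 1)[1] if "(" in from_clause else from_clause
    return IPV4_RE.findall(observed)

def true_origin(msg):
    """Walk from the recipient's own hop downward and return the first sender
    IP outside INTERNAL_NETS. Hops below that boundary were written by servers
    the attacker may control, so a bottom-up walk could be fed a fake line."""
    for from_clause, _by in received_hops(msg):
        for ip in recorded_ips(from_clause):
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
                return ip
    return None

def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results as a dict."""
    text = " ".join(str(msg.get("Authentication-Results", "")).split())
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))

def triage(raw: bytes) -> dict:
    msg = parse_eml(raw)
    from_addr = msg["From"].addresses[0].addr_spec
    reply_hdr = msg.get("Reply-To")
    reply_to = reply_hdr.addresses[0].addr_spec if reply_hdr else from_addr
    auth = auth_results(msg)
    x_orig = msg.get("X-Originating-IP")
    x_orig_ip = IPV4_RE.search(str(x_orig)).group(1) if x_orig else None
    spoofed = auth.get("spf") == "fail" and auth.get("dmarc") == "fail"
    mismatch = reply_to.rsplit("@", 1)[1].lower() != from_addr.rsplit("@", 1)[1].lower()
    return {
        "from": from_addr,
        "reply_to": reply_to,            # q2: where the attacker reads replies
        "reply_domain_mismatch": mismatch,
        "auth": auth,
        "spoofed": spoofed,
        "x_originating_ip": x_orig_ip,   # trap1: client-supplied, never verified
        "true_origin": true_origin(msg), # q1: taken from the Received chain
        "technique": ("From spoofing + Reply-To redirection (BEC)"
                      if spoofed and mismatch else "undetermined"),
    }

if __name__ == "__main__":
    for key, val in triage(SAMPLE_EML).items():
        print(f"{key:22} {val}")
```

The origin walk deliberately starts at the recipient's own MX and moves outward: the first hop recorded by one of your servers for a client outside your networks is the boundary, and everything below it (including the attacker's self-reported `[10.0.0.5]` HELO name and the `X-Originating-IP` header) was written by hosts the attacker controls. Starting from the bottom of the chain instead would let a fabricated Received line set the answer.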
Scoring
Header correlation + forged-header resistance (soundness).
Download and solve
The answer key is hidden (this is a scored set); the flag is encrypted and must be decrypted.