TryHackMe - Phishing Prevention room
Phishing Prevention is the fourth room in TryHackMe's Phishing Analysis module under the SOC Level 1 path. If you're working through the room and get stuck, this guide provides clear hints and answers to help you progress without frustration.
Task 2
Q1 Based on TryHackMe's SPF record above, how many domains are authorized to send email on its behalf?
3
Q2 What is the intended action of an email that returns a SoftFail verification result?
Flag (a SoftFail comes from the ~all qualifier: the sender is not listed, but the domain owner is not making a strong statement, so the receiving server should accept the message and mark it as suspicious rather than reject it)
Task 3
Q1 Based on the sample header above, what is the reason for the permerror?
no key for signature
Task 4
Q1 Which DMARC policy provides the greatest amount of protection by blocking emails that fail the DMARC check?
p=reject
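The SPF and DMARC questions in Tasks 2 and 4 both come down to reading a DNS TXT record and working out what a receiving server is expected to do with it. The parser below is an added example, not part of the room or of TryHackMe's own records: the SPF record and the three DMARC records are constructed for illustration, and the helper names (parse_spf, parse_dmarc, strongest_policy) are my own. It counts the domains an SPF record delegates to, maps the qualifier on the all mechanism to the receiver action (so ~all reports softfail/flag and -all reports fail/reject), and ranks DMARC records by the protection their p= tag gives, including the sp= default and the pct= sampling value that often gets overlooked.

```python
"""Parse SPF and DMARC TXT records and report the receiver action they imply.

Added example with constructed records; not TryHackMe's DNS data.
"""
import re

# Receiver action implied by the qualifier on the "all" mechanism (RFC 7208).
SPF_ALL_ACTIONS = {
    "+": "pass (accept)",
    "-": "fail (reject)",
    "~": "softfail (accept but flag as suspicious)",
    "?": "neutral (no policy statement)",
}

# DMARC policies from weakest to strongest (RFC 7489).
DMARC_STRENGTH = ["none", "quarantine", "reject"]

# Mechanisms and modifiers that name another domain; CIDR suffixes are dropped.
SPF_DOMAIN_TERM = re.compile(r"(include|a|mx|exists|redirect)[:=]([^/]+)", re.I)

# Constructed sample records (hypothetical domains).
SPF_EXAMPLE = ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.com "
               "include:mail.example.net a:relay.example.org ~all")
DMARC_EXAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=50; sp=none",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com",
]


def parse_spf(record):
    """Return (authorized_domains, action_for_unlisted_senders).

    Bare 'a' and 'mx' refer to the record's own domain and are not counted;
    ip4/ip6 terms authorize addresses, not domains.
    """
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    domains = []
    all_action = "neutral (no 'all' term, unlisted senders get a neutral result)"
    for term in tokens[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_action = SPF_ALL_ACTIONS[qualifier]
            continue
        m = SPF_DOMAIN_TERM.match(term)
        if m:
            domain = m.group(2).lower()
            if domain not in domains:        # count each delegated domain once
                domains.append(domain)
    return domains, all_action


def parse_dmarc(record):
    """Return the DMARC tags plus the effective domain and subdomain policies."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "none")
    tags["effective_policy"] = policy
    tags["effective_subdomain_policy"] = tags.get("sp", policy)  # sp defaults to p
    tags["pct"] = int(tags.get("pct", "100"))   # share of failing mail the policy applies to
    return tags


def strongest_policy(records):
    """Return the record whose p= tag blocks the most (reject > quarantine > none)."""
    return max(records,
               key=lambda r: DMARC_STRENGTH.index(parse_dmarc(r)["effective_policy"]))


if __name__ == "__main__":
    domains, action = parse_spf(SPF_EXAMPLE)
    print(f"{len(domains)} authorized domains: {domains}")
    print(f"unlisted senders: {action}")
    for rec in DMARC_EXAMPLES:
        t = parse_dmarc(rec)
        print(f"p={t['effective_policy']} sp={t['effective_subdomain_policy']} pct={t['pct']}")
    print("most protective:", strongest_policy(DMARC_EXAMPLES))
```

Run it as a script to see the counts; when checking a real domain, feed the TXT record you pulled with dig into parse_spf or parse_dmarc. Note that a p=quarantine record with pct=50 only quarantines half of the failing mail, and a record with sp=none leaves subdomains unprotected, both of which the output makes visible.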
Task 5
Q1 Which S/MIME component ensures that only the intended recipient can read the contents of an email message?
Encryption (the task description covers it: S/MIME signing gives authentication and integrity, while encryption gives confidentiality, so only the holder of the recipient's private key can read the message)
Task 6
Q1 Which Wireshark filter can you use to narrow down your results based on SMTP response codes?
smtp.response.code (for example, smtp.response.code == 220 shows only packets carrying that reply)
Q2 How many packets in the capture contain the SMTP response code 220 Service ready?
19
Q3 One SMTP response indicates that an email was blocked by spamhaus.org. What response code did the server return?
553
Q4 Based on the packet from the previous question, what is the full Response code: message?
Requested action not taken: mailbox name not allowed (553)
Q5 Search for response code 552. How many messages were blocked for presenting potential security issues?
6
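Task 6 is an exercise in tallying SMTP reply codes and reading the text that accompanies them. The script below is an added example, not code from the room, and the server transcript it parses is constructed (the Spamhaus and "security issue" wording is modelled on common rejection texts, not copied from the room's capture). It groups reply lines into complete replies, treating CODE-text lines as continuations so a multi-line EHLO response counts once, counts replies per code, pulls out the reply that mentions a keyword such as spamhaus, and renders a code the way Wireshark's Response code field does, using the reply meanings from RFC 5321.

```python
"""Tally SMTP server replies from a transcript, the way you would with
Wireshark's smtp.response.code filter. Added example with a constructed transcript."""
import re

SMTP_REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

# Reply meanings from RFC 5321 section 4.2.3, as Wireshark shows them.
SMTP_CODE_TEXT = {
    "220": "<domain> Service ready",
    "221": "<domain> Service closing transmission channel",
    "250": "Requested mail action okay, completed",
    "552": "Requested mail action aborted: exceeded storage allocation",
    "553": "Requested action not taken: mailbox name not allowed",
}

# Constructed server-side transcript (hypothetical hosts and addresses).
SMTP_RESPONSES = """\
220 mail.example.com ESMTP Service ready
250-mail.example.com Hello client.example.net
250-SIZE 35882577
250 STARTTLS
220 mail.example.com ESMTP Service ready
553 5.7.1 Client host [203.0.113.5] blocked using zen.spamhaus.org
552 5.7.0 This message was blocked because its content presents a potential security issue
552 5.7.0 This message was blocked because its content presents a potential security issue
221 2.0.0 Bye
"""


def parse_replies(transcript):
    """Group reply lines into complete replies: 'CODE-text' continues a reply,
    'CODE text' ends it. Returns a list of (code, [text lines])."""
    replies, current = [], None
    for line in transcript.splitlines():
        m = SMTP_REPLY_RE.match(line)
        if not m:
            continue                          # client commands or noise
        code, sep, text = m.groups()
        if current is None or current[0] != code:
            current = (code, [])
        current[1].append(text)
        if sep == " ":                        # last line of this reply
            replies.append(current)
            current = None
    return replies


def count_code(replies, code):
    """Number of complete replies carrying the given code."""
    return sum(1 for c, _ in replies if c == code)


def find_block_reason(replies, keyword):
    """(code, text) of the first reply mentioning keyword, or None."""
    for code, lines in replies:
        text = " ".join(lines)
        if keyword.lower() in text.lower():
            return code, text
    return None


def describe(code):
    """Render a code the way Wireshark's 'Response code:' field does."""
    return f"{SMTP_CODE_TEXT.get(code, 'Unknown reply code')} ({code})"


if __name__ == "__main__":
    replies = parse_replies(SMTP_RESPONSES)
    for code in ("220", "552", "553"):
        print(code, count_code(replies, code), describe(code))
    print(find_block_reason(replies, "spamhaus"))
```

For a real capture, export the SMTP server lines (for example with tshark and a field filter on smtp.response) and feed them to parse_replies; the counts then correspond to what the Wireshark status bar shows for each smtp.response.code value.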
Task 7
Q1 How many SMTP packets are available for analysis?
Apply the display filter smtp to the pcap; the Displayed count in Wireshark's status bar is the answer.
Q2 What is the name of the attachment in packet 270?
Go to packet 270 (Go > Go to Packet, or Ctrl+G, then enter 270), expand the Line-based text data section in the packet details, and the attachment name is listed there.
Q3 According to the message in packet 270, which Host IP address is not responding, making the message undeliverable?
Read the email body in that same packet; the bounce message names the host IP address that did not respond.
Q4 By filtering for imf, which email client was used to send the message containing the attachment attachment.scr?
Apply the display filter imf, then look through the reassembled messages for the one that carries attachment.scr; the sending client is normally recorded in that message's X-Mailer (or User-Agent) header.
Q5 Which type of encoding is used for this potentially malicious attachment?
The value of the Content-Transfer-Encoding header on the attachment's MIME part gives the answer.
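Task 7 asks for the attachment name, the sending client, the unresponsive host in the bounce text, and the attachment's transfer encoding. Instead of clicking through Wireshark, the same fields can be pulled from a reassembled IMF message with Python's standard email package. The script below is an added example, not code from the room: it builds a constructed bounce-style message (hypothetical addresses, a documentation-range IP, a fake X-Mailer value and a few fake bytes named attachment.scr), then parses it the way you would parse a message exported from the capture, reading the client header, each attachment's filename and Content-Transfer-Encoding, flagging risky extensions, and extracting the "Host ... is not responding" address from the body.

```python
"""Extract phishing-relevant fields from an IMF message with the standard library.
Added example; the sample message is constructed, not the room's capture."""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Extensions that are executable on Windows and common in malicious attachments.
RISKY_EXTENSIONS = {".scr", ".exe", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}

HOST_NOT_RESPONDING = re.compile(r"Host\s+(\d{1,3}(?:\.\d{1,3}){3})\s+is not responding")


def build_sample_message():
    """Return raw bytes of a constructed bounce message carrying a .scr attachment."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Undeliverable: Invoice"
    msg["X-Mailer"] = "Microsoft Outlook 16.0"        # constructed client header
    msg.set_content(
        "Your message could not be delivered.\n"
        "Host 192.0.2.10 is not responding.\n"        # documentation-range IP
    )
    # Binary payload defaults to a base64 Content-Transfer-Encoding.
    msg.add_attachment(b"MZ\x90\x00 constructed, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename="attachment.scr")
    return msg.as_bytes()


def analyze(raw):
    """Parse raw IMF bytes and return the fields Task 7 asks about."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {
        "client": msg.get("X-Mailer") or msg.get("User-Agent"),
        "attachments": [],
        "unresponsive_hosts": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        result["attachments"].append({
            "filename": name,
            "content_type": part.get_content_type(),
            "transfer_encoding": part.get("Content-Transfer-Encoding"),
            "size": len(part.get_payload(decode=True)),   # decoded bytes
            "suspicious": ext in RISKY_EXTENSIONS,
        })
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        result["unresponsive_hosts"] = HOST_NOT_RESPONDING.findall(body.get_content())
    return result


if __name__ == "__main__":
    report = analyze(build_sample_message())
    print("client:", report["client"])
    for att in report["attachments"]:
        print("attachment:", att)
    print("hosts not responding:", report["unresponsive_hosts"])
```

To use it on the room's traffic, export the message from Wireshark (File > Export Objects > IMF) and pass the file's bytes to analyze; the transfer_encoding value is the same header Wireshark shows under the MIME part.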
Task 8
Q1 A security team wants to implement a control to detect hidden malware inside email attachments.
They need a way to analyze suspicious files without risking infection on real systems.
Which protective technique would allow them to observe a file's behavior safely?
Sandboxing (covered in the task's explanation): the file is detonated in an isolated, instrumented environment so its behaviour can be observed without exposing production systems.