🚨 Phishing Case Study: Real Email Investigation 2025 🚨

In this video, I perform a step-by-step forensic analysis of a phishing campaign that combined:
1. A Deeper Network scam email pretending to offer withdrawal rewards
2. A Brazilian NF-e XML electronic invoice attachment (Nota Fiscal Eletrônica)
3. Delivery via Bling ERP mail servers ( ), which passed SPF, DKIM, and DMARC

I’ll show how attackers abused legitimate infrastructure to bypass spam filters, and how I validated the message using professional tools.

🔍 Investigation Workflow

1. Extracting the EML
The suspicious email was exported as an .eml file. I analyzed it safely offline using SysTools EML Viewer, preventing accidental clicks.

2. Header Analysis
Loaded the raw headers into Gaijin Email Header Analyzer and MXToolbox Header Analyzer. Identified mismatches:
• Return-Path: sender@
• From: Deeper Network Support (dpr@ )
• Reply-To: atendimento@
• Confirmed the abuse of Bling’s ERP infrastructure (Amazon AWS IP ).

3. Email Verification
• Used Email Verifier and ZeroBounce to check the legitimacy of the sender domains.
• Results showed inconsistencies with the Reply-To address, confirming spoofing/social engineering.

4. Attachment Analysis (NF-e XML)
• Parsed the XML invoice fields (issuer, recipient, totals, tax info).
• While structurally valid, its presence was purely a lure to appear trustworthy.

⚠️ Key Findings
• The email passed SPF, DKIM, and DMARC because it originated from a legitimate ERP platform ( ).
• Attackers used multi-domain spoofing (different Return-Path and Reply-To domains).
• The withdrawal reward lure was a front for phishing/credential theft.
• The XML invoice attachment served as social engineering reinforcement, not as a payload.

🗂 Tools Mentioned
SysTools EML Viewer:
Gaijin Email Header Analyzer:
MXToolbox Header Analyzer:
Email Verifier:
ZeroBounce Email Validation:
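The four workflow steps above (load the .eml offline, compare Return-Path / From / Reply-To, read the authentication results, inspect the NF-e attachment) can be scripted so the same checks run on every suspicious message. The script below is an added example written for this description; it is not from the video and does not use any of the tools named above, only the Python standard library. The embedded message is constructed with placeholder domains (`erp-platform.example`, `attacker-mailbox.example`, etc.) and an invented invoice, not the campaign's real headers or XML; the NF-e element names (`emit`, `dest`, `ICMSTot/vNF`) follow the public NF-e schema. The point it demonstrates is the key finding: SPF, DKIM and DMARC can all pass because the relaying platform is legitimate, so the triage must look at domain mismatches and the display-name brand, not only at the authentication verdicts.

```python
import re
import email
from email import policy
from email.utils import parseaddr
import xml.etree.ElementTree as ET

# Constructed sample .eml for this example (placeholder domains, invented invoice).
# DMARC passes here because DKIM d= aligns with the From domain, even though
# Return-Path and Reply-To point elsewhere and the display name names a third brand.
SAMPLE_EML = """\
Return-Path: <sender@bounces.erp-platform-mail.example>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bounces.erp-platform-mail.example;
 dkim=pass header.d=erp-platform.example;
 dmarc=pass header.from=erp-platform.example
From: Deeper Network Support <dpr@erp-platform.example>
Reply-To: atendimento@attacker-mailbox.example
To: victim@recipient.example
Subject: Withdrawal reward available
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Your withdrawal reward is ready. Reply to claim it.
--B1
Content-Type: application/xml; name="nfe.xml"
Content-Disposition: attachment; filename="nfe.xml"

<?xml version="1.0" encoding="UTF-8"?>
<nfeProc xmlns="http://www.portalfiscal.inf.br/nfe"><NFe><infNFe>
<emit><xNome>Emitente Exemplo Ltda</xNome></emit>
<dest><xNome>Destinatario Exemplo</xNome></dest>
<total><ICMSTot><vNF>1234.56</vNF></ICMSTot></total>
</infNFe></NFe></nfeProc>
--B1--
"""

# Words that appear in almost every display name and say nothing about the brand.
GENERIC_WORDS = {"support", "team", "service", "services", "help", "noreply", "mail", "info"}


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from all Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[mech.lower()] = verdict.lower()
    return results


def extract_nfe_fields(data: bytes) -> dict:
    """Pull issuer, recipient and invoice total out of an NF-e XML body."""
    root = ET.fromstring(data)

    def text(path):
        el = root.find(path)  # {*} matches any namespace (Python 3.8+)
        return el.text.strip() if el is not None and el.text else None

    return {
        "issuer": text(".//{*}emit/{*}xNome"),
        "recipient": text(".//{*}dest/{*}xNome"),
        "total": text(".//{*}ICMSTot/{*}vNF"),
    }


def analyze_eml(raw: str) -> dict:
    """Run the header-mismatch and attachment checks over a raw .eml string."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    domains = {
        "return_path": domain_of(msg.get("Return-Path", "")),
        "from": from_addr.rpartition("@")[2].lower(),
        "reply_to": domain_of(msg.get("Reply-To", "")),
    }

    findings = []
    if domains["reply_to"] and domains["reply_to"] != domains["from"]:
        findings.append("reply_to_domain_mismatch")
    if domains["return_path"] and domains["return_path"] != domains["from"]:
        findings.append("return_path_domain_mismatch")
    # Brand in the display name that is absent from the sending domain.
    tokens = {t for t in re.findall(r"[a-z0-9]+", display_name.lower())
              if len(t) > 2 and t not in GENERIC_WORDS}
    if tokens and not any(t in domains["from"] for t in tokens):
        findings.append("brand_not_in_sender_domain")
    # The case-study pattern: every check passes, yet the addresses disagree.
    if findings and all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")):
        findings.append("auth_pass_with_mismatches")

    attachments = []
    for part in msg.iter_attachments():
        entry = {"filename": part.get_filename(), "content_type": part.get_content_type()}
        if entry["content_type"] in ("application/xml", "text/xml"):
            entry["nfe"] = extract_nfe_fields(part.get_payload(decode=True))
        attachments.append(entry)

    return {"auth": auth, "domains": domains, "findings": findings, "attachments": attachments}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_eml(SAMPLE_EML), indent=2))
```

Run it against an exported .eml by reading the file into `analyze_eml` instead of `SAMPLE_EML`; the XML parse only reads text fields and never follows links or executes anything, so it is safe to run on the offline copy. The domain comparison is exact, so a bulk sender that uses a bounce subdomain will also be flagged; that is intentional for triage, since the analyst should confirm the relationship rather than have the script assume it.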











