Correct
Review the headers from the forwarded email: Examining the email headers can provide crucial information about the email's source, path, and any intermediaries it went through. This information can help identify signs of spoofing or suspicious behavior.
Examine the SPF, DKIM, and DMARC fields from the original email: These three mechanisms (Sender Policy Framework - SPF, DomainKeys Identified Mail - DKIM, and Domain-based Message Authentication, Reporting, and Conformance - DMARC) are used to authenticate the sender's domain and reduce the likelihood of email spoofing. Checking these fields can provide insights into the authenticity of the email.
I mean, why should we focus on the forwarded email? Because every time an email is forwarded, the new email creates a new envelope. That means we won't be able to see the old header,
ChatGPT is going to make you fail hehe... if you review the headers of the "forwarded" email, you are going to look at the details of the forwarded email, not the malicious email.
I think B is a bit of a trick as reviewing the "forwarded" email headers would not provide accurate details of the original path. (unless it is forwarded as an attachment with the original email)
Chat GPT picked B until I pointed out that it was a forwarded email. Great catch — yes, the fact that it’s a forwarded email does matter and can change how useful the headers are.
The two best options for determining the legitimacy of a suspicious email are:
Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level (A) – These scores help determine if an email is likely spam or phishing based on predefined filters and reports.
Examine the SPF, DKIM, and DMARC fields from the original email (F) – These authentication mechanisms verify whether the email was sent from an authorized source and ensure its integrity.
Threat Analyst here. AF is correct. We are talking about a forwarded email. When my team gets a spearphishing email we ALWAYS ask for the original email to be saved and sent to us so we can look at the headers. Forwarded emails will not have that information.
I think the key here is the assumption of a forwarded email. Forwarded email headers already cannot be useful for analysis, and still you have to focus on addressing the question. A is a general, direct answer of the question, while B is operating on assumptions not addressed in the question.
Correct Answers: B. Review the headers from the forwarded email F. Examine the SPF, DKIM, and DMARC fields from the original email
Analysis:
Review the headers from the forwarded email (B): Email headers contain important metadata, such as the sender’s IP address, email servers involved, and the path taken by the email. Reviewing headers helps in identifying spoofed addresses and abnormal routing paths.
Examine the SPF, DKIM, and DMARC fields from the original email (F): These fields help validate the authenticity of the email. SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) are email authentication protocols used to verify that the email was indeed sent from the claimed domain and was not altered in transit.
Guys, as SOC analysts we review the headers and, knowing how CompTIA says things unclearly, I think the "Forwarded" email refers to the "Forwarding Email IOC" where, according to the CompTIA Study Guide provided by Dion Training: Forwarding
▪ When a phishing email is formatted to appear as if it has come as part of a reply or forward chain
So, I'm going with BF
The answer is B,F. While the forwarded email may not include the complete set of original headers, it often includes headers indicating the path the email took from the sender to the recipient. These headers can still provide insights into the email's origin, intermediate servers it passed through, and other relevant information for assessing its legitimacy and security implications.
E. Evaluate the HELO or EHLO string of the connecting email server: The HELO or EHLO string is part of the SMTP (Simple Mail Transfer Protocol) session initiation and can provide information about the email server that initiated the connection. By examining this string, the analyst can determine if the server is a known or expected sender, which can be a critical factor in assessing the email’s legitimacy.
F. Examine the SPF, DKIM, and DMARC fields from the original email: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are email authentication methods that help prevent email spoofing. Analyzing these fields in the email header can help the analyst determine if the email genuinely originated from the stated domain or if it’s a spoofed email.
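Worked example, added here and not taken from any commenter, from CompTIA or from ExamTopics: a small Python triage script over two constructed messages that shows the point the thread keeps returning to. An inline forward carries only the forwarding hop's Received and Authentication-Results headers, so the SPF, DKIM and DMARC verdicts describe the employee's own mail server, not the suspicious sender, while a forward "as attachment" (a message/rfc822 part) preserves the original headers and their verdicts. Only the standard-library `email` package is used; every hostname, address, IP and verdict below is made up.

```python
"""Added example (not code from the thread, CompTIA or ExamTopics): triage the
authentication evidence in a reported email and show why an inline forward
is not enough. All messages, hosts, addresses, IPs and verdicts below are
constructed samples."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample 1: the suspicious message as our MX delivered it to Alice.
# Our MX stamped Authentication-Results for the hop it actually evaluated.
ORIGINAL = """\
Received: from mail.example-sender.test (mail.example-sender.test [203.0.113.5])
\tby mx.victim.test with ESMTPS id abc123
\tfor <alice@victim.test>; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.victim.test;
\tspf=fail (sender IP is 203.0.113.5) smtp.mailfrom=example-sender.test;
\tdkim=none;
\tdmarc=fail (p=REJECT) header.from=bank.test
From: "Bank Support" <support@bank.test>
To: alice@victim.test
Subject: Urgent: verify your account
Message-ID: <orig-1@example-sender.test>

Please click the link.
"""

# Constructed sample 2: Alice forwards it inline to the SOC mailbox. The only
# headers present now describe Alice's own hop through the internal server.
FORWARDED = """\
Received: from mail.victim.test (mail.victim.test [198.51.100.2])
\tby mx.victim.test with ESMTPS id def456
\tfor <soc@victim.test>; Mon, 01 Jan 2024 10:05:00 +0000
Authentication-Results: mx.victim.test;
\tspf=pass smtp.mailfrom=victim.test;
\tdkim=pass header.d=victim.test;
\tdmarc=pass header.from=victim.test
From: alice@victim.test
To: soc@victim.test
Subject: FW: Urgent: verify your account
Message-ID: <fwd-1@victim.test>

---------- Forwarded message ----------
From: "Bank Support" <support@bank.test>
Please click the link.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def auth_results(raw):
    """Map spf/dkim/dmarc to their verdicts from the topmost
    Authentication-Results header (the one our own MX added; copies further
    down the header block could have been planted by the sender)."""
    msg = email.message_from_string(raw, policy=policy.default)
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1): m.group(2).lower() for m in AUTH_RE.finditer(header)}


def received_hops(raw):
    """Hostnames from the 'from' clause of each Received header, newest first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", str(hdr).strip())
        hops.append(m.group(1) if m else "?")
    return hops


def triage(raw):
    """Summarise what this message's own headers can tell an analyst."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(raw)
    return {
        "header_from_domain": msg["From"].addresses[0].domain,
        "auth": auth,
        "hops": received_hops(raw),
        "dmarc_pass": auth.get("dmarc") == "pass",
    }


def forward_as_attachment(original_raw):
    """Build what a client sends when the user forwards 'as attachment':
    the original travels intact as a message/rfc822 part."""
    outer = EmailMessage()
    outer["From"] = "alice@victim.test"
    outer["To"] = "soc@victim.test"
    outer["Subject"] = "Suspicious mail (original attached)"
    outer.set_content("Original attached as requested.")
    outer.add_attachment(email.message_from_string(original_raw, policy=policy.default))
    return outer.as_string()


def extract_attached_original(raw):
    """Return the attached original as raw text, or None for an inline forward."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0).as_string()
    return None


if __name__ == "__main__":
    print("original:", triage(ORIGINAL))
    print("inline forward:", triage(FORWARDED))  # verdicts describe Alice's hop only
    attached = extract_attached_original(forward_as_attachment(ORIGINAL))
    print("recovered from attachment:", triage(attached))  # original verdicts again
```

Running it, the inline forward reports `dmarc=pass` for `victim.test` with a single internal hop, which says nothing about `bank.test`; only the message recovered from the rfc822 attachment reproduces the original `spf=fail`, `dkim=none`, `dmarc=fail` verdicts and the external sending host. That is the practical reason to ask reporters for the original (or an "as attachment" forward) rather than an inline forward.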