Email & Fraud — Investigation Reference.
Triage workflow for a suspicious email (header reasoning, detonation, URL pivot) and the investigative routes for transaction fraud across account, device, and payment dimensions.
Email triage workflow
- Pull original .eml. Forwarded copies lose headers. Ask user to "send as attachment" or pull from journaling.
- Header reasoning.
- Return-Path vs From mismatch = display-name spoofing.
- Authentication-Results: spf=pass dkim=pass dmarc=pass ideally; dmarc=fail = unauthorized sender for the From domain even if SPF/DKIM individually pass (alignment failure).
- Received: chain read bottom-up (each MTA prepends its own header). First hop = actual sender IP. ASN of first hop tells you origin context.
- Message-ID format often product-specific. Mismatched format + claimed sender = forged.
- URL pivot — characterize without tipping the operator.
- Submit to urlscan.io, VirusTotal — these may notify operator. Use private modes if available.
- Pull via Tor or rotating residential proxy to avoid attacker's IP allow-list / one-time-use logic.
- Curl with non-standard UA first; many landing pages serve different content per UA to hide from sandboxes.
- Attachment detonation. Cuckoo / Hybrid Analysis / disposable VM. Office docs: oletools (olevba, oleid) for macros without executing.
- Victim impact assessment. Did anyone click? Get-MessageTrace in Exchange Online or equivalent. URL click recorded by Safe Links if enabled. Credential entered = account-takeover protocol activates.
- Containment. Org-wide quarantine via Exchange / Workspace transport rule using subject + sender pattern. Block URL at proxy + DNS sinkhole.
Fraud — account dimension
- Login history. New geo, new device, impossible-travel (login from country A at 10:00, country B at 10:05).
- Auth-method changes. 2FA disabled, password changed, recovery email/phone changed — all in short window = takeover signal.
- Behavior baseline drift. Action mix (only viewed before, now bulk-exports), session length, time-of-day pattern.
- Account-friend / referral abuse. Sudden new accounts created from this IP that all received a referral bonus from each other.
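Two of the account-dimension signals above, impossible travel and clustered auth-method changes, worked as an added Python example that is not part of this reference. The login coordinates and event timeline are constructed, and the 1000 km/h plausibility ceiling and one-hour change window are assumptions to tune against your own telemetry.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0                # assumption: roughly airliner speed
AUTH_CHANGE_WINDOW = timedelta(hours=1)   # assumption: the "short window" for takeover
SENSITIVE_CHANGES = {"2fa_disabled", "password_changed",
                     "recovery_email_changed", "recovery_phone_changed"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """logins: time-ordered list of (timestamp, lat, lon, label).
    Returns one record per consecutive pair whose implied speed exceeds max_kmh."""
    flags = []
    for prev, cur in zip(logins, logins[1:]):
        km = haversine_km(prev[1], prev[2], cur[1], cur[2])
        hours = (cur[0] - prev[0]).total_seconds() / 3600.0
        speed = km / hours if hours > 0 else float("inf")   # same-second hops count as infinite
        if km > 0 and speed > max_kmh:
            flags.append({"from": prev[3], "to": cur[3], "km": round(km),
                          "minutes": round(hours * 60), "kmh": round(speed)})
    return flags


def auth_change_cluster(events, window=AUTH_CHANGE_WINDOW, min_kinds=2):
    """events: list of (timestamp, event_kind). Returns the largest set of distinct
    sensitive changes that fall inside any single window, or an empty set when
    fewer than min_kinds co-occur."""
    sensitive = sorted((t, k) for t, k in events if k in SENSITIVE_CHANGES)
    best = set()
    for i, (t0, _) in enumerate(sensitive):
        kinds = {k for t, k in sensitive[i:] if t - t0 <= window}
        if len(kinds) > len(best):
            best = kinds
    return best if len(best) >= min_kinds else set()


def sample_logins():
    """Constructed login history: Berlin twice, then Sydney five minutes later."""
    t = datetime(2024, 1, 1, 10, 0)
    return [
        (t - timedelta(hours=2), 52.520, 13.405, "Berlin 08:00"),
        (t, 52.520, 13.405, "Berlin 10:00"),
        (t + timedelta(minutes=5), -33.868, 151.209, "Sydney 10:05"),
    ]


def sample_events():
    """Constructed account events: three sensitive changes inside twenty minutes."""
    t = datetime(2024, 1, 1, 10, 5)
    return [
        (t - timedelta(hours=3), "viewed_statement"),
        (t, "2fa_disabled"),
        (t + timedelta(minutes=2), "password_changed"),
        (t + timedelta(minutes=15), "recovery_email_changed"),
        (t + timedelta(days=2), "password_changed"),
    ]


if __name__ == "__main__":
    print(impossible_travel(sample_logins()))
    print(sorted(auth_change_cluster(sample_events())))
```

The travel check only compares consecutive logins, so a user who alternates between two legitimate locations over days never trips it; the change-cluster check asks for distinct kinds of change, so a user who changes a password three times in an hour is noise, while 2FA off plus password plus recovery address in one window is the pattern the reference calls a takeover signal.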
Fraud — device dimension
- Device fingerprint continuity. Same canvas hash, audio context, font list, WebGL params = same browser. Sudden major changes mid-session = session hijack or new device.
- Geolocation consistency. IP geo + browser timezone + OS locale should align. Accept-Language: en-US + IP in Russia + timezone +03:00 = suspicious.
- Browser-attribute drift. User-Agent claims Windows 10 but JS detects macOS — bot/proxy.
- TLS fingerprint (JA3/JA4). Most legit clients produce a small set of fingerprints. New JA4 from a known user account = different software talking.
Fraud — payment dimension
- Velocity. N transactions per minute exceeding baseline. Per-user, per-card, per-IP, per-shipping-address.
- BIN abuse. Card BIN from country mismatched to claimed billing address.
- Shipping abuse. Same shipping address across many accounts; reshipper-known address.
- 3DS abuse. Forced-frictionless transactions (merchant accepts despite 3DS challenge failure).
- Processor signals. Stripe Radar, Adyen RevenueProtect emit risk scores. Treat as input, not as truth.
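The velocity check above, as an added Python example that is not from this reference: a sliding-window counter keyed on user, card, IP and shipping address at the same time, so a single transaction can trip several dimensions at once (the reshipper pattern shows up on the shipping-address key, card testing on the card key). The one-minute window, the per-dimension thresholds and the sample transactions are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class VelocityMonitor:
    """Sliding-window transaction counter keyed on several dimensions at once."""

    def __init__(self, window=timedelta(minutes=1), thresholds=None):
        self.window = window
        # assumption: per-dimension ceilings within one window; tune to your baseline
        self.thresholds = thresholds or {"user": 5, "card": 3, "ip": 10, "ship_addr": 3}
        self._events = defaultdict(deque)   # (dimension, value) -> timestamps in window

    def observe(self, txn):
        """Record one transaction (timestamps must arrive in order) and return
        (dimension, value, count) for every dimension now over its threshold."""
        ts = txn["ts"]
        alerts = []
        for dim, limit in self.thresholds.items():
            q = self._events[(dim, txn[dim])]
            q.append(ts)
            while q and ts - q[0] > self.window:   # expire events older than the window
                q.popleft()
            if len(q) > limit:
                alerts.append((dim, txn[dim], len(q)))
        return alerts


def sample_transactions():
    """Constructed stream: one tokenised card reused by four accounts in 30 s,
    then one more use five minutes later."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    return [
        {"ts": base + timedelta(seconds=0),  "user": "u1", "card": "tok_A", "ip": "198.51.100.5", "ship_addr": "addr_1"},
        {"ts": base + timedelta(seconds=10), "user": "u2", "card": "tok_A", "ip": "198.51.100.6", "ship_addr": "addr_2"},
        {"ts": base + timedelta(seconds=20), "user": "u3", "card": "tok_A", "ip": "198.51.100.7", "ship_addr": "addr_3"},
        {"ts": base + timedelta(seconds=30), "user": "u4", "card": "tok_A", "ip": "198.51.100.8", "ship_addr": "addr_4"},
        {"ts": base + timedelta(minutes=5),  "user": "u5", "card": "tok_A", "ip": "198.51.100.9", "ship_addr": "addr_5"},
    ]


def run_sample():
    """Return the alert list produced by each sample transaction in turn."""
    monitor = VelocityMonitor()
    return [monitor.observe(txn) for txn in sample_transactions()]


if __name__ == "__main__":
    for txn, alerts in zip(sample_transactions(), run_sample()):
        print(txn["ts"].time(), txn["user"], alerts or "ok")
```

Key on a card token rather than the PAN so the monitor never holds card numbers, and treat its output the way the reference treats processor risk scores: as one input to the decision, not the decision itself.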
Rule of thumb
For email cases, the single most useful triage signal is the Authentication-Results header combined with the first-hop IP's ASN. For fraud cases, the single most useful signal is the JA4 TLS fingerprint joined to the account history. Train your triage muscle on those two.