TryHackMe Phishing Emails Module 1 Walkthrough

The TryHackMe Phishing Emails Module 1 is a free room available at


Task 1 Question: No Answer Needed

The Email Address

The invention of email dates back to the 1970’s for ARPANET –

Task 2 Question: Email dates back to what time frame?

Task 2 Answer: 1970s

Email Delivery

Task 3 Question 1: What port is classified as Secure Transport for SMTP?

Task 3 Answer 1: 465 – For more information –,upgrade%20the%20connection%20through%20TLS.

Task 3 Question 2: What port is classified as Secure Transport for IMAP?

Task 3 Answer 2: 993 – For more information –,to%20use%20these%20secure%20ports.

Task 3 Question 3: What port is classified as Secure Transport for POP3?

Task 3 Answer 3: 995 – For more information:,and%20works%20over%20TLS%2FSSL.

Email Headers

Task 4 Question 1: What email header is the same as “Reply-to”?

Task 4 Answer 1: Return-Path – For more information:,separate%20from%20your%20sending%20address.

Task 4 Question 2: Once you find the email sender’s IP address, where can you retrieve more information about the IP?

Task 4 Answer 2:

Email Body

Task 5 Question 1: In the above screenshots, what is the URI of the blocked image?

Task 5 Answer 1: – Look for a URL which include .png in the URL in the snippet of HTML code

Task 5 Question 2: In the above screenshots, what is the name of the PDF attachment?

Task 5 Answer 2: Payment-updateid.pdf – In the screenshot look for Content-Type application /pdf

Task 5 Question 3:
In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?

Task 5 Answer 3: THM{BENIGN_PDF_ATTACHMENT} – Use CyberChef ( with the Input of the text and use From Base64 as the Recipe.

Types of Phising

Open up the email using Thunderbird to find the answers

Task 6 Question 1: What trusted entity is this email masquerading as?

Task 6 Answer 1: Home Depot

Task 6 Question 2: What is the sender’s email?

Task 6 Answer 2:

Task 6 Question 3: What is the subject line? 

Task 6 Answer 3: Order Placed : Your Order ID OD2321657089291 Placed Successfully

Task 6 Question 4: What is the URL link for – CLICK HERE? (Enter the defanged URL)

Task 6 Answer 4: hxxp[://]t[.]teckbe[.]com/p/?j3=EOowFcEwFHl6EOAyFcoUFV=TVEchwFHlUFOo6lVTTDcATE7oUE7AUET==

Replace each t with x and replace . with [.] to defang the url


Task 7 Question 1: What is BEC?

Task 7 Answer 1: Business Email Compromise