Malicious Intent 001: Introducing the Series
What Is Malicious Intent?
Over the years I've accumulated a collection of domains and email addresses — some for business, some for projects, some just parked. And every day, those inboxes fill up with exactly what you'd expect: spam, phishing attempts, credential-harvesting lures, and the occasional piece of sophisticated malware delivered by someone who clearly spent time on it.
Most people delete this stuff immediately. Reasonable response. But as a penetration tester, I can't help but look at these as free intelligence. Every phishing kit reveals something about attacker infrastructure. Every malicious link traces back to a hosting provider, a domain registered three days ago, or a compromised legitimate site. Every malware sample has a command-and-control address and a payload designed for a specific goal.
The Malicious Intent series documents and analyzes specific parts of the large amount of spam and malware I receive on a variety of domains and email addresses — revealing the methods and techniques being used to trick people out of money or into handing over access to their machines.
The Approach
Each post in this series follows a piece of malicious content from initial receipt through complete analysis. Depending on what arrives, that might involve:
- Responding to phishing attempts — Sometimes I engage with the people behind a phishing campaign to see how the social engineering develops, what information they're fishing for, and how they react when the target starts asking questions.
- Following malicious links — In isolated sandbox environments, I follow the links in phishing emails to document the credential-harvesting infrastructure, redirect chains, and landing pages attackers are using.
- Analyzing attachments — Malicious attachments get opened in controlled environments. What does the macro do? Where does it call home? What does it try to install or exfiltrate?
- Mapping infrastructure — Following the thread from a single phishing email back to the hosting provider, the registrar, the bulletproof hoster, or the legitimate site that got compromised and co-opted.
What to Expect in Each Post
Every post will show the original content (redacted where necessary to avoid amplifying attacker infrastructure), walk through the analysis step by step, and close with practical defensive takeaways. The goal isn't academic — it's to show what real attacks look like so you can recognize them when they arrive in your own inbox.
You'll see raw email headers, decoded payloads, HTTP traffic captures, and infrastructure lookups. For example, a typical phishing email header analysis might start with something like this:
Received: from mail.suspiciousdomain.xyz (unknown [185.220.101.42])
    by mx.virtuscybersecurity.com with ESMTP id a1b2c3d4
    for <catchall@virtuscybersecurity.com>
From: "PayPal Security" <security@paypal-verification-center.xyz>
Subject: Your account has been limited - Immediate action required
X-Mailer: The Bat! 9.3
Message-ID: <20260328142301.2a3b4c5d@paypal-verification-center.xyz>
The X-Mailer header alone tells you something interesting — The Bat! is a Windows email client popular in Eastern Europe. The sending IP traces to a Tor exit node. The domain was registered 48 hours before this email was sent, using privacy-protected registration through a Seychelles-based registrar. Three data points, and you already have a picture of the operational security practices of whoever sent this.
Why This Matters for Defenders
Security training often teaches people to look for obvious red flags — misspelled words, strange sender addresses, urgent language. Those are real indicators, but they're also the low-hanging fruit that modern attackers have largely eliminated. The phishing kits being sold on Telegram today produce near-perfect replicas of legitimate bank portals, complete with valid TLS certificates and realistic domain names.
Understanding what the current generation of attacks actually looks like — not from a conference presentation, but from a live sample that landed in a real inbox — is what closes the gap between generic security awareness and the ability to actually recognize a threat in the wild.
Up Next: Jeepers Creepers
The first full analysis post covers a particularly persistent phishing campaign that kept appearing in a catchall inbox over several weeks — adapting its lures, rotating infrastructure, and eventually delivering something interesting enough to warrant a deeper look. Post 001 proper is coming soon.
If you find something in your own inbox that looks interesting and want a second opinion, reach out at jon@virtuscybersecurity.com.