A security analyst must review a suspicious email to determine its legitimacy. Which of the following should be performed? (Choose two.)
To determine the legitimacy of a suspicious email, the security analyst should evaluate scoring fields and examine authentication protocols. Evaluating scoring fields, such as Spam Confidence Level and Bulk Complaint Level, helps to identify the likelihood that the email is spam based on accumulated data from other users and algorithms, thus providing a quick assessment of its legitimacy. Additionally, examining the SPF, DKIM, and DMARC fields from the original email is critical as these mechanisms are designed to authenticate the sender's domain and prevent email spoofing, offering a strong indication of whether the email is genuinely from the claimed sender.
Correct: Review the headers from the forwarded email: Examining the email headers can provide crucial information about the email's source, path, and any intermediaries it went through. This information can help identify signs of spoofing or suspicious behavior. Examine the SPF, DKIM, and DMARC fields from the original email: These three mechanisms (Sender Policy Framework - SPF, DomainKeys Identified Mail - DKIM, and Domain-based Message Authentication, Reporting, and Conformance - DMARC) are used to authenticate the sender's domain and reduce the likelihood of email spoofing. Checking these fields can provide insights into the authenticity of the email.
I think B is a bit of a trick as reviewing the "forwarded" email headers would not provide accurate details of the original path. (unless it is forwarded as an attachment with the original email)
If you are 'lucky' enough to be one of the first to be attacked by a phishing campaign, scoring will tell you nothing, unfortunately.
A and F. F for sure. SPF (Sender Protection Framework), DKIM, and DMARC are your best ways to determine if an email is genuine or not. Hardest to spoof. That leaves A and B as the other viable options. I choose A since headers can be modified, especially when forwarding.
Tough one. I really, really liked B, except for the fact that forwarded emails no longer contain the headers of the original sender. The headers are replaced with the forwarder's info. Gonna have to go AF for this one.
As someone who works in the SOC, we take a look at "BF" first.
You don't review the forwarded email but the email sent to you as an attachment, so B is wrong.
Very nicely caught. The answer fooled me too. The header from the forwarded email would not contribute to the analysis.
Vote for AF. Why not B? According to CompTIA, forwarded emails don't include original headers.
Guys, as a SOC analyst we review the headers, and knowing how unclearly CompTIA says things, I think the "forwarded" email refers to the "Forwarding" email IoC where, according to the CompTIA Study Guide provided by Dion Training: "Forwarding: When a phishing email is formatted to appear as if it has come as part of a reply or forward chain." So, I'm going with BF.
I vote BF because scoring may vary especially for newly emerging threats or zero-days.
After reviewing the question, I believe the correct answers would be A and F. F without any doubt. Regarding answer A, the BCL value is added to the message in an X-header and is similar to the spam confidence level (SCL) that's used to identify messages as spam, and the Spam Confidence Level (SCL) is a value from 0 to 9 assigned to a message that indicates the likelihood that the message is spam.
B. Review the headers from the forwarded email; F. Examine the SPF, DKIM, and DMARC fields from the original email.
The answer is B,F. While the forwarded email may not include the complete set of original headers, it often includes headers indicating the path the email took from the sender to the recipient. These headers can still provide insights into the email's origin, intermediate servers it passed through, and other relevant information for assessing its legitimacy and security implications.
E. Evaluate the HELO or EHLO string of the connecting email server: The HELO or EHLO string is part of the SMTP (Simple Mail Transfer Protocol) session initiation and can provide information about the email server that initiated the connection. By examining this string, the analyst can determine if the server is a known or expected sender, which can be a critical factor in assessing the email’s legitimacy. F. Examine the SPF, DKIM, and DMARC fields from the original email: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are email authentication methods that help prevent email spoofing. Analyzing these fields in the email header can help the analyst determine if the email genuinely originated from the stated domain or if it’s a spoofed email.
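The two checks the thread keeps coming back to (the SPF/DKIM/DMARC verdicts in Authentication-Results and the SCL scoring header) only work on the original message's headers, which is the point several posters make about forwarded mail. The following is an added example, not part of the thread or any CompTIA material: it pulls the original out of a message forwarded as an attachment (message/rfc822) and triages it. All header values are constructed; the Authentication-Results layout follows RFC 8601 and the SCL header is the Exchange Online X-header named in the thread.

```python
import email
from email import policy

# Constructed sample (not from the thread): the suspicious email was forwarded to the SOC
# as an attachment (message/rfc822), so the original headers survive intact.
RAW = b"""From: alice@example.test
Subject: FW: Urgent invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from mail.sender.test ([203.0.113.5]) by mx.example.test
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=sender.test; dkim=none; dmarc=fail header.from=bank.test
X-MS-Exchange-Organization-SCL: 7
From: billing@bank.test
Subject: Urgent invoice

Pay now.
--b1--
"""

def original_message(raw):
    """Return the attached original when forwarded as message/rfc822, else the outer
    message, whose headers only describe the forwarding hop (the thread's objection to B)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)  # payload is a one-element list holding the message
    return msg

def auth_results(msg):
    """Map mechanism -> verdict from Authentication-Results (RFC 8601), e.g. {'spf': 'fail'}."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
            fields = clause.strip().split()
            if fields and "=" in fields[0]:
                mech, result = fields[0].split("=", 1)
                verdicts[mech.lower()] = result.lower()
    return verdicts

def triage(raw):
    """Combine the authentication verdicts with the SCL scoring header into one record."""
    orig = original_message(raw)
    auth = auth_results(orig)
    scl = orig.get("X-MS-Exchange-Organization-SCL")
    # Anything other than an explicit pass (including a missing result) needs a look.
    return {"auth": auth, "scl": int(scl) if scl is not None else None,
            "needs_review": any(auth.get(m) != "pass" for m in ("spf", "dkim", "dmarc"))}
```

Run against an inline forward (no message/rfc822 part) the same code returns an empty verdict map, which is exactly why the original must be supplied as an attachment or as raw headers.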
B&F imo.
Review the headers from the forwarded email: Headers from a forwarded email can sometimes be altered or incomplete, making them less reliable for analysis.