To provide some specifics around the difficulty and the necessity of
evaluating based on origination data, I am providing three lightly-redacted
examples.
Example 1:
==========
This is one of three attacks received from the same source on the same day.
Common Features:
- Each message impersonated a different victim domain.
- Each message also used an impersonated reply-to address from a different
domain.
- The message flows from the attacker at 88.214.21.123 to outlook.com to me.
- The MailFrom and From address match exactly, and the MailFrom address is
not altered during transit.
- The message takes only 3 hops through outlook.com, and none of the hops
are received by *.office365.com, so my impression is that this is an
initial impersonation, not a malicious forward. Certainty on this point
is not required.
- Each message produces SPF PASS when I receive it, based on a policy of
"v=spf1 include:spf.protection.outlook.com -all"
- Each message is a fraudulent invoice from a non-existent company. There
is no visible connection between the fake invoice company and the real
company being impersonated.
Differences:
- The provided example had a DKIM-Signature for the domain's *.
onmmicrosoft.com account. The other two messages, which are not
shown, had no signature. I do not know why a signature was not applied.
Evaluating identity using origination data:
===========================================
Because of ARC Sets and other authentication data, the initial value of the
MailFrom address is not in doubt, and is unchanged in transit.
To detect the attack, the evaluator must note the SPF failure on the
orignal relay from 88.214.21.123.
Outlook.com provides authentication results three different ways
(Received-SPF, X-MS-Exchange-Authentication-Results, and
ARC-Authentication-Results), so the original MailFrom address is not in
doubt.
If the initial SPF failure is used to send the message to quarantine,
inspection of the message will show that the source IP of 88.214.21.123 is
malicious and should be blocked.
To block the malicious source on future messages, the evaluator must look
past the Source IP used for Helo. Examining the entire Received chain
exposes the malicious Source IP on the initial Received field.
Example 2:
==========
This is a legitimate message from a business partner. Message arrives with
SPF Pass.
Message flow begins with an authenticated client login to Outlook.com,
implied by the initial Received field, which is reported as a loopback
connection from an Outlook.com server to itself using mapi over a private
IP. Outlook.com also asserts spf=pass, dkim=pass, and dmarc=pass, even
though no signature is present. Based on other data, dmarc=pass is applied
in this situation even if the client domain has no dmarc policy.
Outlook.com then adds a DKIM signature.
The message flows from Outlook.com to inkyphishfence.com to outlook.com to
office365.com to outlook.com to me.
When the message returns from inkyphishfence.com to outlook.com, it appears
to be unauthenticated. If the i=1 ARC data is to be believed, it could be
used to ignore the authentication problems at i=2. For whatever reason,
Outlook.com ignores the authentication failure and continues processing.
Outlook.com adds a second DKIM signature, even though the original one is
still verifiable. it also creates ARC set i=3.
An orphaned header field exists, named Authentication-Results-Original.
Presumably, the "-Original" suffix was added by a downstream server. The
field in not in the trace data, and not labelled, so its origins are
uncertain. The results are dkim=none and dmarc=none, which seems
inaccurate at every point of message evaluation. This only serves to
confuse unless it is ignored.
Evaluating identity using origination data:
===========================================
Because of ARC Sets and other authentication data, the initial value of the
MailFrom address is not in doubt, and is unchanged in transit.
Identity can be verified by trusting the ARC set or by noting that the
initial Received entry and corresponding authentication data imply a
message submitted to Outlook.com with an authenticated client.
Example 3:
==========
This is also a legitimate message from a business partner. Message arrives
with SPF PASS, DKIM PASS, DMARC PASS.
As in example 2, the initial Received field and authentication data imply
an authenticated client login. Outlook.com does not add a signature at
this point, or it is added and then later removed by a downstream server.
The message flows from outlook.com to symantec.com to outlook.com to
office365.com to outlook.com to iphmx.com to me.
When the message is relayed from outlook.com to symantec.com, no Received
entry is created. As a result, the first Received entry with a global IP
is the return from Symantec.com to Outlook.com, which fails SPF, DKIM, and
DMARC with p=reject.
Near the top of the trace data, a valid DKIM signature is present.
Although the signature appears before the Received by iphmx.com field, it
was definitely added by iphmx.com. Other data demonstrates that
Outlook.com adds its DKIM signature before adding the ARC set. In this
situation, we know that iphmx.com made changes that invalidated the ARC
Set, so the valid signature had to be added by iphmx.com. Quite possibly,
Outlook.com did add a signature but the iphmx.com server stripped it out
and replaced it with its own, among other changes.
Evaluating identity using origination data:
===========================================
Because of ARC Sets and other authentication data, the initial value of the
MailFrom address is not in doubt, and is unchanged in transit.
When SPF is evaluated based on the Symantec server's global IP, the message
will have SPF=Fail, DKIM=None, and DMARC=fail with reject. If the message
is sent to quarantine, review will indicate that it is legitimate and that
a local policy is need to consider Symantec servers as part of the sender
domain's SPF policy.
X-Envelope-From: user@<victim-domain>.com
Return-Path: <user@<victim-domain>.com>
Received:
from NAM11-DM6-obe.outbound.protection.outlook.com
(mail-dm6nam11hn2214.outbound.protection.outlook.com [52.100.172.214])
by <my server>
with SMTP (version=TLS\Tls12 cipher=Aes256 bits=256);
Fri, 8 Nov 2024 11:22:11 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
b=IApAm44JOh3dpXBu9yjlyHrp0U7/0qx+/m3F1gItMkIrtUJtUG+K+OfmhYety5rAeJMbVknAPKxBe8QXSrqoLEyehPCBKMNfXH9wqwxmrel3A1m96WxKTwxViicfsoxNxq+vO/yaHD4n6pVUqhRwOmSRw8ZSMq5HAszal99LOwaQVQv41/hx4jfa8J+1QcotJxCghNPeROxKntGbwlvpzp0GKOmucVo/HZzmN9KnKeGarGHsVCll6fvfpZWo6qq+LGLNZ6LcDyv0p96MYnunQTcUTHis40MrA7xF4z7fbHCbKRzSwNZB+RNIKnwRUSfo8o3rNhLCoQhztOqYd4//lg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=mpZd00O9E7YwX++Lx2dJXoTKVYe0jbAxRqKcTHJqnSk=;
b=XnNR3f0fCpS+yVVm6Q+AX5UJ9QyDbpBYY97upDAK56bl55l3s9j2TlGRyIg2RwTVblLi6UWwgHjeUwTl+LDIH1JF3tWz6kwl2/x8nsxweB4i8K+aAprjJWcag3uWYjBeLJ1Hh8F7kBJa4QlRFtQcBX3nEdCAMZD3Tshi84832gZT0ib+lKfUb7TtX1ZK/3jpqPxQVkimcAwPHWzfQvsAVNqPJgtd/rr9q0TuvAoZ8SR3OdBVSewjLzzlkT4Ym3QGvPjGMwgqyNQXYsWiUjTpDTUdk7XH710pEpDT4zLrZLBASBuJiWu679owHKt0fHogsVsm4ufyrCNYZNIKzKPmWA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;
spf=fail (sender ip is 88.214.21.123) smtp.rcpttodomain=<mydomain>
smtp.mailfrom=<victim-domain>.com;
dmarc=none action=none header.from=<victim-domain>.com;
dkim=none (message not signed);
arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=doscmd.onmicrosoft.com; s=selector2-doscmd-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=mpZd00O9E7YwX++Lx2dJXoTKVYe0jbAxRqKcTHJqnSk=;
b=qAkrSR0rQ6Wh2J8FpmngP+gQZb/rQW22bkL6BxUbKRl3fWxeRVIf/KUJOZr+DmdhbhF5f4oYQJpJ+OZiP+pyzPB2IRuUjo1+SuTYT9ZBB6YY0vaMLE0AvDPf9gmP1k95Zf7ICh2l60wfNmLr+qzA17DNTb0Way3brWLsLOzGcs0=
Received:
from DM6PR02CA0045.namprd02.prod.outlook.com (2603:10b6:5:177::22)
by PH7PR06MB9413.namprd06.prod.outlook.com (2603:10b6:510:2ee::18)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
id 15.20.8137.20;
Fri, 8 Nov 2024 16:22:05 +0000
Received:
from DS3PEPF000099D4.namprd04.prod.outlook.com (2603:10b6:5:177:cafe::e1)
by DM6PR02CA0045.outlook.office365.com (2603:10b6:5:177::22)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
id 15.20.8137.19 via Frontend Transport;
Fri, 8 Nov 2024 16:22:05 +0000
X-MS-Exchange-Authentication-Results:
spf=fail (sender IP is 88.214.21.123) smtp.mailfrom=<victim-domain>.com;
dkim=none (message not signed) header.d=none;
dmarc=none action=none header.from=<victim-domain>.com;
Received-SPF: Fail (protection.outlook.com: domain of <victim-domain>.com does
not designate 88.214.21.123 as permitted sender)
receiver=protection.outlook.com;
client-ip=88.214.21.123; helo=[88.214.21.123];
Received:
from [88.214.21.123] (88.214.21.123)
by DS3PEPF000099D4.mail.protection.outlook.com (10.167.17.5)
with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384)
id 15.20.8137.17 via Frontend Transport;
Fri, 8 Nov 2024 16:22:03 +0000
Reply-To: [email protected]
From: Carol Silberman <brockj349_2@<victim-domain>.com>
To: brockj@<mydomain>
Subject: Invoice 018279 Past-Due
Date: 8 Nov 2024 15:22:01 -0800
Message-ID: <20241108152201.AC5E01902CA7D11B@<victim-domain>.com>
MIME-Version: 1.0
Expires: 08 Nov 2029 15:08:10 -0800
List-Unsubscribe: <mailto:user@<victim-domain>.com>
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
Return-Path: user@<victim-domain>.com
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DS3PEPF000099D4:EE_|PH7PR06MB9413:EE_
X-MS-Office365-Filtering-Correlation-Id: 5dd1a23a-08f4-42da-0625-08dd00117b2c
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam:
BCL:0;ARA:13230040|4022899009|36860700013|61400799027|82310400026|376014|8096899003|3613699012|17130700016;
X-Microsoft-Antispam-Message-Info: <redacted>
X-Forefront-Antispam-Report:
CIP:88.214.21.123;CTRY:DE;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;H:[88.214.21.123];PTR:ErrorRetry;CAT:OSPM;SFS:(13230040)(4022899009)(36860700013)(61400799027)(82310400026)(376014)(8096899003)(3613699012)(17130700016);DIR:OUT;SFP:1501;
X-OriginatorOrg: <victim-domain>.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Nov 2024 16:22:03.3498 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id:
5dd1a23a-08f4-42da-0625-08dd00117b2c
X-MS-Exchange-CrossTenant-Id: 41df11cb-7bc8-45e4-83fc-3337d62ac21f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp:
TenantId=41df11cb-7bc8-45e4-83fc-3337d62ac21f;Ip=[88.214.21.123];Helo=[[88.214.21.123]]
X-MS-Exchange-CrossTenant-AuthSource: DS3PEPF000099D4.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR06MB9413
X-Barracuda-Envelope-From: <senderuser@senderdomain>
Authentication-Results: smtp.<myserver>.<mydomain>; arc=fail
reason="MessageSignatureValidationFailed"
Return-Path: <senderuser@senderdomain>
Received:
from esa.<clientcode>.iphmx.com (esa.<clientcode>.iphmx.com [207.54.86.43])
by <myserver>.<mydomain>
with SMTP (version=TLS\Tls12 cipher=Aes256 bits=256);
Wed, 13 Nov 2024 13:39:20 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=<senderdomain>; i=@<senderdomain>; q=dns/txt; s=Mail;
t=1731523160; x=1763059160;
h=from:to:subject:date:message-id:references:in-reply-to:
mime-version;
bh=m6tDJhJokqpA7mFY3koHNKyOFeQoO08/hMSB4YBLkmY=;
b=eLqFHTM663KsN3vpF4PR0vyeLpOEE9lEAk0rZd49BvNWMaSxj+z8USMg
Gqi52Xr0aMRx+RF3mzyDcagqWYTAbH88YlbLDxyuNmlx4edA9Q9x5awYK
c5ZuOD1FA+gxyRpNqxXPDetE2OCFHKgC1YB7/QjgH6LPprrJbjmJERB/U
0/IJC5URaO0q0AmQKJ1u7fw/CtkXlgiarR2DwmOgyeQI5f6ZWjaI5BAA6
zQucvyRddXBr9QudU/NdnUe13xkkuXvMC/ba9aNVGVHO+mSLkmjb0a73l
Yn6TPu1m2swDPPJQfVY//hpJ0FWanoIS+LnX049IFnvTGUeUbvvWmC/06
A==;
X-CSE-ConnectionGUID: KIVj5d+kREe43ZWGwswVFA==
X-CSE-MsgGUID: 7lbYhWh0RNmkJeKcU67zCg==
X-IronPort-AV: E=Sophos;i="6.12,151,1728964800";
d="png'150?scan'150,208,217,150";a="122213640"
Received:
from mail-mw2nam10lp2042.outbound.protection.outlook.com (HELO
NAM10-MW2-obe.outbound.protection.outlook.com) ([104.47.55.42])
by ob1.<clientcode>.iphmx.com
with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
13 Nov 2024 13:39:19 -0500
ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass;
b=e071VwoEKKQ2XO8nNwgkKIqfffmheYFwqGy47y+bwasMWe5HAOJ654EAhbxOHzMgT44vZnJV0For5zItYGefKuMxP8Xzfns59Tumf+Cf44uegW8+jyarQXBFD38R+5jSytdyVHM/leRGQuqSZU6VzHIIpLzyeY7QzAGTYDvsqCbWbxC9T0DozjNGn1TzX77rT5j39hO9BbO7l91RQGLYFTTgDCQZ7SIuzFniFxlDCoXMBnF0XWFLKuEyEtAOUpY4+gu9mG2IseF+nqJCYfrC12QYdtsY/icdhjSeVC8QkU83WFiG2GefUS86IiNrRDZSsEpoqYqsugqX2iEuWW7fEg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=71eH4aLMeVJNxAGURAPxxz8EFWtSjEI78uiDxQ9ffwE=;
b=x0fErZhuXRCHeoUhISPvxPZnZFXrNRtSdyLmq/K2pHOh16kVIXGFsqMZC7RKzc77dB5xzm5FIXXmZaz37U6DmWyiybETZ82970wDVQnBn+CQiSfYlVGT5w7zeZ9FNLrxmIYEBD2ZVEEjmIreedZ7pFLQXr52P30kAGv32DTFnxK+hyKEFIDathxCNG8oYKCv5ZlGapnr3jmir2wGKELFKxNGwo6ckIKFEtDVsLq4wS32Os7YqM9ybOwn3/VvyF1uY5vWqVm0TdH4nMf6RS4dSHrjR1XrQYoUsPT7ZCHF9dnpXkCXtjKXzN1+tsdD6kUQGCduTtOTBsjQJQ7lgTdrGA==
ARC-Authentication-Results: i=2; mx.microsoft.com 1;
spf=fail (sender ip is 144.49.247.101) smtp.rcpttodomain=<mydomain>
smtp.mailfrom=<senderdomain>;
dmarc=fail (p=reject sp=reject pct=100) action=oreject
header.from=<senderdomain>;
dkim=none (message not signed);
arc=pass (0 oda=1 ltdi=1
spf=[1,1,smtp.mailfrom=<senderdomain>]
dkim=[1,1,header.d=<senderdomain>]
dmarc=[1,1,header.from=<senderdomain>])
Received:
from BN9PR03CA0393.namprd03.prod.outlook.com (2603:10b6:408:111::8)
by IA3PR22MB5878.namprd22.prod.outlook.com (2603:10b6:208:527::12)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
id 15.20.8137.29;
Wed, 13 Nov 2024 18:39:17 +0000
Received:
from BL6PEPF00020E60.namprd04.prod.outlook.com (2603:10b6:408:111:cafe::3a)
by BN9PR03CA0393.outlook.office365.com (2603:10b6:408:111::8)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
id 15.20.8158.17 via Frontend Transport;
Wed, 13 Nov 2024 18:39:17 +0000
X-MS-Exchange-Authentication-Results:
spf=fail (sender IP is 144.49.247.101) smtp.mailfrom=<senderdomain>;
dkim=none (message not signed) header.d=none;
dmarc=fail action=oreject header.from=<senderdomain>;
Received:
from mail.ds.dlp.protect.symantec.com (144.49.247.101)
by BL6PEPF00020E60.mail.protection.outlook.com (10.167.249.21)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
id 15.20.8158.14 via Frontend Transport;
Wed, 13 Nov 2024 18:39:17 +0000
X-CFilter-Loop: Reflected
<COMMENNT: *** relay hop from outlook.com to symantec.com is not shown *** />
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
b=B4Ipo5yFtxHjSmclCajDJViaErvpZIq3FoEl2nt98VN7GXDFNFgMThwSvgo0ZQRtPRF70JwSJ5N76IJP1JwKmzSaMGuRxUgAiQINOn+A9HZT31hkhRI+KoFmTGmQxHI+i2mLTc59vpF40OKu8Cw2ZcMtvYg4jWt6NdPNzqXJ3yp/4HZG7P/b5Rt4lZ8f6MxL0YDayEWyOm9YKUtLZl2D84AmXkPqmYCHQpjoPlybNf5QDkAoC2ROXcLMiKD4WWP3OXZZRd9MXGIIBxDbLWfqh2gBhuQpjoD4W8d8HMNyf3sCBU+pdyfZjIZS90HfdQ1HwWh4gGPQjZ1GcG5zFEFwZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=71eH4aLMeVJNxAGURAPxxz8EFWtSjEI78uiDxQ9ffwE=;
b=uXJ5WefjT9eNbibS6oFWFtQ2vCObkdl8nvi5Gs/p/kliqnS8ktWd5o/G7ShCI2zf28T0nyGPLMkTrnHYS5kZQwarYVLy5Mc7YuH7muiMcBKkLAfblldIrSmFOPuWbQx8Kv1gS6Zco6cnKLS0vcjrtSR+gKy8rcleRp9yuDoZZ/LDusanX4LYEN9GPfJ14Mw0dHICQDPfEhDMsmyD3JUWEsHDBAe2e9o3CjWxrtceba7IZEpH4hD7aZfqstNpfTRj49WFg/xWhSiWznFbpca8q7TOI2ELJHKKt5ZciDkWTYa8R886geCdxCc5B9Es0t/EVt/pIL49K8GFJIqVhiz5Gg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;
spf=pass smtp.mailfrom=<senderdomain>;
dmarc=pass action=none header.from=<senderdomain>;
dkim=pass header.d=<senderdomain>;
arc=none
Received:
from BLAPR22MB2257.namprd22.prod.outlook.com (2603:10b6:208:27d::18)
by CH4PR22MB5703.namprd22.prod.outlook.com (2603:10b6:610:22c::17)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
id 15.20.8137.28;
Wed, 13 Nov 2024 18:39:14 +0000
Received: from BLAPR22MB2257.namprd22.prod.outlook.com
([fe80::6e9f:b1b3:b69c:d132])
by BLAPR22MB2257.namprd22.prod.outlook.com ([fe80::6e9f:b1b3:b69c:d132%6])
with mapi id 15.20.8158.013;
Wed, 13 Nov 2024 18:39:14 +0000
From: FIRST LAST <senderuser@senderdomain>
To: "FIRST LAST" <user2@<mydomain>>, FIRST LAST <user2@mydomain>
Subject: RE: <redacted>
Thread-Topic: <redacted>
Thread-Index: AQHbNeylbkAOa/B9PUmHcQysaK1VSLK1inLw
Date: Wed, 13 Nov 2024 18:39:14 +0000
Message-ID:
<blapr22mb225799d88e8109c05038dafed8...@blapr22mb2257.namprd22.prod.outlook.com>
References: <c485e724daaf4e5eaef38289239dc308@cc06e894cd5742ef8f27b6906bd5c7d4>
In-Reply-To: <c485e724daaf4e5eaef38289239dc308@cc06e894cd5742ef8f27b6906bd5c7d4>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Authentication-Results-Original:
dkim=none (message not signed) header.d=none;
dmarc=none action=none header.from=<senderdomain>;
x-ms-traffictypediagnostic:
BLAPR22MB2257:EE_|CH4PR22MB5703:EE_|BL6PEPF00020E60:EE_|IA3PR22MB5878:EE_
X-MS-Office365-Filtering-Correlation-Id: bcba9827-2361-4a7c-18a6-08dd04127abf
X-DetectorID-Processed: 9b95e8c8-8c12-11eb-9ba9-36296fca5712
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted:
BCL:0;ARA:13230040|366016|1800799024|376014|8096899003|38070700018;
X-Microsoft-Antispam-Message-Info-Original: <redacted>
X-Forefront-Antispam-Report-Untrusted:
CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BLAPR22MB2257.namprd22.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(8096899003)(38070700018);DIR:OUT;SFP:1101;
Content-Type: multipart/related;
boundary="_004_BLAPR22MB225799D88E8109C05038DAFED85A2BLAPR22MB2257namp_";
type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH4PR22MB5703
Return-Path: <senderuser>@<senderdomain>
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
BL6PEPF00020E60.namprd04.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs:
4b679cb4-e3b9-4d8f-ded3-08dd04127946
X-Microsoft-Antispam:
BCL:0;ARA:13230040|36860700013|1800799024|14060799003|376014|35042699022|82310400026|4076899003|8096899003;
X-Microsoft-Antispam-Message-Info: <redacted>
X-Forefront-Antispam-Report:
CIP:144.49.247.101;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.ds.dlp.protect.symantec.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(36860700013)(1800799024)(14060799003)(376014)(35042699022)(82310400026)(4076899003)(8096899003);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0:
V+vycqlyN1HKpL+QMk1vQjNb5z2aDsvjlrW9Yl/ib03cZbJT4H6ID+z69ijVf1K5hmcn5peDQ4hZiqPSgsFTuCWtpjO8wbWB6KwgNRd/QpvN+j3jc6w7lM2tU/41aaiqVjYsBfpmOOyZ3pDv9dwKDiOTZzOE3LE/Hv9mZIjlDIx0nlbAw/y0CtLSI+bDF4TBbBdFPQMY1mtpvboR4NBZ2u+M3pRABp3L8jk7tHdITmx874pTCGavT0efV76cNsmw6p3cSgNegN9+0NvA9vwK3250xsUJcF44QIUZwTgo5WTROcGrGGU1ps7xbBuE10sfPv0pxUgO+/v5rCAycutzMyeOVOfeoQQAf/bWBPDWQsGuHgN18oWinQftYOmvy1JCSIppK/T+Nxwt+s5oDqaAifFQgmww9hzbwIpGbUTReA3rM3A3c5vxABAK8YpEG43Lq4K4Vv5UOmgmLklF50z8NSw66fNBK2tHLhl8RuNAL8F0Dyfey1cIvbiXwH8cE1RM2eHKg3nv/pExYmcolcdlSwsaz+2rAVtoPNENbt07AQ3X8hkVf9x22Je9fF6QCwHCYjEWWd53H4zgyf1J23o2YHIPiX/9RlSZo7zTbFCpMro=
X-OriginatorOrg: <senderdomain>
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Nov 2024 18:39:17.0182 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id:
bcba9827-2361-4a7c-18a6-08dd04127abf
X-MS-Exchange-CrossTenant-Id: 018402d8-1aee-421c-8768-e93413f2d9b8
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp:
TenantId=018402d8-1aee-421c-8768-e93413f2d9b8;Ip=[144.49.247.101];Helo=[mail.ds.dlp.protect.symantec.com]
X-MS-Exchange-CrossTenant-AuthSource: BL6PEPF00020E60.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA3PR22MB5878
Authentication-Results: smtp.<myserver>.<mydomain>; arc=pass
Return-Path: <user@senderdomain>
Received:
from NAM04-DM6-obe.outbound.protection.outlook.com
(mail-dm6nam04on2119.outbound.protection.outlook.com [40.107.102.119])
by <myserver>.<mydomain>
with SMTP (version=TLS\Tls12 cipher=Aes256 bits=256);
Mon, 11 Nov 2024 12:37:10 -0500
ARC-Seal: i=3; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass;
b=A8ylAXZ07B3UppM5jTNcyTrCLdGK1z/PopZBZvZd6KYE93rT8veGtfNzdRqTaEJDahzWgcah7jJXQCyuiRknenY2Hwq4Ee5jvPCuj/lNb9ptbmkWwbMMJ2f9jqPpoQJgM0U/Wv15FgIMRLvqNMwc8sJqebigVCa5WLFTCcwy3Y2dBkt+Icdb8fZmzSv7w00FnrStz9QnEzYhZPz1KBARwb4rBd4w7MiHrV9hpL2XMnsyh9AJ2Y8EJ+aJ+Zqj9EWGj6k4FH/clFK3cj9B+VhFZiw4Ww4fl5DYcywg4dB/oT0myTKbRW9vsX13kDU8wvrJaOf4t7/lYv/WZBIACiPmvg==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=DdCW90ojW5LyzPz9rFk+Dsqm9IAqsfWbD6kyOqjA2Us=;
b=xkskOr4T0hn6nUmv4C5gLmWXl6u+gcAkK9NUEgplpXk+yzClOp5QqRoQIQ65BNEnRBgznTXauyxoGTcsrnXmVKBuWa7YpdVvHEmjPq6MrOKty4dXLEDRDA3KWpVQm+tVU9NHzHIO6mNLuJ47839n0+HFLEyqVh/tvn8OEa+I9lPf3TicyNmpBRDlRFnrRnwNGS/kTOX0YK0b+08EqhFTmgMFfknjmOgvgJe3/+mobCzwfKNCpkxgNrVMx69dwWYMDXLrcfSEOAzDfjr9dLt202AEYoskhViGBpnOwu3TXKJKTvMWhDLRTyUHcusFKgvmbU8JYVjS6IykVTCZxKbInQ==
ARC-Authentication-Results: i=3; mx.microsoft.com 1;
spf=fail (sender ip is 44.224.15.38) smtp.rcpttodomain=<mydomain>
smtp.mailfrom=<senderdomain>;
dmarc=pass (p=quarantine sp=quarantine pct=100) action=none
header.from=<senderdomain>;
dkim=pass (signature was verified) header.d=<senderdomain>;
arc=pass (0 oda=0 ltdi=0 93)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=<senderdomain>;
s=selector2;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=DdCW90ojW5LyzPz9rFk+Dsqm9IAqsfWbD6kyOqjA2Us=;
b=sSvmT5MkPVIvX3bNt3F/kPvD88TFmZBREHEuQ4BGSiMoRvwZjoM4+RnNIFXcyYOtPxe2QEWmy5QSdkIDYVwv1yE0Jw8GYD6E2s92bi5wwmVsjuqW479XSOeeGeQi/AhC0mWFQ4xy6bbxYU76I6vLO5C9dDvLUoe1/6GnUiddJ/YMl5m99Oby6avra3DM6aAlmUxnH3jDKJ6dzr9npqgQju5SfBhGZjKxPcGLLgL76ZD7ngsxEsCliDzJiOYd8oLT4NZ7APyvWe87yJbWau1AGwGHaHm+xoM77cnP4uEj9z3yapkOeDCkGJp2h0yEDHZAOmlVIXPg7vrFQU7UN8ORYg==
Received:
from SA9PR13CA0130.namprd13.prod.outlook.com (2603:10b6:806:27::15)
by SA1PR08MB9744.namprd08.prod.outlook.com (2603:10b6:806:3cb::8)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
id 15.20.8137.25;
Mon, 11 Nov 2024 17:37:07 +0000
Received:
from SA2PEPF000015CB.namprd03.prod.outlook.com (2603:10b6:806:27:cafe::aa)
by SA9PR13CA0130.outlook.office365.com (2603:10b6:806:27::15)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
id 15.20.8158.11 via Frontend Transport;
Mon, 11 Nov 2024 17:37:07 +0000
X-MS-Exchange-Authentication-Results:
spf=fail (sender IP is 44.224.15.38) smtp.mailfrom=<senderdomain>;
dkim=pass (signature was verified) header.d=<senderdomain>;
dmarc=pass action=none header.from=<senderdomain>;
Received-SPF:
Fail (protection.outlook.com: domain of <senderdomain> does not designate
44.224.15.38 as permitted sender)
receiver=protection.outlook.com;
client-ip=44.224.15.38;
helo=obx-outbound.inkyphishfence.com;
Received:
from obx-outbound.inkyphishfence.com (44.224.15.38)
by SA2PEPF000015CB.mail.protection.outlook.com (10.167.241.201)
with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384)
id 15.20.8158.14 via Frontend Transport;
Mon, 11 Nov 2024 17:37:06 +0000
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed;
d=inkyphishfence.com; s=arc-20181011; t=1731346626; h=mime-version :
message-id : date : subject : to : from;
bh=DdCW90ojW5LyzPz9rFk+Dsqm9IAqsfWbD6kyOqjA2Us=;
b=LX6o0R9jg3DbZJmydvgOfnti/5h6P9s0QdGJOwf9RHGjQC4wtFoukISH/smVKR1iqYFN/
6TtBRuBB9iRyenUMc0BLnX3dALT2GEVZ+rTa2Orf+itWICpsv1700QMUyrUtIGvjbS8aOlc
+jLxfkBRUoZyJK3J7R1rvEhEmk6j8R4=
ARC-Authentication-Results: i=2; obx-inbound.inkyphishfence.com;
spf=pass smtp.mailfrom=<senderdomain>;
dmarc=pass header.from=<senderdomain>;
dkim=pass header.d=<senderdomain>;
arc=pass
ARC-Seal: i=2; cv=pass; a=rsa-sha256; d=inkyphishfence.com;
s=arc-20181011; t=1731346626;
b=YJakPKM6e+/J1yVqJpMmGMHB508g94MQepkiByNaSxMFl5p2kD49eMFWsMsELUm4t3E3p
hw8uVc+L+l09WVB6yFy4q0oc0K7472Gz2jdzQ8Az/IOPBRNMxv5r0w8aXl2ifkPfsO7B6x6
KYsS16XKC+x21pj0YDd9rDuB2yzGQ4E=
Authentication-Results-Original: obx-inbound.inkyphishfence.com;
spf=pass smtp.mailfrom=<senderdomain>;
dmarc=pass header.from=<senderdomain>;
dkim=pass header.d=<senderdomain>;
arc=pass
Received:
from NAM10-MW2-obe.outbound.protection.outlook.com
(mail-mw2nam10lp2046.outbound.protection.outlook.com [104.47.55.46])
by obx-inbound.inkyphishfence.com (Postfix) with ESMTPS id E992CC9F03;
Mon, 11 Nov 2024 17:37:05 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
b=aHmC2DmtAFnuNIE6QyWUsJzkF9/NNGm5jkRnsAZiAK564eOuVReXNdlazpd4boBmeg57Ck0JmjdR84QOKwBF/8lF/n6Nu6inqJt/zdoph8fMHJ2sVqYd9IPgFF3NH9P5+SCR+cf0q0gZ79AMqTt/Q1Opg/ujUaavhCAE3qRwQHxuWhmABfpeX/kP3XcMrt6EjNTG+Ithc2a4OU3iqvcOYxWvbopjQYN8+Xk0ChyKb9JoqFLrz6sL8UuPre3k4LcHFyo+Jet8ZYDGJ8tYyfAUo4oJiSotDOXT2+MYdXlNrEXSCLqFl4Yp7piMVM0NwlySwbLLc+mkz7IqmMuwOzbo/w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=DdCW90ojW5LyzPz9rFk+Dsqm9IAqsfWbD6kyOqjA2Us=;
b=CaBue9V3qijOKzgfPDGDjRLQ8vJkBScEQq5xvZA8VzzqobyQGwTaz2yUtrdOlicwUSb0lMZyZU64jMg8jShQX9kzXSl/4Lec2SMqPBxF2jRhPb3t2x/0TS4PRoJ0OD4RyQlEs9mMGyqc8IwdNFr3OCw0V1ifvAfGid3opDtgkou1QRBrbbGGLYgZFdIqXlYN25m+TrIzNdExknB0K9wyDm3BQqaSMkbkeIbPFXO/8ZWAWaASoE9oPAds4bIi3vdbLDdnIEeZhwYHoyDPle0C5YYp74PLW19wHAprujy2V1fK4g6YHiLC4B/JggMKdp1wA1CCpEbyLZbW03qpCjVN9g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;
spf=pass smtp.mailfrom=<senderdomain>;
dmarc=pass action=none header.from=<senderdomain>;
dkim=pass header.d=<senderdomain>; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=<senderdomain>;
s=selector2;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=DdCW90ojW5LyzPz9rFk+Dsqm9IAqsfWbD6kyOqjA2Us=;
b=sSvmT5MkPVIvX3bNt3F/kPvD88TFmZBREHEuQ4BGSiMoRvwZjoM4+RnNIFXcyYOtPxe2QEWmy5QSdkIDYVwv1yE0Jw8GYD6E2s92bi5wwmVsjuqW479XSOeeGeQi/AhC0mWFQ4xy6bbxYU76I6vLO5C9dDvLUoe1/6GnUiddJ/YMl5m99Oby6avra3DM6aAlmUxnH3jDKJ6dzr9npqgQju5SfBhGZjKxPcGLLgL76ZD7ngsxEsCliDzJiOYd8oLT4NZ7APyvWe87yJbWau1AGwGHaHm+xoM77cnP4uEj9z3yapkOeDCkGJp2h0yEDHZAOmlVIXPg7vrFQU7UN8ORYg==
Received:
from PH0PR08MB8446.namprd08.prod.outlook.com (2603:10b6:510:29c::5)
by PH0PR08MB7606.namprd08.prod.outlook.com (2603:10b6:510:10e::9)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
id 15.20.8137.27;
Mon, 11 Nov 2024 17:37:00 +0000
Received:
from PH0PR08MB8446.namprd08.prod.outlook.com ([fe80::523c:82be:df43:1f1f])
by PH0PR08MB8446.namprd08.prod.outlook.com ([fe80::523c:82be:df43:1f1f%3])
with mapi id 15.20.8137.027;
Mon, 11 Nov 2024 17:37:00 +0000
From: <<user>@<senderdomain>>
To: <redacted>
CC: <redacted>
Subject: <redacted>
Thread-Topic: <redacted>
Thread-Index: AQHbNF/dAenfwMNVekanLiayoct9SA==
Date: Mon, 11 Nov 2024 17:36:59 +0000
Message-ID:
<ph0pr08mb8446b41a0305cb5e0f2be91ff8...@ph0pr08mb8446.namprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
msip_labels:
Authentication-Results-Original:
dkim=none (message not signed) header.d=none;
dmarc=none action=none header.from=<senderdomain>;
x-ms-traffictypediagnostic:
PH0PR08MB8446:EE_|PH0PR08MB7606:EE_|SA2PEPF000015CB:EE_|SA1PR08MB9744:EE_
X-MS-Office365-Filtering-Correlation-Id: 140b2dca-fd0d-4ce5-6c0e-08dd027776aa
x-inky-workflow: outside
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted:
BCL:0;ARA:13230040|366016|1800799024|376014|8096899003|38070700018;
X-Microsoft-Antispam-Message-Info-Original: <redacted>
X-Forefront-Antispam-Report-Untrusted:
CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR08MB8446.namprd08.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(8096899003)(38070700018);DIR:OUT;SFP:1102;
Content-Type: multipart/related;
boundary="_005_PH0PR08MB8446B41A0305CB5E0F2BE91FF8582PH0PR08MB8446namp_";
type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR08MB7606
X-Inky-DestinationTenant: <senderdomain>.mail.protection.outlook.com
X-Inky-CrtDestinationTenant:
inky-client-cert-7kf38jzuqrem3vid1kz25q:<senderdomain>.mail.protection.outlook.com
X-Inky-Outbound-Processed: True
Return-Path: <user>@<senderdomain>
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
SA2PEPF000015CB.namprd03.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs:
52662fa0-66ef-4e47-e876-08dd0277725e
X-IPW-GroupMember: False
X-Microsoft-Antispam:
BCL:0;ARA:13230040|35042699022|1800799024|14060799003|36860700013|376014|82310400026|4076899003|8096899003;
X-Microsoft-Antispam-Message-Info: <redacted>
X-Forefront-Antispam-Report:
CIP:44.224.15.38;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:obx-outbound.inkyphishfence.com;PTR:obx-outbound.inkyphishfence.com;CAT:NONE;SFS:(13230040)(35042699022)(1800799024)(14060799003)(36860700013)(376014)(82310400026)(4076899003)(8096899003);DIR:OUT;SFP:1102;
X-OriginatorOrg: <senderdomain>
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Nov 2024 17:37:06.9691 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id:
140b2dca-fd0d-4ce5-6c0e-08dd027776aa
X-MS-Exchange-CrossTenant-Id: 4791286b-0707-4782-8dae-89fe4a320b09
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp:
TenantId=4791286b-0707-4782-8dae-89fe4a320b09;Ip=[44.224.15.38];Helo=[obx-outbound.inkyphishfence.com]
X-MS-Exchange-CrossTenant-AuthSource: SA2PEPF000015CB.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR08MB9744
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
