Slightly sanitized headers: https://pastebin.com/w2JJj8TJ
Email pretends to be a Microsoft voicemail, with an attachment that uses JavaScript to open a URL-encoded page.

Image of page for the more cautious: https://imgur.com/WOpva4Q
Broken hyperlink for the more adventurous: ttps://objectstorage.us-sanjose-1.oraclecloud.com/n/axcdfbfimho2/b/bucket-dreamland20200806-0427/o/index.html#u...@example.com
You can edit the email address at the end to be whatever you like.

Microsoft has started putting the emails in the "Junk" folder, but Barracuda just lets them right on through. I'm opening a case with Barracuda as to why they can't catch this, but I'm open to suggestions on other activities I can do.

I've seen about a dozen of these, targeting 3 finance-related employees. All are routed through perfora.net, which apparently has an open relay? Anyone know anything about that domain? I'm putting in a rule to block anything that has perfora.net in the header.

--------
Eric Henson
Windows Server Team Manager
PFSweb, Inc.
m: 972.948.3424
www.pfsweb.com
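
A triage check for the two traits described in the message above (a Received hop through perfora.net and an HTML attachment whose script decodes URL-encoded content), as an added example that is not part of the original post. The sample message, the hostnames `relay.perfora.net` and `mx.example.org`, and the script heuristic are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_RELAY = "perfora.net"  # relay domain named in the post
HOST = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed heuristic: a <script> that calls a URL-decoding function.
DECODE_JS = re.compile(r"<script\b.*?(unescape|decodeURIComponent)\s*\(", re.I | re.S)

def under_domain(host: str, domain: str) -> bool:
    """True for the domain itself or a subdomain, not for look-alikes."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw: bytes) -> list[str]:
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Any Received hop that names a host under the blocked relay domain.
    for hop in msg.get_all("Received", []):
        if any(under_domain(h, BLOCKED_RELAY) for h in HOST.findall(str(hop))):
            findings.append("relay:" + BLOCKED_RELAY)
            break
    # 2. HTML parts or .htm/.html attachments carrying a decoding script.
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".htm", ".html")):
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if DECODE_JS.search(body):
                findings.append("html-script-decoder:" + (name or "inline"))
    return findings

# Constructed sample: benign payload that only decodes a paragraph tag.
SAMPLE_HTML = '<html><script>document.write(unescape("%3Cp%3Etest%3C%2Fp%3E"));</script></html>'

def build_sample(relay: str = "relay.perfora.net", html: str = SAMPLE_HTML) -> bytes:
    m = EmailMessage()
    m["Received"] = f"from {relay} ([192.0.2.10]) by mx.example.org with ESMTP"
    m["Subject"] = "New voicemail"
    m.set_content("You have a new voice message.")
    m.add_attachment(html, subtype="html", filename="voicemail.htm")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

The suffix match on a dot boundary keeps a look-alike such as `mail.notperfora.net.example` from matching, which a plain substring rule on the header would not.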