I know, I know.. most already are looking at Azure sourced email with suspicion, but kind of wanted to wait until others chimed in on this one..

Took a bit to actually find examples that made it through our filters, even to sandbox addresses.. because the emails are so obvious..

Return-Path: <>
^^^^ Fake Bounce

Received: from adsfsdfeh96cpyn375xf8s.eastus.cloudapp.azure.com (HELO 7184.peelregion.ca) (13.90.137.227)
        by ...
^^^ No PTR, fake EHLO or stolen Azure resources?

Date: Mon, 07 Dec 2020 23:36:02 +0100
Message-ID: <ef8ie3ppu0nk-ef8ie3ppu0nk+ef8ie3ppu0n...@mx3.cheapnet.it>

^^^ Yeah, like this.. red herring, or an Azure App, allowing email relay

From: "U P S "<prab...@mx3.cheapnet.it>

^^^ Uh, yeah. Someone up to no good, they even tried to obfuscate UPS

To: <REDACTTED>
Content-Type: text/html; charset=ISO-8859-1
X-Gm-Message-State: EF8IE3PPU0NK+tZ/EF8IE3PPU0NK+EF8IE3PPU0NK
Subject: Take part in our marketing survey and get $90 : <REDACTTED>

^^^^ Can you say phishing lure?
X-BeenThere: oa...@co.uk

^^^^ Sure you have..

X-Mailman-Version: 2.1.12

^^^^ Red Herring, or ??

Precedence: list
List-Id: EF8IE3PPU0NK <oauth.co.uk>

<center>
<p><a href="https://optimized-by.rubiconproject.com/t/[nu6_15]/[nu_6_15]/[nu_6]-57.[nu_9].[nu_8]?url=https://mysp.ac/TLCHWYXSCVEEKGNIWTDDPGFLPHKJXE/../4kSz3#LxSzzPuRRw";><img src="https://mysp.ac/TLCHWYXSCVEEKGNIWTDDPGFLPHKJXE/../4kSzJ"; alt="" /></a></p> <p><a href="https://optimized-by.rubiconproject.com/t/[nu6_15]/[nu_6_15]/[nu_6]-57.[nu_9].[nu_8]?url=https://mysp.ac/TLCHWYXSCVEEKGNIWTDDPGFLPHKJXE/../4kSz4#LxSzzPuRRw";><img src="https://mysp.ac/TLCHWYXSCVEEKGNIWTDDPGFLPHKJXE/../4kSzL"; alt="" /></a></p>
</center>

And.. of course the link resolves to...

whois fantasticsurvey.com
   Domain Name: FANTASTICSURVEY.COM
   Registry Domain ID: 2568737389_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.name.com
   Registrar URL: http://www.name.com
   Updated Date: 2020-10-28T12:42:56Z
   Creation Date: 2020-10-28T12:42:55Z
   Registry Expiry Date: 2021-10-28T12:42:55Z
   Registrar: Name.com, Inc.
   Registrar IANA ID: 625
   Registrar Abuse Contact Email: ab...@name.com
   Registrar Abuse Contact Phone: 7202492374
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: NS1HWY.NAME.COM
   Name Server: NS2BTZ.NAME.COM
   Name Server: NS3QTY.NAME.COM
   Name Server: NS4BFY.NAME.COM


Hundreds of Azure IP(s) used in this one.. MS, you need to spend a little more money on threats from 'within' your networks..



--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
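The indicators called out in the post (empty Return-Path on a non-bounce, HELO name from a different organisation than the connecting Azure host, Mailman-style list headers that contradict the rest of the message, and a brand name padded with spaces) can be turned into a small triage script. The following is an added example, not code from the post, from LinuxMagic or from mailop. It assumes: a hypothetical brand watchlist (`BRAND_DOMAINS`), a placeholder receiving host on the folded `by ...` line of the Received header, and a rough registrable-domain helper that does not use the public suffix list. Redacted values are kept exactly as they appear on the page.

```python
"""Header-triage heuristics for the Azure-relayed lure described in the post above.

Added example; the sample message is constructed from the headers quoted in the post.
"""
import email
import re

# Constructed sample: the quoted headers, with the folded "by ..." continuation
# replaced by a placeholder host. Redactions are kept as they appear on the page.
SAMPLE = """\
Return-Path: <>
Received: from adsfsdfeh96cpyn375xf8s.eastus.cloudapp.azure.com (HELO 7184.peelregion.ca) (13.90.137.227)
        by mx.example.invalid
Date: Mon, 07 Dec 2020 23:36:02 +0100
Message-ID: <ef8ie3ppu0nk-ef8ie3ppu0nk+ef8ie3ppu0n...@mx3.cheapnet.it>
From: "U P S "<prab...@mx3.cheapnet.it>
To: <REDACTTED>
Content-Type: text/html; charset=ISO-8859-1
Subject: Take part in our marketing survey and get $90 : <REDACTTED>
X-BeenThere: oa...@co.uk
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: EF8IE3PPU0NK <oauth.co.uk>

<html><body>lure body omitted</body></html>
"""

# Assumed watchlist: whitespace-stripped display-name token -> domains allowed to use it.
BRAND_DOMAINS = {"ups": {"ups.com"}}

RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(HELO\s+([^)\s]+)\)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)", re.I
)
# Deliberately lenient: odd quoting such as "U P S "<addr> must not abort triage.
FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>')


def registered_domain(host):
    """Rough registrable domain (no public-suffix list; handles co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "ac", "org", "gov", "net", "com"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_first_hop(received):
    """Return (rdns_name, helo_name, ip) from a Received header in the format the post shows."""
    m = RECEIVED_RE.search(" ".join(received.split()))
    return m.groups() if m else None


def analyze(raw):
    """Return a sorted list of finding codes for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. Empty Return-Path on something that is not a delivery status report:
    #    the "fake bounce" trick, which sidesteps sender-based filtering and SPF.
    rp = (msg.get("Return-Path") or "").strip()
    if rp == "<>" and not msg.get_content_type().startswith("multipart/report"):
        findings.append("fake-bounce")

    # 2. HELO name owned by a different organisation than the connecting host,
    #    and a sender that is a cloud VM rather than a mail platform.
    hop = parse_first_hop(msg.get("Received", ""))
    if hop:
        rdns, helo, _ip = hop
        if registered_domain(rdns) != registered_domain(helo):
            findings.append("helo-rdns-mismatch")
        if "cloudapp.azure.com" in rdns.lower():
            findings.append("cloud-vm-sender")

    # 3. Mailing-list headers that do not hang together with the rest of the message.
    fm = FROM_RE.match(msg.get("From", ""))
    name = fm.group("name") if fm else ""
    addr = fm.group("addr") if fm else ""
    from_dom = registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    lm = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    if lm:
        if registered_domain(lm.group(1)) != from_dom:
            findings.append("list-id-from-mismatch")
        if rp == "<>":
            # A real Mailman list sets Return-Path to its -bounces address, never <>.
            findings.append("list-headers-without-bounce-address")

    # 4. Brand name padded with spaces to slip past keyword matching.
    token = re.sub(r"\s+", "", name).lower()
    if token in BRAND_DOMAINS and from_dom not in BRAND_DOMAINS[token]:
        findings.append("brand-display-name-spoof")

    return sorted(findings)


if __name__ == "__main__":
    for code in analyze(SAMPLE):
        print(code)
```

Each code is a separate signal so a milter or SIEM rule can weight them; no single one is proof on its own (an empty Return-Path is normal for a real DSN, and a HELO/rDNS mismatch is common for badly configured but legitimate relays), but the combination seen here is what the post's annotations describe.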
