Yeah, that's my theory at the moment, very likely that the call is coming
from inside the house, but they didn't find the person who made the call
before it was made.


Delivered-To: REDACTED
Received: by 2002:a05:640c:1b81:b0:190:7afb:ee7a with SMTP id
r1csp516216eiw;
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
X-Google-Smtp-Source:
AA0mqf6dcoQaNhG4JYaaq7jvwEAJxfF8XCQ2Zy1qPt4mGssaSyPzrvU0HsohJxkBvLOIjhuKLb6N
X-Received: by 2002:a65:67d1:0:b0:476:87ad:9d78 with SMTP id
b17-20020a6567d1000000b0047687ad9d78mr6785903pgs.169.1668781412334;
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668781412; cv=none;
        d=google.com; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
        h=amq-delivery-message-id:mime-version:from:to:subject
         :pp-correlation-id:message-id:date:content-transfer-encoding
         :dkim-signature;
        bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=pp-dkim1 header.b=i5V5Jd8P;
       spf=pass (google.com: domain of [email protected] designates
66.211.170.89 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Return-Path: <[email protected]>
Received: from mx1.phx.paypal.com (mx3.phx.paypal.com. [66.211.170.89])
        by mx.google.com with ESMTPS id
c5-20020a655a85000000b0044fb332e9c2si4180181pgt.560.2022.11.18.06.23.32
        for <REDACTED>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates
66.211.170.89 as permitted sender) client-ip=66.211.170.89;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=pp-dkim1 header.b=i5V5Jd8P;
       spf=pass (google.com: domain of [email protected] designates
66.211.170.89 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
c=relaxed/relaxed;
q=dns/txt; [email protected]; t=1668781410;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Fri, 18 Nov 2022 06:23:30 -0800
Message-ID: <65.AC.09725.26597736@ccg01mail05>
X-PP-REQUESTED-TIME: 1668781403501
X-PP-Email-transmission-Id: 917850f8-674c-11ed-96b4-3cecef6afc2b
PP-Correlation-Id: f349957836b68
Subject: Invoice from Walmart (0067)
X-MaxCode-Template: RT000238
To: zachery Rose <REDACTED>
From: "[email protected]" <[email protected]>
X-Email-Type-Id: RT000238
MIME-Version: 1.0
X-PP-Priority: 0-none-true
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval

On Fri, Nov 18, 2022 at 1:44 PM Michael Wise <[email protected]>
wrote:

>
>
> Please share the headers; pictures are not forensic evidence.
>
> We’ve seen similar things, want to see if it’s the same issue.
>
>
>
> Hint: it may have really come from PayPal.
>
>
>
> Aloha,
>
> Michael.
>
> --
>
> *Michael J Wise*
> Microsoft Corporation| Spam Analysis
>
> "Your Spam Specimen Has Been Processed."
>
> Open a ticket for Hotmail <http://go.microsoft.com/fwlink/?LinkID=614866>
> ?
>
>
>
> *From:* mailop <[email protected]> *On Behalf Of *Zach Rose via
> mailop
> *Sent:* Friday, November 18, 2022 7:10 AM
> *To:* [email protected]
> *Subject:* [EXTERNAL] [mailop] Really good paypal phishing email this
> morning
>
>
>
> https://www.screencast.com/t/dNPpByTSjrq
>
>
>
> I rarely use PayPal, if ever, and haven't shopped with Walmart in over a
> decade, but I can see how this would fool a lot of people. Passed
> DKIM/SPF/DMARC, and the code of the email itself referenced their own
> static file CDN, so this feels like a scam account internally rather than a
> spoofed email.
>
>
>
>
>


-- 
All the best,
Zach Rose - StitchedIn
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
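
Added example, not part of the original thread: the triage this thread reasons through, reading the receiving server's Authentication-Results to separate a spoofed message from one that really left the brand's own mail infrastructure. The sample headers are constructed from the shape quoted above; the placeholder addresses, the function names and the two-label organizational-domain shortcut are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample shaped like the headers in this thread. Address local
# parts are placeholders (assumption): the archive obscures the real ones.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=i5V5Jd8P;
       spf=pass (google.com: domain of placeholder@paypal.com designates
 66.211.170.89 as permitted sender) smtp.mailfrom=placeholder@paypal.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
From: "placeholder" <placeholder@paypal.com>
Subject: Invoice from Walmart (0067)

(body omitted)
"""

def parse_auth_results(value):
    """Split one Authentication-Results value into (authserv_id, methods)."""
    flat = re.sub(r"\([^()]*\)", " ", " ".join(value.split()))  # unfold, drop comments
    authserv, *clauses = [c.strip() for c in flat.split(";") if c.strip()]
    methods = {}
    for clause in clauses:
        first, *rest = clause.split()
        method, _, result = first.partition("=")
        props = dict(t.split("=", 1) for t in rest if "=" in t)
        methods[method.lower()] = {"result": result.lower(), **props}
    return authserv, methods

def org_domain(value):
    # Simplification (assumption): last two labels. Real DMARC alignment
    # uses the Public Suffix List to find the organizational domain.
    return ".".join(value.rsplit("@", 1)[-1].lower().split(".")[-2:])

def triage(raw, trusted_authserv="mx.google.com"):
    """Classify a message using only our own receiver's verdict."""
    msg = message_from_string(raw)
    for value in msg.get_all("Authentication-Results", []):
        authserv, methods = parse_auth_results(value)
        if authserv == trusted_authserv:
            break
    else:
        return "no-trusted-results"
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1])
    dmarc = methods.get("dmarc", {})
    if dmarc.get("result") == "pass" and org_domain(dmarc.get("header.from", "")) == from_dom:
        return "authenticated-origin"  # sent via the real domain: judge the content
    return "spoof-suspect"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An "authenticated-origin" verdict only rules out spoofing; a message like this one still has to be judged on its content and reported to the sending platform's abuse desk.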