This .. is what I wanted to see.
Did it really go to you, or did it stop off somewhere else first?

              To: zachery Rose <REDACTED>

It does appear that it went direct, so my initial theory is off I guess.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail<http://go.microsoft.com/fwlink/?LinkID=614866> ?

From: mailop <[email protected]> On Behalf Of Zach Rose via mailop
Sent: Friday, November 18, 2022 11:38 AM
Cc: [email protected]
Subject: Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning

Yeah, that's my theory at the moment, very likely that the call is coming from 
inside the house, but they didn't find the person who made the call before it 
was made.


Delivered-To: REDACTED
Received: by 2002:a05:640c:1b81:b0:190:7afb:ee7a with SMTP id r1csp516216eiw;
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
X-Google-Smtp-Source: 
AA0mqf6dcoQaNhG4JYaaq7jvwEAJxfF8XCQ2Zy1qPt4mGssaSyPzrvU0HsohJxkBvLOIjhuKLb6N
X-Received: by 2002:a65:67d1:0:b0:476:87ad:9d78 with SMTP id 
b17-20020a6567d1000000b0047687ad9d78mr6785903pgs.169.1668781412334;
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668781412; cv=none;
        d=google.com; s=arc-20160816;
        b=U4pbrfCYSxjulk8kCNLer1j7TfaCaowzf2yDYMqeQMVmG4g/JvAXzf0m4serzWoqTi
         OBEY9TrwfM2j3yQssfS8OMOnWmBP+pO7KYBmg67sBb57BdZlx/+txIylik9rNKuyXsEh
         O5+LN63Y1RqiSPLK44tgV3uHSeYS5n+qE0gJHgS1lojzvH/tEkxESiQHix+K7sWYnBUt
         EXjoD4UKa4x1WGOsOPsb64AYM/AMs2TImhoZCqg+tT2Otsn1/Hz34iMozy9tR0yBB15q
         +Eq4bNx9gjV8EpetyAjAQF7XHwWknzhig/MtiVy76GwNuCpUxd8yW+Bw3/fwTtBL6zl6
         QFYQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=arc-20160816;
        h=amq-delivery-message-id:mime-version:from:to:subject
         :pp-correlation-id:message-id:date:content-transfer-encoding
         :dkim-signature;
        bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
        b=PbkHny3v4CR7wqQUcdh8f9PRFBMO+7dUlCVLzG9d8uDG0Uc+4jNqlkRB5chwPq1AUw
         QG3rN1n+lpU1t/MEz0fnZ2k1Rwzrr0j/2L0fHhhX0eJ8UheOHbcVNDSF1hjDfwPayN43
         ggWon6WA5mEYJ6jTPt5ODvSC0shj5SrQBq2C57tCG4WOjWGK63UhilfiZS/GgpoyzgvG
         UItaCRQKijOkG9k8bNub0rZ77LEdRoCK6RaEe6mhKmTv0doesmgdyhlb8+1e8V8Uvy7T
         tqhqfvqUyzVOgL5HmUZIjNl/XkNXA966EGTLfDqf1DWDsf0LRjpZpJiJViixPJ63UMKA
         /azQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=pp-dkim1 header.b=i5V5Jd8P;
       spf=pass (google.com: domain of [email protected] designates
 66.211.170.89 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Return-Path: <[email protected]>
Received: from mx1.phx.paypal.com (mx3.phx.paypal.com. [66.211.170.89])
        by mx.google.com with ESMTPS id
c5-20020a655a85000000b0044fb332e9c2si4180181pgt.560.2022.11.18.06.23.32
        for <REDACTED>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates
 66.211.170.89 as permitted sender) client-ip=66.211.170.89;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=pp-dkim1 header.b=i5V5Jd8P;
       spf=pass (google.com: domain of [email protected] designates
 66.211.170.89 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed;
q=dns/txt; [email protected]; t=1668781410;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
b=i5V5Jd8PU85hThj/qbYYNVtrAe9utMx13ls4RqO/wxfIUwhUDUQ0jzygOkTfY88K
BE74YiE8NsQGHdn4tMuGpInCw+7bnGFPBmOrlk22QztSUjqPH80z6lDtI7NrPpF6
RYaiNevk4cJU4eEXXyr6fIT1fdcDwFdL4WErZ0w0KLpgYwd7dnwgqDrgvDWNJQWd
wzgmA+qZ+9UUrDCsv/h3JCmWBoJaFs3Eaph019ifvg2hLCvZ6Zo3iEqE8aLFQx3b
PDgFKnpTxxI+E1HaIpZJGQwpSI2q7TYrSKvwEBwko9OFXkWe9zlngcE/Km17TlpB
0ujZJGDU7e4EtiOBfTM96g==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Fri, 18 Nov 2022 06:23:30 -0800
Message-ID: <65.AC.09725.26597736@ccg01mail05>
X-PP-REQUESTED-TIME: 1668781403501
X-PP-Email-transmission-Id: 917850f8-674c-11ed-96b4-3cecef6afc2b
PP-Correlation-Id: f349957836b68
Subject: Invoice from Walmart (0067)
X-MaxCode-Template: RT000238
To: zachery Rose <REDACTED>
From: "[email protected]" <[email protected]>
X-Email-Type-Id: RT000238
MIME-Version: 1.0
X-PP-Priority: 0-none-true
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval

On Fri, Nov 18, 2022 at 1:44 PM Michael Wise <[email protected]> wrote:

Please share the headers; pictures are not forensic evidence.
We've seen similar things, want to see if it's the same issue.

Hint: it may have really come from PayPal.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail<http://go.microsoft.com/fwlink/?LinkID=614866> ?

From: mailop <[email protected]> On Behalf Of Zach Rose via mailop
Sent: Friday, November 18, 2022 7:10 AM
To: [email protected]
Subject: [EXTERNAL] [mailop] Really good paypal phishing email this morning

https://www.screencast.com/t/dNPpByTSjrq

I rarely use paypal, if ever, and haven't shopped with Walmart in over a 
decade, but I can see how this would fool a lot of people. Passed 
DKIM/SPF/DMARC, and the code of the email itself referenced their own static 
file CDN, so this feels like a scam account internally rather than a spoofed 
email.




--
All the best,
Zach Rose - StitchedIn
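
The check made by eye on the headers in this thread (DKIM, SPF and DMARC all pass for the From domain, and the only external hop is the sender's own MTA), written out as an added Python example that is not part of the thread. The sample headers are constructed with placeholder domains and addresses; `triage` and its Gmail-style `Received` parsing are assumptions.

```python
import re
from email import message_from_string

# Constructed sample shaped like the headers in this thread (placeholder values).
SAMPLE = """\
Delivered-To: user@example.net
Received: by 2002:db8::1 with SMTP id x1; Fri, 18 Nov 2022 06:23:32 -0800 (PST)
Received: from mx1.sender.example (mx3.sender.example. [192.0.2.89])
        by mx.receiver.example with ESMTPS id abc123;
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
Authentication-Results: mx.receiver.example;
       dkim=pass header.i=@sender.example header.s=sel1 header.b=AAAAAAAA;
       spf=pass (receiver.example: domain of bounce@sender.example designates
 192.0.2.89 as permitted sender) smtp.mailfrom=bounce@sender.example;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=sender.example
From: "service@sender.example" <service@sender.example>
Subject: Invoice (constructed)

body
"""

def triage(raw, trusted_receiver):
    """Summarise authentication verdicts and delivery path from raw headers."""
    msg = message_from_string(raw)
    # Only trust the Authentication-Results header stamped by our own MTA;
    # any other copy could have been supplied by the sender.
    ar = next((" ".join(v.split())
               for v in msg.get_all("Authentication-Results", [])
               if v.split(";")[0].strip() == trusted_receiver), "")
    verdicts = dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", ar))
    m = re.search(r"header\.from=([\w.-]+)", ar)
    from_domain = m.group(1) if m else None
    # External hops are Received headers that name a sending host ("from ...").
    hops = [" ".join(v.split()) for v in msg.get_all("Received", [])
            if v.lstrip().startswith("from ")]
    # Reverse-DNS name the receiver recorded for the first (bottom-most) hop.
    r = re.search(r"\(([\w.-]+?)\.?\s+\[", hops[-1]) if hops else None
    rdns = r.group(1) if r else ""
    direct = (len(hops) == 1 and from_domain is not None
              and (rdns == from_domain or rdns.endswith("." + from_domain)))
    authenticated = all(verdicts.get(k) == "pass" for k in ("dkim", "spf", "dmarc"))
    # Fully authenticated and handed over directly by the brand's own MTA:
    # the mail was generated on the sender's platform, not spoofed in transit.
    return {"verdicts": verdicts, "external_hops": len(hops), "direct": direct,
            "platform_abuse_suspected": authenticated and direct}
```

A `True` result only narrows the origin to the sender's own platform; it says nothing about which account on that platform generated the message.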