Looks like this is evolving. The first round was the scammers impersonating 
PayPal. Looks like they got a handle on that (after a few weeks) but failed to 
think like the bad guys and anticipate the next round. 

Hopefully the fix is something that can be tweaked to cover brands not PayPal 
rather than having to invent a new system to identify this kind of phish. 

Laura

Sent from my iPhone

> On Nov 18, 2022, at 9:35 PM, Michael Wise via mailop <[email protected]> 
> wrote:
> 
> This .. is what I wanted to see.
> Did it really go to you, or did it stop off somewhere else first?
> 
>               To: zachery Rose <REDACTED>
>  
> It does appear that it went direct, so my initial theory is off I guess.
>  
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation| Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Open a ticket for Hotmail ?
>  
> From: mailop <[email protected]> On Behalf Of Zach Rose via mailop
> Sent: Friday, November 18, 2022 11:38 AM
> Cc: [email protected]
> Subject: Re: [mailop] [EXTERNAL] Really good paypal phishing email this 
> morning
>  
> Yeah, that's my theory at the moment, very likely that the call is coming 
> from inside the house, but they didn't find the person who made the call 
> before it was made. 
> 
> Delivered-To: REDACTED
> Received: by 2002:a05:640c:1b81:b0:190:7afb:ee7a with SMTP id r1csp516216eiw;
>         Fri, 18 Nov 2022 06:23:32 -0800 (PST)
> X-Google-Smtp-Source: 
> AA0mqf6dcoQaNhG4JYaaq7jvwEAJxfF8XCQ2Zy1qPt4mGssaSyPzrvU0HsohJxkBvLOIjhuKLb6N
> X-Received: by 2002:a65:67d1:0:b0:476:87ad:9d78 with SMTP id 
> b17-20020a6567d1000000b0047687ad9d78mr6785903pgs.169.1668781412334;
>         Fri, 18 Nov 2022 06:23:32 -0800 (PST)
> ARC-Seal: i=1; a=rsa-sha256; t=1668781412; cv=none;
>         d=google.com; s=arc-20160816;
>         b=U4pbrfCYSxjulk8kCNLer1j7TfaCaowzf2yDYMqeQMVmG4g/JvAXzf0m4serzWoqTi
>          OBEY9TrwfM2j3yQssfS8OMOnWmBP+pO7KYBmg67sBb57BdZlx/+txIylik9rNKuyXsEh
>          O5+LN63Y1RqiSPLK44tgV3uHSeYS5n+qE0gJHgS1lojzvH/tEkxESiQHix+K7sWYnBUt
>          EXjoD4UKa4x1WGOsOPsb64AYM/AMs2TImhoZCqg+tT2Otsn1/Hz34iMozy9tR0yBB15q
>          +Eq4bNx9gjV8EpetyAjAQF7XHwWknzhig/MtiVy76GwNuCpUxd8yW+Bw3/fwTtBL6zl6
>          QFYQ==
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; 
> s=arc-20160816;
>         h=amq-delivery-message-id:mime-version:from:to:subject
>          :pp-correlation-id:message-id:date:content-transfer-encoding
>          :dkim-signature;
>         bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
>         b=PbkHny3v4CR7wqQUcdh8f9PRFBMO+7dUlCVLzG9d8uDG0Uc+4jNqlkRB5chwPq1AUw
>          QG3rN1n+lpU1t/MEz0fnZ2k1Rwzrr0j/2L0fHhhX0eJ8UheOHbcVNDSF1hjDfwPayN43
>          ggWon6WA5mEYJ6jTPt5ODvSC0shj5SrQBq2C57tCG4WOjWGK63UhilfiZS/GgpoyzgvG
>          UItaCRQKijOkG9k8bNub0rZ77LEdRoCK6RaEe6mhKmTv0doesmgdyhlb8+1e8V8Uvy7T
>          tqhqfvqUyzVOgL5HmUZIjNl/XkNXA966EGTLfDqf1DWDsf0LRjpZpJiJViixPJ63UMKA
>          /azQ==
> ARC-Authentication-Results: i=1; mx.google.com;
>        dkim=pass [email protected] header.s=pp-dkim1 header.b=i5V5Jd8P;
>        spf=pass (google.com: domain of [email protected] designates 
> 66.211.170.89 as permitted sender) [email protected];
>        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
> Return-Path: <[email protected]>
> Received: from mx1.phx.paypal.com (mx3.phx.paypal.com. [66.211.170.89])
>         by mx.google.com with ESMTPS id 
> c5-20020a655a85000000b0044fb332e9c2si4180181pgt.560.2022.11.18.06.23.32
>         for <REDACTED>
>         (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
>         Fri, 18 Nov 2022 06:23:32 -0800 (PST)
> Received-SPF: pass (google.com: domain of [email protected] designates 
> 66.211.170.89 as permitted sender) client-ip=66.211.170.89;
> Authentication-Results: mx.google.com;
>        dkim=pass [email protected] header.s=pp-dkim1 header.b=i5V5Jd8P;
>        spf=pass (google.com: domain of [email protected] designates 
> 66.211.170.89 as permitted sender) [email protected];
>        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
> DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; 
> c=relaxed/relaxed;
> q=dns/txt; [email protected]; t=1668781410;
> h=From:From:Subject:Date:To:MIME-Version:Content-Type;
> bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
> b=i5V5Jd8PU85hThj/qbYYNVtrAe9utMx13ls4RqO/wxfIUwhUDUQ0jzygOkTfY88K
> BE74YiE8NsQGHdn4tMuGpInCw+7bnGFPBmOrlk22QztSUjqPH80z6lDtI7NrPpF6
> RYaiNevk4cJU4eEXXyr6fIT1fdcDwFdL4WErZ0w0KLpgYwd7dnwgqDrgvDWNJQWd
> wzgmA+qZ+9UUrDCsv/h3JCmWBoJaFs3Eaph019ifvg2hLCvZ6Zo3iEqE8aLFQx3b
> PDgFKnpTxxI+E1HaIpZJGQwpSI2q7TYrSKvwEBwko9OFXkWe9zlngcE/Km17TlpB
> 0ujZJGDU7e4EtiOBfTM96g==;
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/html; charset="UTF-8"
> Date: Fri, 18 Nov 2022 06:23:30 -0800
> Message-ID: <65.AC.09725.26597736@ccg01mail05>
> X-PP-REQUESTED-TIME: 1668781403501
> X-PP-Email-transmission-Id: 917850f8-674c-11ed-96b4-3cecef6afc2b
> PP-Correlation-Id: f349957836b68
> Subject: Invoice from Walmart (0067)
> X-MaxCode-Template: RT000238
> To: zachery Rose <REDACTED>
> From: "[email protected]" <[email protected]>
> X-Email-Type-Id: RT000238
> MIME-Version: 1.0
> X-PP-Priority: 0-none-true
> AMQ-Delivery-Message-Id: nullval
> X-XPT-XSL-Name: nullval
>  
> On Fri, Nov 18, 2022 at 1:44 PM Michael Wise <[email protected]> 
> wrote:
>  
> Please share the headers; pictures are not forensic evidence.
> We’ve seen similar things, want to see if it’s the same issue.
>  
> Hint: it may have really come from PayPal.
>  
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation| Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Open a ticket for Hotmail ?
>  
> From: mailop <[email protected]> On Behalf Of Zach Rose via mailop
> Sent: Friday, November 18, 2022 7:10 AM
> To: [email protected]
> Subject: [EXTERNAL] [mailop] Really good paypal phishing email this morning
>  
> https://www.screencast.com/t/dNPpByTSjrq
>  
> I rarely use paypal, if ever, and haven't shopped with Walmart in over a 
> decade, but I can see how this would fool a lot of people. Passed 
> DKIM/SPF/DMARC, and the code of the email itself referenced their own static 
> file CDN, so this feels like a scam account internally rather than a spoofed 
> email. 
> 
> --
> All the best,
> Zach Rose - StitchedIn
> _______________________________________________
> mailop mailing list
> [email protected]
> https://list.mailop.org/listinfo/mailop
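The thread makes two determinations by hand: from the headers Michael asked for, whether the message was authenticated and "went direct" from the brand's own MX rather than stopping off somewhere first, and from the subject, that an authenticated PayPal invoice is carrying a different merchant's name ("Invoice from Walmart"). The Python below is an added example written for this page, not code from any list participant, Google or PayPal. It runs those checks over a constructed header block that is a trimmed copy of the one quoted above (the archive redacts addresses, so local parts and the ESMTPS id are placeholders), and it generalizes Laura's point about brands other than PayPal by extracting the claimed brand from the subject instead of hard-coding one. The `org_domain` reduction to the last two labels and the `Invoice from <X>` subject pattern are assumptions for illustration; production code would use the Public Suffix List and a broader set of invoice phrasings.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the header block quoted in the thread.
# The list archive redacts addresses, so local parts and the id are placeholders.
SAMPLE = """\
Delivered-To: REDACTED
Received: by 2002:a05:640c:1b81:b0:190:7afb:ee7a with SMTP id r1csp516216eiw;
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.s=pp-dkim1 header.b=i5V5Jd8P;
       spf=pass (google.com: domain of placeholder@paypal.com designates
 66.211.170.89 as permitted sender) smtp.mailfrom=placeholder@paypal.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Received: from mx1.phx.paypal.com (mx3.phx.paypal.com. [66.211.170.89])
        by mx.google.com with ESMTPS id PLACEHOLDER
        for <REDACTED>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
Subject: Invoice from Walmart (0067)
From: "placeholder@paypal.com" <placeholder@paypal.com>
To: zachery Rose <REDACTED>

"""

# Constructed contrast case: an ordinary spoof of the same From domain that
# fails DMARC and arrives via an unrelated relay (placeholder hosts and IP).
SPOOF_SAMPLE = """\
Authentication-Results: mx.example.net;
       dkim=none; spf=fail smtp.mailfrom=paypal.com;
       dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Received: from relay.example.invalid (relay.example.invalid. [192.0.2.10])
        by mx.example.net with ESMTPS id PLACEHOLDER;
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
Subject: Invoice from Walmart (0067)
From: "placeholder@paypal.com" <placeholder@paypal.com>

"""


def parse_auth_results(msg):
    """Pull dkim/spf/dmarc verdicts and the DMARC-aligned From domain out of
    the receiving MX's Authentication-Results header (folding normalized)."""
    text = " ".join(msg.get("Authentication-Results", "").split())
    out = {m.group(1): m.group(2).lower()
           for m in re.finditer(r"\b(dkim|spf|dmarc)=(\w+)", text)}
    m = re.search(r"header\.from=([\w.-]+)", text)
    if m:
        out["header.from"] = m.group(1).lower()
    return out


def external_hops(msg):
    """Received hops that name a sending host, oldest first (the bottom-most
    'Received: from' is the first machine our MX or its upstream heard from)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(raw.split())
        m = re.match(r"from (\S+) \(([^)]*)\) by (\S+)", text)
        if not m:
            continue  # e.g. the internal 'Received: by ...' hop has no sender
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(2))
        hops.append({"helo": m.group(1), "ip": ip.group(1) if ip else None,
                     "by": m.group(3)})
    return hops


def org_domain(host):
    """Assumed crude registrable-domain reduction: last two DNS labels."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def claimed_brand(subject):
    """Brand named by an 'Invoice from <X>' subject, or None (assumed pattern)."""
    m = re.match(r"\s*invoice from (.+?)\s*(?:\(|$)", subject, re.I)
    return m.group(1).strip() if m else None


def triage(raw_message):
    """Classify a message as spoof, plain authenticated mail, or an authenticated
    platform message whose subject advertises a third-party brand."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg)
    hops = external_hops(msg)
    from_domain = auth.get("header.from")
    if not from_domain:  # no DMARC clause: fall back to the RFC5322.From domain
        from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower() or None
    authenticated = all(auth.get(k) == "pass" for k in ("dkim", "spf", "dmarc"))
    # "Went direct": exactly one external hop, and it is the From domain's own MX.
    direct = (len(hops) == 1 and from_domain is not None
              and org_domain(hops[0]["helo"]) == from_domain)
    brand = claimed_brand(msg.get("Subject", ""))
    brand_mismatch = bool(brand and from_domain
                          and brand.lower().replace(" ", "") not in from_domain)
    if not authenticated:
        verdict = "spoof-or-unauthenticated"
    elif direct and brand_mismatch:
        verdict = "platform-abuse"  # real sender, fraudulent content
    else:
        verdict = "authenticated"
    return {"auth": auth, "hops": hops, "authenticated": authenticated,
            "direct": direct, "brand": brand, "brand_mismatch": brand_mismatch,
            "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE)["verdict"])        # platform-abuse
    print(triage(SPOOF_SAMPLE)["verdict"])  # spoof-or-unauthenticated
```

The useful property of the `platform-abuse` verdict is that it fires precisely on the case that passes every authentication check, so it belongs downstream of SPF/DKIM/DMARC evaluation as a content rule rather than as a reason to distrust the authentication results themselves.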