On Wed, 24 Sep 2025, Alex wrote:
> Hi,
> Just received a "you have a special message" phish that was delivered
> through oracledelivery and leads to an HTML download that loads an M365
> login page.
> https://pastebin.com/GQtmWakG
> It was only tagged by a few basic rules and passed all DKIM/SPF.
> X-Spam-Status: No, score=0.912 tagged_above=-200 required=5
> tests=[BAYES_20=-0.001, DCC_CHECK=1.1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
> DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1,
> HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_FONT_SIZE_HUGE=0.001,
> HTML_MESSAGE=0.001, RELAYCOUNTRY_US=0.01, SPF_HELO_NONE=0.001,
> SPF_PASS=-0.001, TRACKER_ID=0.1] autolearn=disabled
> Hopefully someone can investigate.
Not much to do with this until/unless sendgb.com gets a poor reputation in
URIBL et al.
Could add a rule for sendgb.com URIs as "public file sharing, risk of
phishing or malware" but for a publicly accessible file sharing service
the FP likelihood is probably high.
That meta'd with rules for text like "secure document", "your signature",
"payment" and the like might perform better.
Comparison with "legit" file sharing announcements from sendgb.com might
highlight something in this message that indicates it isn't legit, but
that's unlikely.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If someone has a gun and is trying to kill you, it would be
reasonable to shoot back with your own gun.
-- the Dalai Lama, May 15, 2001
-----------------------------------------------------------------------
5 days until the 84th anniversary of the massacre at Babi Yar
Disarmament enables genocide - Registration enables disarmament
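The rule layout John sketches above (a low-scoring URI rule for the file-sharing host, meta'd with body-text lure rules) written out as a SpamAssassin local ruleset. This is an added example, not something from the list post or shipped with SpamAssassin; the rule names, the sendgb.com URI pattern, the lure phrases and all scores are assumptions chosen for illustration.

```spamassassin
# Added example for local.cf (or a *.cf file under the local rules directory).
# Rule names, patterns and scores below are assumptions, not stock SpamAssassin rules.

# Informational hit on any link to the public file-sharing host.
# Kept at a near-zero score on its own because legitimate sendgb.com
# announcements would also match (the FP concern raised in the thread).
uri      LOCAL_URI_SENDGB   /^https?:\/\/(?:[^\/]+\.)?sendgb\.com(?:[\/:?#]|$)/i
describe LOCAL_URI_SENDGB   Link to public file-sharing service sendgb.com
score    LOCAL_URI_SENDGB   0.1

# Lure phrases typical of credential-phishing "document delivery" mails.
# Names starting with "__" are subrules: they carry no score and exist only
# to be combined in the meta rule below.
body     __LOCAL_LURE_SECURE_DOC   /\bsecure\s+document\b/i
body     __LOCAL_LURE_SIGNATURE    /\byour\s+(?:e-?)?signature\b/i
body     __LOCAL_LURE_PAYMENT      /\bpayment\s+(?:advice|notice|notification|remittance)\b/i
body     __LOCAL_LURE_MESSAGE      /\b(?:special|new|secure|encrypted)\s+message\b/i

# Count how many lure phrases appear; meta rules allow arithmetic on hits.
meta     __LOCAL_LURE_COUNT   (__LOCAL_LURE_SECURE_DOC + __LOCAL_LURE_SIGNATURE + __LOCAL_LURE_PAYMENT + __LOCAL_LURE_MESSAGE)

# Score only when the file-sharing link and at least one lure occur together.
meta     LOCAL_SENDGB_LURE   (LOCAL_URI_SENDGB && (__LOCAL_LURE_COUNT >= 1))
describe LOCAL_SENDGB_LURE   File-sharing link combined with phishing lure text
score    LOCAL_SENDGB_LURE   2.5

# Stronger signal when two or more lures are stacked with the link.
meta     LOCAL_SENDGB_LURE_MULTI   (LOCAL_URI_SENDGB && (__LOCAL_LURE_COUNT >= 2))
describe LOCAL_SENDGB_LURE_MULTI  File-sharing link with multiple phishing lure phrases
score    LOCAL_SENDGB_LURE_MULTI   1.5
```

Check the syntax with `spamassassin --lint` before deploying, then run the captured sample and a handful of known-good sendgb.com notifications through `spamassassin -t < message.eml` to confirm the meta fires on the phish and stays quiet on the legitimate announcements; the two meta scores stack, so a message with the link and two lures gains 4.0 in total, which is below the `required=5` threshold shown in the report and only tips it over together with other hits such as DCC_CHECK.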