Phishing attempt to get Netknow user passwords from Microsoft Outlook server
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Tue, 04 Oct 2022 14:03:01 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from)
id 1ofo7W-000DwH-2b
for dave@doctor.nl2k.ab.ca;
Tue, 04 Oct 2022 14:02:26 -0600
Resent-From: The Doctor
Resent-Date: Tue, 4 Oct 2022 14:02:26 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from [40.121.36.2] (port=34088 helo=webs.com)
by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))
(envelope-from)
id 1ofiNp-000Fy8-0r
for doctor@doctor.nl2k.ab.ca;
Tue, 04 Oct 2022 07:55:03 -0600
From: "notification@doctor.nl2k.ab.ca"
To: doctor@doctor.nl2k.ab.ca
Subject: doctor.nl2k.ab.ca : Password Update - FINAL REQUEST !!
Date: 4 Oct 2022 15:54:20 +0200
Message-ID: <20221004155420.02EABAF4166FD5A1@webs.com>
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Spam_score: 5.4
X-Spam_score_int: 54
X-Spam_bar: +++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Hello doctor This is the final request Notification being
sent to you to Update your password. Kindly acklownedge this mail and act
accordingly in order to avoid the risk of loosing your account. Your Password
for this account doctor@doctor.nl2k.ab.ca on doctor.nl2k.ab.ca expires today
and you are urgently required to Update your password to keep uisng your
account
Content analysis details: (5.4 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: translate.goog]
0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
[SPF failed: Please see http://www.openspf.org/Why?s=helo;id=webs.com;ip=40.121.36.2;r=doctor.nl2k.ab.ca]
0.9 SPF_FAIL SPF: sender does not match SPF record (fail)
[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=notification%40webs.com;ip=40.121.36.2;r=doctor.nl2k.ab.ca]
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.4 NAME_EMAIL_DIFF Sender NAME is an unrelated email address
-0.0 T_SCC_BODY_TEXT_LINE No description available.
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
1.1 FROM_MULTI_NORDNS Multiple From addresses + no rDNS
0.7 PDS_FROM_2_EMAILS From header has multiple different addresses
0.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML
only
Subject: {SPAM?} doctor.nl2k.ab.ca : Password Update - FINAL REQUEST !!
ckground-color: rgb(255, 255, 255);" data-test-id=3D"message-view-body">
eight: normal; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;=
position: relative; overflow-wrap: break-word;' data-test-id=3D"message-vi=
ew-body-content">
dding-bottom: 0px; padding-left: 24px;">
m: none; text-indent: 0px; letter-spacing: normal; font-family: "Helvetica =
Neue", Helvetica, Arial, sans-serif; font-size: 13px; font-style: normal; w=
ord-spacing: 0px; white-space: normal; orphans: 2; widows: 2; background-co=
lor: rgb(255, 255, 255); text-decoration-style: initial; text-decoration-co=
lor: initial;'>Hello doctor
This is the final request Notification being sent to you to Update you=
r password. Kindly acklownedge this mail and act accordingly in=
order to avoid the risk of loosing your account.
Your Password=
for this account doctor@doctor.nl2k.ab.ca on
span>doctor.nl2k.ab.ca expires today and you are urge=
ntly required to Update your password to keep uisng your account
text-indent: 0px; letter-spacing: normal; font-family: "Helvetica Neue", He=
lvetica, Arial, sans-serif; font-size: 13px; font-style: normal; word-spaci=
ng: 0px; white-space: normal; orphans: 2; widows: 2; background-color: rgb(=
255, 255, 255); text-decoration-style: initial; text-decoration-color: init=
ial;'>
In order to avoid the risk of loosing your account, use the button below to=
continue with & keep the same password for doctor@doctor.nl2k.=
ab.ca as you may experience huge loss of data if no action is=
taken
f=3D"https://kg55drsfnaqfgfqt2dunwkw536ahgkc6ixa6ydzcotbea-ipfs-cf--ipfs-co=
m.translate.goog/?_x_tr_hp=3Dbafybeihemsdn3&_x_tr_sl=3Dauto&_x_tr_tl=3Den&_=
x_tr_hl=3Den-US&#doctor@doctor.nl2k.ab.ca">
148, 148) 100%); padding: 5px 10px; border-radius: 8px; border: 1px solid r=
gb(8, 44, 64); border-image: none; text-align: center; color: rgb(31, 33, 2=
24); letter-spacing: 2px; font-size: 24px; font-variant: small-caps; font-w=
eight: bold; position: relative; cursor: pointer; box-shadow: 1px 3px 5px 2=
px #c0c0c0; text-shadow: 1px 1px 1px rgba(5,29,41,1); -ms-user-select: none=
; -webkit-box-shadow: 1px 3px 5px 2px #c0c0c0;=20
-moz-box-shadow: 1px 3px 5px 2px #c0c0c0; -webkit-touch-callout: none; -web=
kit-user-select: none; -khtml-user-select: none; -moz-user-select: none; us=
er-select: none;">update password<=
br>
For support, kindly visit
wkw536ahgkc6ixa6ydzcotbea-ipfs-cf--ipfs-com.translate.goog/?_x_tr_hp=3Dbafy=
beihemsdn3&_x_tr_sl=3Dauto&_x_tr_tl=3Den&_x_tr_hl=3Den-US&#doctor@doctor.nl=
2k.ab.ca">www.doctor.nl2k.ab.ca/doctor@doctor.nl2k.ab.ca/check-activity/
> to see email activity.
=3D"text-align: left; color: rgb(29, 34, 40); text-transform: none; letter-=
spacing: normal; font-family: Helvetica, Arial, sans-serif; font-size: 13px=
; font-style: normal; font-weight: 400; word-spacing: 0px; white-space: nor=
mal; table-layout: fixed; orphans: 2; widows: 2; background-color: rgb(255,=
255, 255); text-decoration-style: initial; text-decoration-color: initial;=
" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
-ms-word-break: normal;">
border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
: 6px; text-align: left; font-size: 16px; -ms-word-break: normal;" bgcolor=
=3D"#0073f0">
v>
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Tue, 04 Oct 2022 14:03:01 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from
id 1ofo7W-000DwH-2b
for dave@doctor.nl2k.ab.ca;
Tue, 04 Oct 2022 14:02:26 -0600
Resent-From: The Doctor
Resent-Date: Tue, 4 Oct 2022 14:02:26 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from [40.121.36.2] (port=34088 helo=webs.com)
by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))
(envelope-from
id 1ofiNp-000Fy8-0r
for doctor@doctor.nl2k.ab.ca;
Tue, 04 Oct 2022 07:55:03 -0600
From: "notification@doctor.nl2k.ab.ca"
To: doctor@doctor.nl2k.ab.ca
Subject: doctor.nl2k.ab.ca : Password Update - FINAL REQUEST !!
Date: 4 Oct 2022 15:54:20 +0200
Message-ID: <20221004155420.02EABAF4166FD5A1@webs.com>
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Spam_score: 5.4
X-Spam_score_int: 54
X-Spam_bar: +++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Hello doctor This is the final request Notification being
sent to you to Update your password. Kindly acklownedge this mail and act
accordingly in order to avoid the risk of loosing your account. Your Password
for this account doctor@doctor.nl2k.ab.ca on doctor.nl2k.ab.ca expires today
and you are urgently required to Update your password to keep uisng your
account
Content analysis details: (5.4 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: translate.goog]
0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
[SPF failed: Please see http://www.openspf.org/Why?s=helo;id=webs.com;ip=40.121.36.2;r=doctor.nl2k.ab.ca]
0.9 SPF_FAIL SPF: sender does not match SPF record (fail)
[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=notification%40webs.com;ip=40.121.36.2;r=doctor.nl2k.ab.ca]
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.4 NAME_EMAIL_DIFF Sender NAME is an unrelated email address
-0.0 T_SCC_BODY_TEXT_LINE No description available.
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
1.1 FROM_MULTI_NORDNS Multiple From addresses + no rDNS
0.7 PDS_FROM_2_EMAILS From header has multiple different addresses
0.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML
only
Subject: {SPAM?} doctor.nl2k.ab.ca : Password Update - FINAL REQUEST !!
ckground-color: rgb(255, 255, 255);" data-test-id=3D"message-view-body">
eight: normal; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;=
position: relative; overflow-wrap: break-word;' data-test-id=3D"message-vi=
ew-body-content">
dding-bottom: 0px; padding-left: 24px;">
m: none; text-indent: 0px; letter-spacing: normal; font-family: "Helvetica =
Neue", Helvetica, Arial, sans-serif; font-size: 13px; font-style: normal; w=
ord-spacing: 0px; white-space: normal; orphans: 2; widows: 2; background-co=
lor: rgb(255, 255, 255); text-decoration-style: initial; text-decoration-co=
lor: initial;'>Hello doctor
This is the final request Notification being sent to you to Update you=
r password. Kindly acklownedge this mail and act accordingly in=
order to avoid the risk of loosing your account.
Your Password=
for this account doctor@doctor.nl2k.ab.ca on
span>doctor.nl2k.ab.ca expires today and you are urge=
ntly required to Update your password to keep uisng your account
text-indent: 0px; letter-spacing: normal; font-family: "Helvetica Neue", He=
lvetica, Arial, sans-serif; font-size: 13px; font-style: normal; word-spaci=
ng: 0px; white-space: normal; orphans: 2; widows: 2; background-color: rgb(=
255, 255, 255); text-decoration-style: initial; text-decoration-color: init=
ial;'>
In order to avoid the risk of loosing your account, use the button below to=
continue with & keep the same password for doctor@doctor.nl2k.=
ab.ca as you may experience huge loss of data if no action is=
taken
f=3D"https://kg55drsfnaqfgfqt2dunwkw536ahgkc6ixa6ydzcotbea-ipfs-cf--ipfs-co=
m.translate.goog/?_x_tr_hp=3Dbafybeihemsdn3&_x_tr_sl=3Dauto&_x_tr_tl=3Den&_=
x_tr_hl=3Den-US&#doctor@doctor.nl2k.ab.ca">
148, 148) 100%); padding: 5px 10px; border-radius: 8px; border: 1px solid r=
gb(8, 44, 64); border-image: none; text-align: center; color: rgb(31, 33, 2=
24); letter-spacing: 2px; font-size: 24px; font-variant: small-caps; font-w=
eight: bold; position: relative; cursor: pointer; box-shadow: 1px 3px 5px 2=
px #c0c0c0; text-shadow: 1px 1px 1px rgba(5,29,41,1); -ms-user-select: none=
; -webkit-box-shadow: 1px 3px 5px 2px #c0c0c0;=20
-moz-box-shadow: 1px 3px 5px 2px #c0c0c0; -webkit-touch-callout: none; -web=
kit-user-select: none; -khtml-user-select: none; -moz-user-select: none; us=
er-select: none;">update password<=
br>
For support, kindly visit
wkw536ahgkc6ixa6ydzcotbea-ipfs-cf--ipfs-com.translate.goog/?_x_tr_hp=3Dbafy=
beihemsdn3&_x_tr_sl=3Dauto&_x_tr_tl=3Den&_x_tr_hl=3Den-US&#doctor@doctor.nl=
2k.ab.ca">www.doctor.nl2k.ab.ca/doctor@doctor.nl2k.ab.ca/check-activity/
> to see email activity.
=3D"text-align: left; color: rgb(29, 34, 40); text-transform: none; letter-=
spacing: normal; font-family: Helvetica, Arial, sans-serif; font-size: 13px=
; font-style: normal; font-weight: 400; word-spacing: 0px; white-space: nor=
mal; table-layout: fixed; orphans: 2; widows: 2; background-color: rgb(255,=
255, 255); text-decoration-style: initial; text-decoration-color: initial;=
" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
-ms-word-break: normal;">
border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
: 6px; text-align: left; font-size: 16px; -ms-word-break: normal;" bgcolor=
=3D"#0073f0">
v>