McAfee Phish from Google Gmail

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 23 Feb 2024 11:49:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.97.1 (FreeBSD))

(envelope-from )

id 1rdaaj-000000004dp-1Ciz

for dave@doctor.nl2k.ab.ca;

Fri, 23 Feb 2024 11:48:13 -0700

Resent-From: The Doctor

Resent-Date: Fri, 23 Feb 2024 11:48:13 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-lf1-f41.google.com ([209.85.167.41]:54581)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.97.1 (FreeBSD))

(envelope-from )

id 1rdaAU-00000000BET-0M1A

for doctor@doctor.nl2k.ab.ca;

Fri, 23 Feb 2024 11:21:10 -0700

Received: by mail-lf1-f41.google.com with SMTP id 2adb3069b0e04-512e75e013eso1132476e87.1

for ; Fri, 23 Feb 2024 10:19:04 -0800 (PST)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=gmail.com; s=20230601; t=1708712337; x=1709317137; darn=doctor.nl2k.ab.ca;

h=date:organization:mime-version:to:subject:from:message-id:from:to

:cc:subject:date:message-id:reply-to;

bh=pLkbiZiTasIsseVv4udDi7Mr/bLOR259rIiDzAHyonY=;


X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20230601; t=1708712337; x=1709317137;

h=date:organization:mime-version:to:subject:from:message-id

:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;

bh=pLkbiZiTasIsseVv4udDi7Mr/bLOR259rIiDzAHyonY=;


X-Gm-Message-State: AOJu0YweY4TdcjGiqRVtHWomBKXj/10Hf9GIPbplVjKDxWcofJ99ynFv

hNUR6aela5EgA4/KSn1F5DIzujztwmnd2QHhlU4tN+lk/JkpM35uQQ4cWsjTJOsfcfTGPw==

X-Google-Smtp-Source: AGHT+IHBaq+UboawQTd37/c6XhGIDfkvAbEqIASbJv/5W4uzIRS/8R+0ndMB0fhRy/YGRpy6JoIv5Q==

X-Received: by 2002:a05:6512:3092:b0:512:be44:6570 with SMTP id z18-20020a056512309200b00512be446570mr397419lfd.36.1708712336938;

Fri, 23 Feb 2024 10:18:56 -0800 (PST)

Received: from 82-132-246-114.dab.02.net (82-132-213-240.dab.02.net. [82.132.213.240])

by smtp.gmail.com with ESMTPSA id r21-20020a50d695000000b00563f3ee5003sm6981638edi.91.2024.02.23.10.18.54

for

(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);

Fri, 23 Feb 2024 10:18:56 -0800 (PST)

Message-ID: <65d8e190.500a0220.5e5d8.6ee5@mx.google.com>

From: "Wilma L Wilburn"

Subject: Your Subscription: Renewal Successful #60Z8N7

To: doctor@doctor.nl2k.ab.ca

Content-Type: multipart/alternative; boundary="KjY5cflbQfoItwIyi4QMfYrUq=_IpfvF41"

MIME-Version: 1.0

Organization: cc

Date: Fri, 23 Feb 2024 23:48:47 +0530

X-Antivirus: AVG (VPS 240223-0, 2/22/2024), Inbound message

X-Antivirus-Status: Clean



This is a multi-part message in MIME format



--KjY5cflbQfoItwIyi4QMfYrUq=_IpfvF41

Content-Type: text/plain; charset="utf-8"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline





McAfee Subscription Renewed=20





Dear Esteemed Customer, DOCTOR@DOCTOR.NL2K.AB.CA



We're pleased to inform you that your McAfee subscription has been suc=

cessfully renewed. This renewal confirms your continued protection and=

access to our premier cybersecurity solutions.



Detailed Renewal Information:





Renewal Aspect



Detail



Subscription Level:McAfee McAfee Ultimate WebGuard

Effective Date:23-02-2024

Charged Amount:$796.00

Billing ID:#LJK7OXT96W





Notice: The charged amount will be visible on your account within the =

next 24-48 hours. We offer a 48-hour post-renewal grace period for any=

considerations or changes you wish to make. Beyond this period, stand=

ard terms apply for any modifications or cancellations.



For any inquiries or additional support, please reach out to our dedic=

ated customer service team. We're here to assist you every step of the=

way.

Call Us: +1-|801|-658*9306



Thank you for your continued trust in McAfee. We look forward to servi=

ng your cybersecurity needs.



Warmest regards,

Wilma L Wilburn

McAfee=E2=84=A2 User Assistance and Support Department

+1-|801|-658*9306



=C2=A9 2024 McAfee. All rights reserved.=20





--KjY5cflbQfoItwIyi4QMfYrUq=_IpfvF41

Content-Type: text/html; charset="utf-8"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline









Subscription Renewal Success











McAfee Subscription Renewed





Dear Esteemed Customer, DOCTOR@DOCTOR.NL2K.AB.CA



We're pleased to inform you that your McAfee subscripti=

on has been successfully renewed. This renewal confirms your continued=

protection and access to our premier cybersecurity solutions.



=20

Detailed Renewal Information:

Renewal Aspect Detail
Subscription Level: McAfee McAfee SecureVault Elite
Effective Date: 23-02-2024
Charged Amount: $801.00
Billing ID: #R6VITJSZ1B






Notice: The charged amount will be=

visible on your account within the next 24-48 hours. We offer a 48-ho=

ur post-renewal grace period for any considerations or changes you wis=

h to make. Beyond this period, standard terms apply for any modificati=

ons or cancellations.





=20

For any inquiries or additional support, please reach o=

ut to our dedicated customer service team. We're here to assist you ev=

ery step of the way.
Call Us: +1-[801]-658*9306

=20

Thank you for your continued trust in McAfee. We look f=

orward to serving your cybersecurity needs.



=20

Warmest regards,


Wilma L Wilburn
McAfee=E2=84=A2 Helpdesk Representatives

+1-[801]-658*9306







=C2=A9 2024 McAfee. All rights reserved.













--KjY5cflbQfoItwIyi4QMfYrUq=_IpfvF41--



Costco Phish from Microsoft Outlook

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 23 Feb 2024 08:50:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.97.1 (FreeBSD))

(envelope-from )

id 1rdXnw-00000000JKs-28CR

for dave@doctor.nl2k.ab.ca;

Fri, 23 Feb 2024 08:49:40 -0700

Resent-From: The Doctor

Resent-Date: Fri, 23 Feb 2024 08:49:40 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-bn8nam11on2100.outbound.protection.outlook.com ([40.107.236.100]:58976 helo=NAM11-BN8-obe.outbound.protection.outlook.com)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.97.1 (FreeBSD))

(envelope-from )

id 1rdXIG-00000000I9U-0Idk

for doctor@doctor.nl2k.ab.ca;

Fri, 23 Feb 2024 08:17:00 -0700

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;

b=bqYbzDqQYK5bTe3690KeDBeB4hQGPSG1byYveNvOG95Brg1LolcaWv2gQwcoNIVdUsX0M4a/B8bX+i1dxC1/y8RBfTDnlsRzT9og5UQnznFaWFMzGgWqlv47iVWdmrGo1UWJmRLHvSwNMoAWo5B70Odf7vDTlFHHIWbNRNZ9V9ce3a3cjuzmAzmCHUgW+ETwgeRG7dMjc/U9qLQyVN86q9y0iyUKwTGqlVxFa+C7ezZb+nBJiLH3oKgPVJeOgz4hqnHmh5tr6P9w/P4YZHcClDv+xamORxaFt1JbNkNOU/wLKg0FRXZ/fM09XfaEWbNSK2muC+jdPNbFvXf244fL9Q==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;

s=arcselector9901;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;

bh=S8eaq3V4phAAuDayqn5Xna6yDxMW3cnCeVYFluAW/HE=;

b=gj9+50idZD9JrCY58zoq7cj9sutbLC458K19+Cvnl1MEOdsmevPFindGfexejYTlXOcGimj98s5xWN5O7d0BhmQXngpu8FPKlwm2j1aXC36FY40SMilLtWuY3+XX4Ta5Uh8WzYB5BaIy+Jf/5lJrmCWIbv/hzERJ86OBaNBKD2kWgxL2+yFpoGWkUpAii38irJiRBme8yinSi87vOHqsJpP0PWOqqoMN03yji5TNo1TV8uIVql4pdeqvGX0shhcCEsX+yVdX56AqOunAoQmieBa4xW+JxL9IeyXxJb34xtjatSlu/TmzHK8sthqHS0+i6XAAlSs6AdDgVyWCGgcbFQ==

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is

45.91.8.101) smtp.rcpttodomain=doctor.nl2k.ab.ca

smtp.mailfrom=xel4910.onmicrosoft.com; dmarc=none action=none

header.from=xel4910.onmicrosoft.com; dkim=none (message not signed); arc=none

(0)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=xel4910.onmicrosoft.com; s=selector2-xel4910-onmicrosoft-com;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;

bh=S8eaq3V4phAAuDayqn5Xna6yDxMW3cnCeVYFluAW/HE=;

b=E2uLyHbWV6gibeJOIDJ6bZH9IJXgR8+XqeKP0WgZwmzPeVd1qBVdas1OJIQQMDi2iPS0Up12F11lhFx6yKJKQYPgD1+6kNC6cU1xXe4HSICfwfyGIyBS0s83OI8eaHTzi3kTPWA4Edi8oj/5c9bh+qf6BnuiWxxoexKKA/urVxYNCV/XsVTCYYCYN4wwo/F4FoP9NHhmBmrRrMW7dJvLmlJmOAuPViFaPzD7dwLyN6N62HI2vM9rXlZGLqRjMWpTnC3upo/XJRXvKacZj2FPqoCeWDjqzIRAZeF+1zBHkgSj92HkH9S5Vb89LPHgmMaVG053Pp3FZkJ/pRuqK0kq8A==

X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 45.91.8.101)

smtp.mailfrom=xel4910.onmicrosoft.com; dkim=none (message not signed)

header.d=none;dmarc=none action=none header.from=xel4910.onmicrosoft.com;

Subject: Win Big: Complete Our Survey, Claim Your Prize

From: Costco Department

Date: Fri, 23 Feb 2024 15:57:53 +0100

MIME-Version: 1.0

To: doctor

x-priority: 1

Reply-To: Costco Department

Delivered-To: doctor

X-Sender: admin@xel4910.onmicrosoft.com

Content-Type: multipart/alternative; charset="UTF-8";boundary="K6aS6sPy1pTHPnu11t8etH"

Message-ID:

<8265086a-5cf2-4dc4-a443-4c1404d6d84c@SJ5PEPF000001D2.namprd05.prod.outlook.com>

X-EOPAttributedMessage: 0

X-MS-PublicTrafficType: Email

X-MS-TrafficTypeDiagnostic: SJ5PEPF000001D2:EE_|BL1PR18MB4262:EE_

X-MS-Office365-Filtering-Correlation-Id: 97f16cf5-333c-461f-76f5-08dc34822d5d

X-MS-Exchange-SenderADCheck: 1

X-MS-Exchange-AntiSpam-Relay: 0

X-Microsoft-Antispam: BCL:0;

X-Microsoft-Antispam-Message-Info:

WSSTlD/JW24hOAtbcA61Vu7jTM4XEvCNisW7Xui+pfdLX31wgNQ0Bs9gMfsEY/nIo8sAgnnZVBZE/j4CLZ9ol7zE9eE2xJiP6fRU2G73SfwIyzmAJFRSesl1H8kX7b0Z3gDU1gtOgRve12nWwpTojkdkNgKPUytKeFhBO9AI0jTuUNFpZHnmiexlvCw5W4wuVBq7j2yym7pqYMsi4Lxz1rv5w+0Ci7ox3vD8NG35pWJ6uZ7Ire02RA3hqz9oO1Nm2zVd5u5DU7lTfDRUy/Ol/sObsjw78wV2uOdLKTCOMsFTJqn5zpp/R5HzgecWgntZ7fcUjgibH4eeJ3PXI/aobWtq8mIsqfx68SMhs1sjtrb4IEWn+GvzwGszK+yOYqrvAzxqycYGaTFYH+Ml/XNnzg==

X-Forefront-Antispam-Report:

CIP:45.91.8.101;CTRY:RU;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.vizio.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(7200799017)(36860700004)(40470700004)(46966006)(85622047);DIR:OUT;SFP:1102;

X-OriginatorOrg: xel4910.onmicrosoft.com

X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 Feb 2024 15:14:48.7041

(UTC)

X-MS-Exchange-CrossTenant-Network-Message-Id: 97f16cf5-333c-461f-76f5-08dc34822d5d

X-MS-Exchange-CrossTenant-Id: 3757439f-02de-4d3e-a90a-4cc757e20afa

X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3757439f-02de-4d3e-a90a-4cc757e20afa;Ip=[45.91.8.101];Helo=[mail.vizio.com]

X-MS-Exchange-CrossTenant-AuthSource:

SJ5PEPF000001D2.namprd05.prod.outlook.com

X-MS-Exchange-CrossTenant-AuthAs: Anonymous

X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem

X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL1PR18MB4262

X-Spam_score: 11.5

X-Spam_score_int: 115

X-Spam_bar: +++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: b1SeBjHoxRe8M b1SeBjHoxRe8M b1SeBjHoxRe8M b1SeBjHoxRe8M v597u2lhqhukn

v597u2lhqhukn v597u2lhqhukn v597u2lhqhukn elOR7qramkc3 elOR7qramkc3 elOR7qramkc3

elOR7qramkc3 2ehdBNC4DV 2ehdBNC4DV 2ehdBNC4DV 2eh [...]



Content analysis details: (11.5 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist

[URI: utorent.blob.core.windows.net]

-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no

trust

[40.107.236.100 listed in list.dnswl.org]

-0.0 SPF_PASS SPF: sender matches SPF record

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

0.0 ARC_VALID Message has a valid ARC signature

0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid

-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's

domain

-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from

envelope-from domain

0.0 ARC_SIGNED Message has a ARC signature

0.5 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters

1.0 HK_RANDOM_REPLYTO Reply-To username looks random

1.0 HK_RANDOM_FROM From username looks random

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[40.107.236.100 listed in wl.mailspike.net]

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[customer-care-kgwpkvfpsstqh(at)xel4910.onmicrosoft.com]

0.1 TW_HQ BODY: Odd Letter Triples with HQ

0.1 TW_QH BODY: Odd Letter Triples with QH

0.1 TW_LH BODY: Odd Letter Triples with LH

0.1 TW_MK BODY: Odd Letter Triples with MK

1.6 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words

0.0 HTML_MESSAGE BODY: HTML included in message

0.7 MPART_ALT_DIFF BODY: HTML and text parts are different

0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.1 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image

1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different

freemails

1.0 XPRIO Has X-Priority header

2.7 SCC_BODY_URI_ONLY Very short body with something maybe clickable

0.0 T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX

0.0 T_REMOTE_IMAGE Message contains an external image

Subject: {SPAM?} Win Big: Complete Our Survey, Claim Your Prize

X-Antivirus: AVG (VPS 240223-0, 2/22/2024), Inbound message

X-Antivirus-Status: Clean



--cd4afNeJzQsgzn5EVIgmycg24Xks3Rpw

Content-Type: multipart/alternative; boundary="K6aS6sPy1pTHPnu11t8etH"



--K6aS6sPy1pTHPnu11t8etH

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable



b1SeBjHoxRe8M b1SeBjHoxRe8M b1SeBjHoxRe8M b1SeBjHoxRe8M

v597u2lhqhukn v597u2lhqhukn v597u2lhqhukn v597u2lhqhukn

elOR7qramkc3 elOR7qramkc3 elOR7qramkc3 elOR7qramkc3

2ehdBNC4DV 2ehdBNC4DV 2ehdBNC4DV 2ehdBNC4DV



--K6aS6sPy1pTHPnu11t8etH

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable























--K6aS6sPy1pTHPnu11t8etH--