Shoppers Drug Mart phish from Microsoft Outlook

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sun, 10 Mar 2024 17:25:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.97.1 (FreeBSD))

(envelope-from )

id 1rjSXA-00000000DQk-2Qjy

for dave@doctor.nl2k.ab.ca;

Sun, 10 Mar 2024 17:24:48 -0600

Resent-From: The Doctor

Resent-Date: Sun, 10 Mar 2024 17:24:48 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-dm6nam10hn2219.outbound.protection.outlook.com ([52.100.156.219]:1027 helo=NAM10-DM6-obe.outbound.protection.outlook.com)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.97.1 (FreeBSD))

(envelope-from )

id 1rjRPO-000000008gI-3kIT

for root@nk.ca;

Sun, 10 Mar 2024 16:12:47 -0600

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;

b=LePp4lEOOFUf/CUPPOHQnYYDprT8WJOfBbE3vgZOqjlLkDJYaD1tRPI6jF7LxefFU4osn8S4d8s2jFl3Ux8Id0EccFdploz3ctjDX0ZeFB7ZLncx7OyZkGgq/eNzncCOgJ27HaqGDi8lxLiNQyORu2gU/btTHFJ37qVwXG8ByRogo20lVDvz/0VvgYVLDwfxnCwNHwwFnyx2PlKhdgwegN1xdHY2JTwGE6Ua7111sB1E0ggUW3Gj85wCJqbLS0L7OCUPzIKFYnyF7c2PXWZWb3moHyRCqU1s29X6ZprZkSIKxACw+nAJABpSwTEQGvQJ8uidWG2ptnzNdO+gI9TBIw==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;

s=arcselector9901;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;

bh=yoPGfpTm6IB1dcNzV99lHNQb8ojsEBH6bEALAi5pws0=;

b=FMjKyNybRGgTo+WB+DpgC3fL5iyi4Ll/Cil2NME/Vq9xYpTGlE8Ln3L31zUSE6rlZIIDgGEiqnKnGowK84ILMl4n62p+KnEF1HpEjkVpkM206MdPUP114JeRY0q9eAJGZrG/VcqfKreWs5c/x0Pz1o4QUKkB2G/Smxf8yYK9nCie3hvy3Ub+ZdgnxG8ff8JWGKpACmcdEheoNAwwjreRRenUL8B+9BL+dHWo0mDkjlPWMzyt+aSNuLBn+HC76bwj5wZMR+yWWnQbczQE751DYe8U2fSKK21pIdG6epWEmNH8+Q7arcTk2rLWmnZr94vTGyoUG82SvfRZyNg5y73e3Q==

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is

172.233.57.211) smtp.rcpttodomain=nk.ca

smtp.mailfrom=xonwktb.onmicrosoft.com; dmarc=none action=none

header.from=xonwktb.onmicrosoft.com; dkim=none (message not signed); arc=none

(0)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=ringwoodchristian.onmicrosoft.com;

s=selector1-ringwoodchristian-onmicrosoft-com;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;

bh=yoPGfpTm6IB1dcNzV99lHNQb8ojsEBH6bEALAi5pws0=;

b=XUY3adg2VJKaI/Ar4dwxzV4HF6yk36DuKIkZy0flnLCDqn1S2c/+rtWrc+kG6AdcKx5wu44M5S1stnfGXis7tfy5Q7+ntoi1NJJ55IHJB5g9cw9dOA2Jdirqw6IM2KDfRh1afAkJde7fhvEcjcLZZ/xyWtSA285cu4sHZRO+bp4=

X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 172.233.57.211)

smtp.mailfrom=xonwktb.onmicrosoft.com; dkim=none (message not signed)

header.d=none;dmarc=none action=none header.from=xonwktb.onmicrosoft.com;

Thread-Topic: YOU'VE - RECEIVED - A - REWARDS ..kr3

Date: Sun, 10 Mar 2379 17:42:44 +0000

References: <441269923864.3.tpo32qp2t42akde2@mg-wyvganbb.wmypyfym.onmicrosoft.com>

X-MS-Has-Attach:

Authentication-Results-Original: dkim=pass (message not signed) header.d=pass;dmarc=bestguess action=bestguess header.from=xonwktb.onmicrosoft.com;

X-Forefront-Antispam-Report-Untrusted:

CIP:40.107.15.157;CTRY:IE;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKN;H:EUR01-E3W-obe.outbound.protection.outlook.com;PTR:mail-db5eur01on5594.outbound.protection.outlook.com;CAT:NONE;SFS:;DIR:INB;

Content-Language: en-US

MIME-Version: 1.0

X-MS-TNEF-Correlator:

In-Reply-To: <441269923864.3.tpo32qp2t42akde2@mg-wyvganbb.wmypyfym.onmicrosoft.com>

Subject: YOU'VE - RECEIVED - A - REWARDS..wZ0

msip_labels:

X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AM0PR08N56KGB.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230031)(41320700004)(376005)(1800799015)(38070700009);DIR:OUT;SFP:1102;

x-ms-traffictypediagnostic:

AM0PR08N56KGB:EE_|AM0PR0NGW9171:EE_|SG1PEPF0000NGW9:EE_|TYZPR0NGW9336:EE_|TYZPR0NGW9405:EE_|DS1PEPF00017098:EE_|MW4PR15MB4524:EE_

X-MS-Office365-Filtering-Correlation-Id: 84496528-4025-4227-f5f1-08dc414eeaad

Thread-Index: WU9VJ1ZFIC0gUkVDRUlWRUQgLSBBIC0gUkVXQVJEUy4uUmND

Content-Type: multipart/alternative; boundary="_000_AM0PR08N56KGBFXBP9QBZLU1MTYV2PWI85I5KNJRIK658N56KGBeurp_"

From: Drug Mart

Accept-Language: fr-FR, en-US

Message-ID:

To: "root@nk.ca"

X-EOPAttributedMessage: 0

X-MS-PublicTrafficType: Email

X-MS-Office365-Filtering-Correlation-Id-Prvs:

2a8960b8-4990-9608-rxev-8hospoj70zoy

X-MS-Exchange-SenderADCheck: 1

X-MS-Exchange-AntiSpam-Relay: 0

X-Microsoft-Antispam: BCL:0;

X-Microsoft-Antispam-Message-Info:


X-Forefront-Antispam-Report:

CIP:172.233.57.211;CTRY:NL;LANG:en;SCL:7;SRV:;IPV:NLI;SFV:SPM;H:xonwktb.onmicrosoft.com;PTR:172-233-57-211.ip.linodeusercontent.com;CAT:OSPM;SFS:(13230031)(82310400014)(376005)(34020700007)(36860700004)(61400799018)(41320700004)(15519875007);DIR:OUT;SFP:1501;

X-OriginatorOrg: xonwktb.onmicrosoft.com

X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Mar 2024 22:10:37.7791

(UTC)

X-MS-Exchange-CrossTenant-Network-Message-Id: 84496528-4025-4227-f5f1-08dc414eeaad

X-MS-Exchange-CrossTenant-Id: c7dac945-6627-4d40-864c-5b820e920e9e

X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=c7dac945-6627-4d40-864c-5b820e920e9e;Ip=[172.233.57.211];Helo=[xonwktb.onmicrosoft.com]

X-MS-Exchange-CrossTenant-AuthSource:

DS1PEPF00017098.namprd05.prod.outlook.com

X-MS-Exchange-CrossTenant-AuthAs: Anonymous

X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem

X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR15MB4524

X-Spam_score: 8.1

X-Spam_score_int: 81

X-Spam_bar: ++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: [https://dehyddtptktslznup.blob.core.windows.net/dehyddtptktslznup/1.png?BM1nu1tqSoJg0TXYrNe]

[//dehyddtptktslznup.blob.core.windows.net/dehyddtptktslznup/1.png?St1f7X528ZUqATxLxCE]




Content analysis details: (8.1 points, 5.0 required)



 pts rule name                 description
---- ------------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE        RBL: Sender listed at http://www.dnswl.org/, no trust
                               [52.100.156.219 listed in list.dnswl.org]
-0.2 RCVD_IN_MSPIKE_H2         RBL: Average reputation (+2)
                               [52.100.156.219 listed in wl.mailspike.net]
-0.0 SPF_PASS                  SPF: sender matches SPF record
-0.0 SPF_HELO_PASS             SPF: HELO matches SPF record
-0.1 DKIM_VALID                Message has at least one valid DKIM or DK signature
 0.0 ARC_VALID                 Message has a valid ARC signature
 0.1 DKIM_SIGNED               Message has a DKIM or DK signature, not necessarily valid
 0.0 ARC_SIGNED                Message has a ARC signature
 0.0 AXB_X_FF_SEZ_S            Forefront sez this is spam
 0.0 T_DATE_IN_FUTURE_Q_PLUS   Date: is over 4 months after Received: date
 0.0 FREEMAIL_FROM             Sender email is commonly abused enduser mail provider
                               [abamicm.root-1typ3tp(at)xonwktb.onmicrosoft.com]
 2.5 DATE_IN_FUTURE_Q_PLUS     Date: is over 4 months after Received: date
 0.1 TW_XV                     BODY: Odd Letter Triples with XV
 0.1 TW_TP                     BODY: Odd Letter Triples with TP
 0.1 TW_IF                     BODY: Odd Letter Triples with IF
 0.1 TW_MH                     BODY: Odd Letter Triples with MH
 0.1 TW_BK                     BODY: Odd Letter Triples with BK
 0.1 TW_HQ                     BODY: Odd Letter Triples with HQ
 0.1 TW_KL                     BODY: Odd Letter Triples with KL
 0.1 TW_KB                     BODY: Odd Letter Triples with KB
 0.1 TW_TW                     BODY: Odd Letter Triples with TW
 0.1 TW_KK                     BODY: Odd Letter Triples with KK
 0.1 TW_FQ                     BODY: Odd Letter Triples with FQ
 0.1 TW_QD                     BODY: Odd Letter Triples with QD
 0.1 TW_FJ                     BODY: Odd Letter Triples with FJ
 0.1 TW_QX                     BODY: Odd Letter Triples with QX
 0.1 TW_WX                     BODY: Odd Letter Triples with WX
 0.1 TW_AQ                     BODY: Odd Letter Triples with AQ
 0.1 TW_HH                     BODY: Odd Letter Triples with HH
 0.1 TW_JH                     BODY: Odd Letter Triples with JH
 0.1 TW_QW                     BODY: Odd Letter Triples with QW
 0.1 TW_HX                     BODY: Odd Letter Triples with HX
 0.1 TW_HM                     BODY: Odd Letter Triples with HM
 0.1 TW_BH                     BODY: Odd Letter Triples with BH
 0.1 TW_UY                     BODY: Odd Letter Triples with UY
 0.5 URI_NOVOWEL               URI: URI hostname has long non-vowel sequence
 1.3 HTML_IMAGE_ONLY_24        BODY: HTML: images with 2000-2400 bytes of words
 0.0 HTML_MESSAGE              BODY: HTML included in message
 0.7 MPART_ALT_DIFF            BODY: HTML and text parts are different
 1.5 URI_IMG_CWINDOWSNET       Non-MSFT image hosted by Microsoft Azure infra, possible phishing
-0.0 T_SCC_BODY_TEXT_LINE      No description available.
 0.0 T_STY_INVIS_DIRECT        HTML hidden text + direct-to-MX

Subject: {SPAM?} YOU'VE - RECEIVED - A - REWARDS..wZ0



--_000_AM0PR08N56KGBFXBP9QBZLU1MTYV2PWI85I5KNJRIK658N56KGBeurp_

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable





[https://dehyddtptktslznup.blob.core.windows.net/dehyddtptktslznup/1.png?BM=

1nu1tqSoJg0TXYrNe] [//dehyddtptktslznup.blob.core.windows.net/dehyddtptktsl=

znup/1.png?St1f7X528ZUqATxLxCE]
s.net/dehyddtptktslznup/1.html#15/117-4972/926-183975-11612->

[https://dehyddtptktslznup.blob.core.windows.net/dehyddtptktslznup/2.png?75=

tjAgAh8XLcpgkmN5t] [//dehyddtptktslznup.blob.core.windows.net/dehyddtptktsl=

znup/2.png?bkf103CKFJTtqeyaQVM]
s.net/dehyddtptktslznup/2.html?sWL3AKPRvlldp4vohKO>




--_000_AM0PR08N56KGBFXBP9QBZLU1MTYV2PWI85I5KNJRIK658N56KGBeurp_

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

--_000_AM0PR08N56KGBFXBP9QBZLU1MTYV2PWI85I5KNJRIK658N56KGBeurp_--

Dr. Oz Keto phish from Microsoft Outlook

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 11 Mar 2024 10:10:17 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.97.1 (FreeBSD))

(envelope-from )

id 1rjiE3-000000009kX-1kfV

for dave@doctor.nl2k.ab.ca;

Mon, 11 Mar 2024 10:10:07 -0600

Resent-From: The Doctor

Resent-Date: Mon, 11 Mar 2024 10:10:07 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-southeastasiaazhn15010000.outbound.protection.outlook.com ([52.102.193.0]:54037 helo=SG2PR03CU006.outbound.protection.outlook.com)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.97.1 (FreeBSD))

(envelope-from )

id 1rjhyd-000000009Hr-37uW

for root@nk.ca;

Mon, 11 Mar 2024 09:54:15 -0600

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;

b=VccrPlXKXT0GMGMemULoCka66RmTNFE8vmGUuWjoIK31UGXyEjoZxkb5XCZ6IyRtt9/G81gn3OuOQ5DY4tqyoR3V/pxDQfZeqkylXUXG4GwAlTGEAUYJMljlsTqeIQeOzieI1iDk3sNlmlPcWi5nrCjpX8BNyF3oD3ghwp1q0mlKQnLUNKiIPKa2aaHf/EsQ6MPo24O7IbxdBcDslmNv13hlBQveZns18EtNdVHgLqijF8qurbJOoCulVnxCdncn6uY8R35uJuPNI4CqkjxF1ffs/bM1PYFQuJ5q2VRA9gtah4VnKhp1+ssn/kZbidFE3vrL7pPP2a730rU+4rLzQw==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;

s=arcselector9901;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;

bh=L8WydtIbO8Xh5uKphzrS2CS7P9NirP5bFUcMn2ZcCzA=;

b=iybxhjp4Npgr1B655tH3xKrX/ewoIW+P+mdQSbf0rmf8LQ2qaaaSPmolqA+IeUsweOpzLIhJ/XYRzaZDI+RTM4B1PSR50HbNhOuMnzavBgIrsad05QG14PeOgCuXrfDoTU6DAG2wJ6lDAUEzaUSl3XcSYdFs/82WoH9+1R5LSi9mYdUq6mllC26Hhsiets+7lhIUi6A3Zpp5PUTpEjJ8ycMFYoExfnLk5D+EtUs9Jh6OGwrvsaPgB8K4iKpfHVl0tHEGbsdhU5TuaBGIpnjOPE62pEoULNIbhysRJfybM1eTMqlolQl25uYqkZFHp6GsgeNdKwN2EDtoRnYQE5YSgA==

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is

45.148.244.11) smtp.rcpttodomain=nk.ca

smtp.mailfrom=4dhyurtshsf.decisionmakers.online; dmarc=none action=none

header.from=4dhyurtshsf.decisionmakers.online; dkim=none (message not

signed); arc=none (0)

X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 45.148.244.11)

smtp.mailfrom=4dhyurtshsf.decisionmakers.online; dkim=none (message not

signed) header.d=none;dmarc=none action=none

header.from=4dhyurtshsf.decisionmakers.online;

From: "=?UTF-8?Q?Dr. Oz. ?="

Subject: =?UTF-8?B?RXhlcmNpc2UgTm90IHdvcmtpbmc/?=

To: root@nk.ca

Cc: root@outlook.com

Content-Type: multipart/alternative;

boundary="_93161a05-8018-4d67-8adf-0e8a4f7e69c4_"

Date: Mon, 11 Mar 2024 15:52:04 +0000

MIME-Version: 1.0

Message-ID:

<13628653-c90d-42b9-9d49-c555a72ec2c5@SG1PEPF000082E8.apcprd02.prod.outlook.com>

X-EOPAttributedMessage: 0

X-MS-PublicTrafficType: Email

X-MS-TrafficTypeDiagnostic: SG1PEPF000082E8:EE_|TYSPR03MB8394:EE_

X-MS-Office365-Filtering-Correlation-Id: 91f1386c-10cb-4457-048d-08dc41e3339a

X-MS-Exchange-SenderADCheck: 1

X-MS-Exchange-AntiSpam-Relay: 0

X-Microsoft-Antispam: BCL:0;

X-Microsoft-Antispam-Message-Info:


X-Forefront-Antispam-Report:

CIP:45.148.244.11;CTRY:NL;LANG:en;SCL:7;SRV:;IPV:NLI;SFV:SPM;H:4dhyurtshsf.decisionmakers.online;PTR:rebertocarlos.avecnos.life;CAT:OSPM;SFS:(13230031)(82310400014)(376005)(36860700004)(41320700004)(34020700007)(61400799018)(20072699006);DIR:OUT;SFP:1501;

X-OriginatorOrg: 4dhyurtshsf.decisionmakers.online

X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Mar 2024 15:52:05.4974

(UTC)

X-MS-Exchange-CrossTenant-Network-Message-Id: 91f1386c-10cb-4457-048d-08dc41e3339a

X-MS-Exchange-CrossTenant-Id: 59b61446-e8ed-46c5-b4a5-ae46f37d8846

X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=59b61446-e8ed-46c5-b4a5-ae46f37d8846;Ip=[45.148.244.11];Helo=[4dhyurtshsf.decisionmakers.online]

X-MS-Exchange-CrossTenant-AuthSource:

SG1PEPF000082E8.apcprd02.prod.outlook.com

X-MS-Exchange-CrossTenant-AuthAs: Anonymous

X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem

X-MS-Exchange-Transport-CrossTenantHeadersStamped: TYSPR03MB8394

X-Spam_score: 15.2

X-Spam_score_int: 152

X-Spam_bar: +++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Exclusive: Wow! Look at me now! Wanna know how - the amazing

new diet taking the world by storm.



Content analysis details: (15.2 points, 5.0 required)



 pts rule name                 description
---- ------------------------- --------------------------------------------------
 1.9 URIBL_ABUSE_SURBL         Contains an URL listed in the ABUSE SURBL blocklist
                               [URI: yxlk5n62qxofyjbp.page.link]
-0.0 RCVD_IN_DNSWL_NONE        RBL: Sender listed at http://www.dnswl.org/, no trust
                               [52.102.193.0 listed in list.dnswl.org]
-0.2 RCVD_IN_MSPIKE_H2         RBL: Average reputation (+2)
                               [52.102.193.0 listed in wl.mailspike.net]
 1.7 URIBL_BLACK               Contains an URL listed in the URIBL blacklist
                               [URI: 172.233.14.7]
-0.0 SPF_PASS                  SPF: sender matches SPF record
-0.0 SPF_HELO_PASS             SPF: HELO matches SPF record
 0.0 ARC_VALID                 Message has a valid ARC signature
 0.0 ARC_SIGNED                Message has a ARC signature
 0.0 BAD_ENC_HEADER            Message has bad MIME encoding in the header
 0.3 FROM_LOCAL_HEX            From: localpart has long hexadecimal sequence
 0.0 FROM_LOCAL_DIGITS         From: localpart has long digit sequence
 0.0 AXB_X_FF_SEZ_S            Forefront sez this is spam
 0.0 NORMAL_HTTP_TO_IP         URI: URI host has a public dotted-decimal IPv4 address
 0.0 MIME_HTML_MOSTLY          BODY: Multipart message mostly text/html MIME
 0.7 HTML_IMAGE_ONLY_20        BODY: HTML: images with 1600-2000 bytes of words
 0.0 HTML_EXTRA_CLOSE          BODY: HTML contains far too many close tags
 0.0 HTML_MESSAGE              BODY: HTML included in message
 0.7 MPART_ALT_DIFF            BODY: HTML and text parts are different
-0.0 T_SCC_BODY_TEXT_LINE      No description available.
 0.3 HTML_SHORT_LINK_IMG_3     HTML is very short with a linked image
 0.0 T_HK_NAME_DR              No description available.
 2.0 FROM_SUSPICIOUS_NTLD_FP   From abused NTLD
 0.5 FROM_SUSPICIOUS_NTLD      From abused NTLD
 2.7 SCC_BODY_URI_ONLY         Very short body with something maybe clickable
 1.7 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                               [cf: 100]
 0.4 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 100]

Subject: {SPAM?} =?UTF-8?B?RXhlcmNpc2UgTm90IHdvcmtpbmc/?=



--_93161a05-8018-4d67-8adf-0e8a4f7e69c4_

Content-Type: text/plain; charset="UTF-8";

--_93161a05-8018-4d67-8adf-0e8a4f7e69c4_

Content-Type: text/html; charset="UTF-8";

Exclusive: Wow! Look at me now! Wanna know how - the amazing new diet taking the world by storm.

src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjHosWvobjKN7aUfB4ohRiI_17sF2yHSFNr7BG6Y7nRZYyHtYFC0jVqiAC65xdVDvoygpRfqmXdzlgXK5tYQRLIP62bOq1qHIsBqcd8rBLupYKzLtmdWLtn8hmg7PZ8crdMg1MRuzh9n5i4w6PYuqHKUJfzs6VcXyBQ8Ll3ILGYXWjtQVaRWNMlsPMyp0/s16000/KETOCA4086.png">






src="" zwUVdhObORHL>

--_93161a05-8018-4d67-8adf-0e8a4f7e69c4_--