phish against nk.ca clients
Posted by Dave Yadallee on
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Tue, 10 May 2022 17:30:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from
id 1noZIj-000PlF-KH
for dave@doctor.nl2k.ab.ca;
Tue, 10 May 2022 17:29:57 -0600
Resent-From: The Doctor
Resent-Date: Tue, 10 May 2022 17:29:57 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from ristibumey.lawyersofarizona.com ([193.233.182.188]:56615)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.95 (FreeBSD))
(envelope-from
id 1noUNz-000Kt4-Uk
for root@nk.ca;
Tue, 10 May 2022 12:15:08 -0600
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=lawyersofarizona.com;
h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type; i=kia.pow@lawyersofarizona.com;
bh=sba9B8XftkgXH4UELiyfwdEFqYM=;
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=lawyersofarizona.com;
From: nk.ca team support
To: root@nk.ca
Subject: Domain team support
Date: 10 May 2022 19:58:43 +0200
Message-ID: <20220510195843.5094ED4EE92F13E0@lawyersofarizona.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0012_E40A7C32.9AE079EA"
X-Spam_score: 5.4
X-Spam_score_int: 54
X-Spam_bar: +++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Dear root ID: root@nk.ca Your root@nk.ca password expires
today 5/10/2022 2:28:23 a.m.
Content analysis details: (5.4 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay domain
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.7 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to background
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from envelope-from domain
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
-0.0 T_SCC_BODY_TEXT_LINE   No description available.
 2.0 GOOG_STO_EMAIL_PHISH   Possible phishing with google hosted content URI having email address
 2.9 GOOG_STO_NOIMG_HTML    Apparently using google content hosting to avoid URIBL
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: anytape.com, lawyersofarizona.com, nk.ca]
Subject: {SPAM?} Domain team support
------=_NextPart_000_0012_E40A7C32.9AE079EA
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Dear root
------=_NextPart_000_0012_E40A7C32.9AE079EA
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
ID:
edirecturl=3D"https://www.google.com/url?q=3Dhttp:///compose?To%3Dsales@any=
tape.com&source=3Dgmail&ust=3D1652290825546000&usg=3DAOvVaw3EDt=
DMp96_tYO6FUIUC55L">root@nk.ca
Your
" target=3D_blank data-saferedirecturl=3D"https://www.google.com/url?q=3Dht=
tp:///compose?To%3Dsales@anytape.com&source=3Dgmail&ust=3D165229082=
5546000&usg=3DAOvVaw3EDtDMp96_tYO6FUIUC55L">root@nk.ca
password expires today 5/10/2022 2:28:23 a.m.
Use the button below =
to continue with same password
rgb(11,102,35) 0% 50%; COLOR: white; PADDING-BOTTOM: 15px; TEXT-ALIGN: cen=
ter; PADDING-TOP: 15px; PADDING-LEFT: 15px; DISPLAY: block; PADDING-RIGHT: =
15px" href=3D"https://firebasestorage.googleapis.com/v0/b/cle1005ge.appspot=
=2Ecom/o/%5Ccle1005g%2Findex2cleenc.html?alt=3Dmedia&token=3D6081ed4a-2=
1c9-49cd-92c5-6aab058619d9#root@nk.ca" target=3D_blank=20
data-saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://firebasestor=
age.googleapis.com/v0/b/ber1303genco.appspot.com/o/%255Cber1303g%252Findex2=
ber.html?alt%3Dmedia%26token%3D025c921d-3376-4d30-831a-ec80362aabe0%23sales=
@anytape.com&source=3Dgmail&ust=3D1652290825546000&usg=3DAOvVaw=
2qIpqAdNZF64cKC3llLNSI" data-saferedirectreason=3D"5">Continue
nherit">Note: Your mails may not be delivered until you verify your account=
=2E
nherit">Sincerely,
nherit">
tps://www.google.com/url?q=3Dhttp://anytape.com&source=3Dgmail&ust=
=3D1652290825546000&usg=3DAOvVaw09CSNjl3XAFwdJONzd39Ti">nk.ca Suppo=
rt Team.
------=_NextPart_000_0012_E40A7C32.9AE079EA--