Costco Phish from Microsoft Outlook

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 23 Feb 2024 08:50:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.97.1 (FreeBSD))

(envelope-from )

id 1rdXnw-00000000JKs-28CR

for dave@doctor.nl2k.ab.ca;

Fri, 23 Feb 2024 08:49:40 -0700

Resent-From: The Doctor

Resent-Date: Fri, 23 Feb 2024 08:49:40 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-bn8nam11on2100.outbound.protection.outlook.com ([40.107.236.100]:58976 helo=NAM11-BN8-obe.outbound.protection.outlook.com)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.97.1 (FreeBSD))

(envelope-from )

id 1rdXIG-00000000I9U-0Idk

for doctor@doctor.nl2k.ab.ca;

Fri, 23 Feb 2024 08:17:00 -0700

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;

b=bqYbzDqQYK5bTe3690KeDBeB4hQGPSG1byYveNvOG95Brg1LolcaWv2gQwcoNIVdUsX0M4a/B8bX+i1dxC1/y8RBfTDnlsRzT9og5UQnznFaWFMzGgWqlv47iVWdmrGo1UWJmRLHvSwNMoAWo5B70Odf7vDTlFHHIWbNRNZ9V9ce3a3cjuzmAzmCHUgW+ETwgeRG7dMjc/U9qLQyVN86q9y0iyUKwTGqlVxFa+C7ezZb+nBJiLH3oKgPVJeOgz4hqnHmh5tr6P9w/P4YZHcClDv+xamORxaFt1JbNkNOU/wLKg0FRXZ/fM09XfaEWbNSK2muC+jdPNbFvXf244fL9Q==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;

s=arcselector9901;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;

bh=S8eaq3V4phAAuDayqn5Xna6yDxMW3cnCeVYFluAW/HE=;

b=gj9+50idZD9JrCY58zoq7cj9sutbLC458K19+Cvnl1MEOdsmevPFindGfexejYTlXOcGimj98s5xWN5O7d0BhmQXngpu8FPKlwm2j1aXC36FY40SMilLtWuY3+XX4Ta5Uh8WzYB5BaIy+Jf/5lJrmCWIbv/hzERJ86OBaNBKD2kWgxL2+yFpoGWkUpAii38irJiRBme8yinSi87vOHqsJpP0PWOqqoMN03yji5TNo1TV8uIVql4pdeqvGX0shhcCEsX+yVdX56AqOunAoQmieBa4xW+JxL9IeyXxJb34xtjatSlu/TmzHK8sthqHS0+i6XAAlSs6AdDgVyWCGgcbFQ==

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is

45.91.8.101) smtp.rcpttodomain=doctor.nl2k.ab.ca

smtp.mailfrom=xel4910.onmicrosoft.com; dmarc=none action=none

header.from=xel4910.onmicrosoft.com; dkim=none (message not signed); arc=none

(0)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=xel4910.onmicrosoft.com; s=selector2-xel4910-onmicrosoft-com;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;

bh=S8eaq3V4phAAuDayqn5Xna6yDxMW3cnCeVYFluAW/HE=;

b=E2uLyHbWV6gibeJOIDJ6bZH9IJXgR8+XqeKP0WgZwmzPeVd1qBVdas1OJIQQMDi2iPS0Up12F11lhFx6yKJKQYPgD1+6kNC6cU1xXe4HSICfwfyGIyBS0s83OI8eaHTzi3kTPWA4Edi8oj/5c9bh+qf6BnuiWxxoexKKA/urVxYNCV/XsVTCYYCYN4wwo/F4FoP9NHhmBmrRrMW7dJvLmlJmOAuPViFaPzD7dwLyN6N62HI2vM9rXlZGLqRjMWpTnC3upo/XJRXvKacZj2FPqoCeWDjqzIRAZeF+1zBHkgSj92HkH9S5Vb89LPHgmMaVG053Pp3FZkJ/pRuqK0kq8A==

X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 45.91.8.101)

smtp.mailfrom=xel4910.onmicrosoft.com; dkim=none (message not signed)

header.d=none;dmarc=none action=none header.from=xel4910.onmicrosoft.com;

Subject: Win Big: Complete Our Survey, Claim Your Prize

From: Costco Department

Date: Fri, 23 Feb 2024 15:57:53 +0100

MIME-Version: 1.0

To: doctor

x-priority: 1

Reply-To: Costco Department

Delivered-To: doctor

X-Sender: admin@xel4910.onmicrosoft.com

Content-Type: multipart/alternative; charset="UTF-8";boundary="K6aS6sPy1pTHPnu11t8etH"

Message-ID:

<8265086a-5cf2-4dc4-a443-4c1404d6d84c@SJ5PEPF000001D2.namprd05.prod.outlook.com>

X-EOPAttributedMessage: 0

X-MS-PublicTrafficType: Email

X-MS-TrafficTypeDiagnostic: SJ5PEPF000001D2:EE_|BL1PR18MB4262:EE_

X-MS-Office365-Filtering-Correlation-Id: 97f16cf5-333c-461f-76f5-08dc34822d5d

X-MS-Exchange-SenderADCheck: 1

X-MS-Exchange-AntiSpam-Relay: 0

X-Microsoft-Antispam: BCL:0;

X-Microsoft-Antispam-Message-Info:

WSSTlD/JW24hOAtbcA61Vu7jTM4XEvCNisW7Xui+pfdLX31wgNQ0Bs9gMfsEY/nIo8sAgnnZVBZE/j4CLZ9ol7zE9eE2xJiP6fRU2G73SfwIyzmAJFRSesl1H8kX7b0Z3gDU1gtOgRve12nWwpTojkdkNgKPUytKeFhBO9AI0jTuUNFpZHnmiexlvCw5W4wuVBq7j2yym7pqYMsi4Lxz1rv5w+0Ci7ox3vD8NG35pWJ6uZ7Ire02RA3hqz9oO1Nm2zVd5u5DU7lTfDRUy/Ol/sObsjw78wV2uOdLKTCOMsFTJqn5zpp/R5HzgecWgntZ7fcUjgibH4eeJ3PXI/aobWtq8mIsqfx68SMhs1sjtrb4IEWn+GvzwGszK+yOYqrvAzxqycYGaTFYH+Ml/XNnzg==

X-Forefront-Antispam-Report:

CIP:45.91.8.101;CTRY:RU;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.vizio.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(7200799017)(36860700004)(40470700004)(46966006)(85622047);DIR:OUT;SFP:1102;

X-OriginatorOrg: xel4910.onmicrosoft.com

X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 Feb 2024 15:14:48.7041

(UTC)

X-MS-Exchange-CrossTenant-Network-Message-Id: 97f16cf5-333c-461f-76f5-08dc34822d5d

X-MS-Exchange-CrossTenant-Id: 3757439f-02de-4d3e-a90a-4cc757e20afa

X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3757439f-02de-4d3e-a90a-4cc757e20afa;Ip=[45.91.8.101];Helo=[mail.vizio.com]

X-MS-Exchange-CrossTenant-AuthSource:

SJ5PEPF000001D2.namprd05.prod.outlook.com

X-MS-Exchange-CrossTenant-AuthAs: Anonymous

X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem

X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL1PR18MB4262

X-Spam_score: 11.5

X-Spam_score_int: 115

X-Spam_bar: +++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: b1SeBjHoxRe8M b1SeBjHoxRe8M b1SeBjHoxRe8M b1SeBjHoxRe8M v597u2lhqhukn

v597u2lhqhukn v597u2lhqhukn v597u2lhqhukn elOR7qramkc3 elOR7qramkc3 elOR7qramkc3

elOR7qramkc3 2ehdBNC4DV 2ehdBNC4DV 2ehdBNC4DV 2eh [...]



Content analysis details: (11.5 points, 5.0 required)



 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.9 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                            [URI: utorent.blob.core.windows.net]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                            trust
                            [40.107.236.100 listed in list.dnswl.org]
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.0 ARC_VALID              Message has a valid ARC signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
-0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                            envelope-from domain
 0.0 ARC_SIGNED             Message has a ARC signature
 0.5 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 1.0 HK_RANDOM_REPLYTO      Reply-To username looks random
 1.0 HK_RANDOM_FROM         From username looks random
-0.2 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [40.107.236.100 listed in wl.mailspike.net]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            [customer-care-kgwpkvfpsstqh(at)xel4910.onmicrosoft.com]
 0.1 TW_HQ                  BODY: Odd Letter Triples with HQ
 0.1 TW_QH                  BODY: Odd Letter Triples with QH
 0.1 TW_LH                  BODY: Odd Letter Triples with LH
 0.1 TW_MK                  BODY: Odd Letter Triples with MK
 1.6 HTML_IMAGE_ONLY_12     BODY: HTML: images with 800-1200 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.7 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
-0.0 T_SCC_BODY_TEXT_LINE   No description available.
 0.1 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
 1.0 FREEMAIL_REPLYTO       Reply-To/From or Reply-To/body contain different
                            freemails
 1.0 XPRIO                  Has X-Priority header
 2.7 SCC_BODY_URI_ONLY      Very short body with something maybe clickable
 0.0 T_STY_INVIS_DIRECT     HTML hidden text + direct-to-MX
 0.0 T_REMOTE_IMAGE         Message contains an external image

Subject: {SPAM?} Win Big: Complete Our Survey, Claim Your Prize

X-Antivirus: AVG (VPS 240223-0, 2/22/2024), Inbound message

X-Antivirus-Status: Clean



--cd4afNeJzQsgzn5EVIgmycg24Xks3Rpw

Content-Type: multipart/alternative; boundary="K6aS6sPy1pTHPnu11t8etH"



--K6aS6sPy1pTHPnu11t8etH

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable



b1SeBjHoxRe8M b1SeBjHoxRe8M b1SeBjHoxRe8M b1SeBjHoxRe8M

v597u2lhqhukn v597u2lhqhukn v597u2lhqhukn v597u2lhqhukn

elOR7qramkc3 elOR7qramkc3 elOR7qramkc3 elOR7qramkc3

2ehdBNC4DV 2ehdBNC4DV 2ehdBNC4DV 2ehdBNC4DV



--K6aS6sPy1pTHPnu11t8etH

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable























--K6aS6sPy1pTHPnu11t8etH--
