Cookware phish from Microsoft Outlook

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sun, 31 Mar 2024 05:23:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.97.1 (FreeBSD))

(envelope-from )

id 1rqtGf-00000000JGh-2Nha

for dave@doctor.nl2k.ab.ca;

Sun, 31 Mar 2024 05:22:29 -0600

Resent-From: The Doctor

Resent-Date: Sun, 31 Mar 2024 05:22:29 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-lo4gbr01hn2201.outbound.protection.outlook.com ([52.100.228.201]:60813 helo=GBR01-LO4-obe.outbound.protection.outlook.com)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.97.1 (FreeBSD))

(envelope-from )

id 1rqklj-000000004W9-196v

for root@nk.ca;

Sat, 30 Mar 2024 20:18:04 -0600

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;

b=noB2Itdt/GsrrBmubW44hhZgBv860J1V7VOjvPxyJmLGVW8F0nEXnNZta9JujGLbud1YoHAYTujzrE08YXjmXYaS2Im0wxX+S764+twC+J5DR+mvhFPpJsd6KNCMz8DmQdNzB7Prm3U+TwCwO/omHuZSwySjKfV4aXerLdU8JEXU7iHT1qigZGSDjZyt/38iTI5LPdh1CwOp2ecDf9MpU9mfchEH/bAsN9nNWNuMnsCBY/yYqBDMQhOYpnxEuN+u8G+y+t/UZYGytnLyk49NKLy55BrIxCersLK9SE4AtL9zuR5OAZMgqN7sGaIIu74q4l9OytJJcKhS3ceOTO1UOw==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;

s=arcselector9901;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;

bh=teJV22+gWCVaKKxjxeOlM3x5agwLrBx25Gm4tNRlq5o=;

b=j5DO2Tp47z1zaeRDTZbLQbUojWDSPF+gxC/TMHcp2vqrcLJ/Q7Z/1wk67oh4rPFfYhmgn2mb+M7VRvWClJ5kSi5OuNBCDXLqDBQ2baRgTVa1OqC/Uw7hjkzGSXIuyUj+CcoDQswqfTgxa0jEL6ACZNIM0Z8a6ojzCrtm60xAyr9zfsLDyv204q8uC8l260CPAmiYzkmXLY0Al3zI1unjK1dB/gXD02yxVqBdTTwgHhOYk6JHqBcic3p6dSte+cKZ87QBbmWusPdKk3PL0cyQnKjt/DTjx/jeDbunbe7wRdT3pTcZudK7gCmTquFbPz9RKRAE8c93gOtkhDvedhjJJA==

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is

45.11.93.53) smtp.rcpttodomain=nk.ca smtp.mailfrom=zmbhksu.onmicrosoft.com;

dmarc=none action=none header.from=zmbhksu.onmicrosoft.com; dkim=none

(message not signed); arc=none (0)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=wetherbyprepstudentscouk.onmicrosoft.com;

s=selector1-wetherbyprepstudentscouk-onmicrosoft-com;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;

bh=teJV22+gWCVaKKxjxeOlM3x5agwLrBx25Gm4tNRlq5o=;

b=XdjaNl7icLdwMo6exIUplqjn4l5rHBHTX9I9rhJs6KFXHcNYoSvMvvB2wm88NYftrw8ImwpNMsUwbEJ6a+QWbOcd+/3WAxPF14RAxaeR3h/kj7f3YaanWbwATco+x6mVcctwDa+UBHEVUkKwaJZLnULWe4kkngQj1tF0eLRtOLw=

X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 45.11.93.53)

smtp.mailfrom=zmbhksu.onmicrosoft.com; dkim=none (message not signed)

header.d=none;dmarc=none action=none header.from=zmbhksu.onmicrosoft.com;

To: root@aol.com

Msip_labels:

Cc: root@aol.com

Message-ID:

Thread-Topic: Experience Pure Sound Freedom with Bose Wireless Headphones cGXQgbWm

Content-Type: multipart/related; boundary="m3uIZEHSRyFNX3wOTf8pBBUVFk5P3UpH3Fmxy4pLOr"; type="multipart/alternative"

MIME-Version: 1.0

Accept-Language: en-GB, en-US

Thread-Index: m1tZqap3q4GeMshOrGvh7PGgDSQ2TW==

From: =?UTF-8?B?Q2FuYWRpYW4gVGlyZSBSZXdhcmRz?=

Date: Sun, 31 Mar 2024 02:15:54 +0000

X-MS-Has-Attach: yes

Content-Language: en-US

Subject: "Receive-a-FREE-Rachael.Ray.Cucina.Cookware.Set"

X-EOPAttributedMessage: 0

X-MS-PublicTrafficType: Email

X-MS-TrafficTypeDiagnostic: CW2PEPF000056BE:EE_|LO0P123MB4188:EE_

X-MS-Office365-Filtering-Correlation-Id: b5b988b9-f0a4-44ee-23e0-08dc51287f29

X-MS-Exchange-SenderADCheck: 1

X-MS-Exchange-AntiSpam-Relay: 0

X-Microsoft-Antispam: BCL:0;

X-Microsoft-Antispam-Message-Info:

=?iso-8859-1?Q?yRzEcPomrf5qP4+tQIXnO/ACCPvwgz1nxPgybdqcSRameKehulSi2mV+Dg?=

=?iso-8859-1?Q?p01NkMu5OcP9+BQFRzMjhcNb31RXTNIntLz6O9+o1rn7QlS7qLSiTQ2v16?=

=?iso-8859-1?Q?HZJiwHIiyGJiEMU+tK6R74dYYQsiPwcveo0zv6nHU+Q7eSA8tFeN7zCdrB?=

=?iso-8859-1?Q?zmkN7cSYqxb8ag8uGGoo/mL4mS03J3+nvFXH57t4ZbVWysYkQ3o+4DdMJM?=

=?iso-8859-1?Q?vv7B0W1hWQLTuhTxencvUg8iKv2OASkfD97MsPL2Hr0Z1RadMHkO9iw3Qa?=

=?iso-8859-1?Q?CcwQKvPoWgGlWJF1V4eBDUYg+0eeNVfDUfSKtlWFN2jM49rVc3ClbP6n8n?=

=?iso-8859-1?Q?97ccHB3l5yI6XWhrEL4vk48+6oYZVyYd1LG6BMyp25zOchiFIIjO3T5x0A?=

=?iso-8859-1?Q?/468IPxFhy5fW5ca9p0PrFoIca9H1ewlio3bXWS/sgPv29NvfR4RijXAoK?=

=?iso-8859-1?Q?51L7MSAzOXU5MytMmLMRz+Oyq21rGjJIYS+txe71fGZl7Rdh5eh7RPgegv?=

=?iso-8859-1?Q?BHy+Oj8XBDlWGgTEZLWc4TdMhfZXK67SONreYiwjwng8WJ0YI3u1f8MB8G?=

=?iso-8859-1?Q?gG+8wPKDGjxk3SjPCiu5FJ2ScrO4Z7XsVaWdDaXrB2EiamKNYqOce5YjzH?=

=?iso-8859-1?Q?sO0PjuJDtLZLK28XRwYV3mYd5O1Hw7XPNDudCjTvLvCe7DAgYs7zQz99uh?=

=?iso-8859-1?Q?ZGdTBVC7lXrkx00Jcgcjme/5IcuJz2rW5CrnTlLKHNMTZWogByPu+VzXFn?=

=?iso-8859-1?Q?gfh5FTFAvIezu7uRZBDHLjSkWCRwCC00+Jz6I2DqcKmXIGgPjx8rzuM1pi?=

=?iso-8859-1?Q?WmEYDOR+D/LlQsBdzZJhsTpxUrWoPxDz7SVEt1gH9rrz2pT3wU4bim0kEj?=

=?iso-8859-1?Q?hpUVjgyIEdewjaR1ZRH8evOAsMtxO7hnszGOVUT+a4ip90Fcv9cniHjHfi?=

=?iso-8859-1?Q?zAWxmmUrJSs/Dt2rsXxkp3Wq6MFQFIafVBSWFi6GSibA3MTlloCW99d8+E?=

=?iso-8859-1?Q?7clYl5J6TF7M+HMQOyGTQ2PTKnYKFT2d+i/FMl+WIg9djZcTXDBeEQz4MG?=

=?iso-8859-1?Q?TqPFsOThGJYFbKCOoTuBAPStaQGKR9x+tFaCeeApc5mZe4PpQbyOa5paI6?=

=?iso-8859-1?Q?P+THwI3IK3FmZ4wx8zmQRd3hCsjVhGwba5mhy8kJdma1Qk5se6wfiReDW1?=

=?iso-8859-1?Q?XbbEjHRoedCfSsvKcdYHg0ACwVVGa2zEE2vzP0vqY43w7DLcRKhfGUg3Ox?=

=?iso-8859-1?Q?hN1IhoNT3fncgOfdf7dzL6kH0NKR6irEGCu2lzKB/rFdgMZtnBBJnDx3a4?=

=?iso-8859-1?Q?+VSSUFHj92czkR1XNLCU/TR2GJ2YpmF8a41e1HYMn+iRXqQ7htE2JwG7vh?=

=?iso-8859-1?Q?SjL1uEuXw/bQ0YQlKvP1L0XdirQ08UG4fsdjMMqS2Pm2IBthXbA+kytghC?=

=?iso-8859-1?Q?T+NlhnvcUnZPngrr?=

X-Forefront-Antispam-Report:

CIP:45.11.93.53;CTRY:US;LANG:en;SCL:8;SRV:;IPV:CAL;SFV:SPM;H:zmbhksu.onmicrosoft.com;PTR:InfoDomainNonexistent;CAT:OSPM;SFS:(13230031)(4093299003)(36860700004)(376005)(82310400014)(61400799018)(41320700004)(34020700007)(4143199003);DIR:OUT;SFP:1501;

X-OriginatorOrg: zmbhksu.onmicrosoft.com

X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Mar 2024 02:15:54.8399

(UTC)

X-MS-Exchange-CrossTenant-Network-Message-Id: b5b988b9-f0a4-44ee-23e0-08dc51287f29

X-MS-Exchange-CrossTenant-Id: 758d6117-8a63-4a5d-8dd9-7339a955921a

X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=758d6117-8a63-4a5d-8dd9-7339a955921a;Ip=[45.11.93.53];Helo=[zmbhksu.onmicrosoft.com]

X-MS-Exchange-CrossTenant-AuthSource: CW2PEPF000056BE.GBRP265.PROD.OUTLOOK.COM

X-MS-Exchange-CrossTenant-AuthAs: Anonymous

X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem

X-MS-Exchange-Transport-CrossTenantHeadersStamped: LO0P123MB4188

X-Spam_score: 7.3

X-Spam_score_int: 73

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Exclusive-Survey-Reward: Get a Rachael Ray Cucina Cookware

Set ylY3PZxw98Lzf ylY3PZxw98Lzf ylY3PZxw98Lzf ylY3PZxw98Lzf ylY3PZxw98Lzf

ylY3PZxw98Lzf ylY3PZxw98Lzf ylY3PZxw98Lzf Z3Vq1tr7oOMn Z3Vq1tr7oOMn Z3Vq1tr7oOMn

Z3Vq1tr7oOMn QTQIO1r9WI QTQIO1r9WI QTQIO1r9WI QTQ [...]



Content analysis details: (7.3 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no

trust

[52.100.228.201 listed in list.dnswl.org]

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[52.100.228.201 listed in wl.mailspike.net]

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

-0.0 SPF_PASS SPF: sender matches SPF record

0.0 ARC_VALID Message has a valid ARC signature

-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

0.0 ARC_SIGNED Message has a ARC signature

0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid

0.0 AXB_X_FF_SEZ_S Forefront sez this is spam

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[pkonmlcwbam.i7wpm3vgiku33rldqrsctalvog(at)zmbhksu.onmicrosoft.com]

1.6 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words

0.0 HTML_MESSAGE BODY: HTML included in message

0.7 MPART_ALT_DIFF BODY: HTML and text parts are different

0.3 HTML_SHORT_LINK_IMG_2 HTML is very short with a linked image

0.1 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily

3.9 SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header

0.9 STY_INVIS_DIRECT HTML hidden text + direct-to-MX

Subject: {SPAM?} "Receive-a-FREE-Rachael.Ray.Cucina.Cookware.Set"

X-Antivirus: AVG (VPS 240331-0, 3/30/2024), Inbound message

X-Antivirus-Status: Clean



--m3uIZEHSRyFNX3wOTf8pBBUVFk5P3UpH3Fmxy4pLOr

Content-Type: multipart/alternative; boundary="NseTd6P29hAO8VZ5MrP507GXZ1nODU5EvbftjO8CDfWTxKRxaj3U"



--NseTd6P29hAO8VZ5MrP507GXZ1nODU5EvbftjO8CDfWTxKRxaj3U

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit































--NseTd6P29hAO8VZ5MrP507GXZ1nODU5EvbftjO8CDfWTxKRxaj3U

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: hexa



ylY3PZxw98Lzf ylY3PZxw98Lzf ylY3PZxw98Lzf ylY3PZxw98Lzf

ylY3PZxw98Lzf ylY3PZxw98Lzf ylY3PZxw98Lzf ylY3PZxw98Lzf

Z3Vq1tr7oOMn Z3Vq1tr7oOMn Z3Vq1tr7oOMn Z3Vq1tr7oOMn

QTQIO1r9WI QTQIO1r9WI QTQIO1r9WI QTQIO1r9WI

ylY3PZxw98Lzf ylY3PZxw98Lzf ylY3PZxw98Lzf ylY3PZxw98Lzf





Z3Vq1tr7oOMn Z3Vq1tr7oOMn Z3Vq1tr7oOMn Z3Vq1tr7oOMn

QTQIO1r9WI QTQIO1r9WI QTQIO1r9WI QTQIO1r9WI

ylY3PZxw98Lzf ylY3PZxw98Lzf ylY3PZxw98Lzf ylY3PZxw98Lzf

Z3Vq1tr7oOMn Z3Vq1tr7oOMn Z3Vq1tr7oOMn Z3Vq1tr7oOMn

QTQIO1r9WI QTQIO1r9WI QTQIO1r9WI QTQIO1r9WI







--NseTd6P29hAO8VZ5MrP507GXZ1nODU5EvbftjO8CDfWTxKRxaj3U--



--m3uIZEHSRyFNX3wOTf8pBBUVFk5P3UpH3Fmxy4pLOr--

Trackbacks

Trackback specific URI for this entry

This link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA