hinet phish involving payment
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Tue, 05 Sep 2023 14:15:04 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96 (FreeBSD))
(envelope-from)
id 1qdc76-000Lqy-2F
for dave@doctor.nl2k.ab.ca;
Tue, 05 Sep 2023 13:53:28 -0600
Resent-From: The Doctor
Resent-Date: Tue, 5 Sep 2023 13:53:28 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from 60-249-148-149.hinet-ip.hinet.net ([60.249.148.149]:56598 helo=secure.net)
by doctor.nl2k.ab.ca with esmtp (Exim 4.96 (FreeBSD))
(envelope-from)
id 1qdbWG-000MST-0B
for root@mail.nl2k.ab.ca;
Tue, 05 Sep 2023 13:15:31 -0600
From: Adobe_Share_Payment_Doc
To: root@mail.nl2k.ab.ca
Subject: ** VIRUS ***Merchant/Payroll (Invoice) Payment Document Via Adobe share
Date: 06 Sep 2023 03:13:00 +0800
Message-ID: <20230906031300.B1C1D83ABCA4E797@secure.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0012_E2123A9E.CAC34C29"
X-Spam_score: 5.5
X-Spam_score_int: 55
X-Spam_bar: +++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: You’re all done. Attached is the final agreement for your
reference. You're required to sign EFT Invoice #7801 Payment Approved- Agreement
Attached is the final agreement for your approved EFT Invoice. The document
is encrypted and attached to your email for your safety.
Content analysis details: (5.5 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
[60.249.148.149 listed in bb.barracudacentral.org]
1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
[URI: cdn.glitch.me]
0.0 TVD_RCVD_IP Message was received from an IP address
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
background
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.0 T_HTML_ATTACH HTML attachment to bypass scanning?
0.4 RDNS_DYNAMIC Delivered to internal network by host with
dynamic-looking rDNS
0.0 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
0.0 FILL_THIS_FORM Fill in a form with personal information
0.0 T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
0.4 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
Subject: ** VIRUS ***{SPAM?} Merchant/Payroll (Invoice) Payment Document Via Adobe share
X-Antivirus: AVG (VPS 230905-4, 9/5/2023), Inbound message
X-Antivirus-Status: Infected
X-Attachment: Adobe_Approved_(Invoice)_Payment.html#1246483431 Virus: HTML:Phishing-CJK [Phish] Moved to chest
This is a multi-part message in MIME format.
------=_NextPart_000_0012_E2123A9E.CAC34C29
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
=3DUTF-8"/>
ss=3D"_xWdq isFirstCard jCu2s" style=3D"PADDING-BOTTOM: 12px; PADDING-TOP: =
0px; PADDING-LEFT: 12px; MARGIN-LEFT: 8px; PADDING-RIGHT: 12px; MARGIN-RIGH=
T: 20px">
dex=3D0 aria-label=3D"Opens Profile Card for Pella Austin" class=3D"undefin=
ed lpc-hoverTarget" data-is-focusable=3D"true" data-lpc-hover-target-id=3D"=
react-target-v2-500">
coin-374">
=Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Tue, 05 Sep 2023 14:15:04 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96 (FreeBSD))
(envelope-from
id 1qdc76-000Lqy-2F
for dave@doctor.nl2k.ab.ca;
Tue, 05 Sep 2023 13:53:28 -0600
Resent-From: The Doctor
Resent-Date: Tue, 5 Sep 2023 13:53:28 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from 60-249-148-149.hinet-ip.hinet.net ([60.249.148.149]:56598 helo=secure.net)
by doctor.nl2k.ab.ca with esmtp (Exim 4.96 (FreeBSD))
(envelope-from
id 1qdbWG-000MST-0B
for root@mail.nl2k.ab.ca;
Tue, 05 Sep 2023 13:15:31 -0600
From: Adobe_Share_Payment_Doc
To: root@mail.nl2k.ab.ca
Subject: ** VIRUS ***Merchant/Payroll (Invoice) Payment Document Via Adobe share
Date: 06 Sep 2023 03:13:00 +0800
Message-ID: <20230906031300.B1C1D83ABCA4E797@secure.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0012_E2123A9E.CAC34C29"
X-Spam_score: 5.5
X-Spam_score_int: 55
X-Spam_bar: +++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: You’re all done. Attached is the final agreement for your
reference. You're required to sign EFT Invoice #7801 Payment Approved- Agreement
Attached is the final agreement for your approved EFT Invoice. The document
is encrypted and attached to your email for your safety.
Content analysis details: (5.5 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
[60.249.148.149 listed in bb.barracudacentral.org]
1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
[URI: cdn.glitch.me]
0.0 TVD_RCVD_IP Message was received from an IP address
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
background
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.0 T_HTML_ATTACH HTML attachment to bypass scanning?
0.4 RDNS_DYNAMIC Delivered to internal network by host with
dynamic-looking rDNS
0.0 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
0.0 FILL_THIS_FORM Fill in a form with personal information
0.0 T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
0.4 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
Subject: ** VIRUS ***{SPAM?} Merchant/Payroll (Invoice) Payment Document Via Adobe share
X-Antivirus: AVG (VPS 230905-4, 9/5/2023), Inbound message
X-Antivirus-Status: Infected
X-Attachment: Adobe_Approved_(Invoice)_Payment.html#1246483431 Virus: HTML:Phishing-CJK [Phish] Moved to chest
This is a multi-part message in MIME format.
------=_NextPart_000_0012_E2123A9E.CAC34C29
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
=3DUTF-8"/>
ss=3D"_xWdq isFirstCard jCu2s" style=3D"PADDING-BOTTOM: 12px; PADDING-TOP: =
0px; PADDING-LEFT: 12px; MARGIN-LEFT: 8px; PADDING-RIGHT: 12px; MARGIN-RIGH=
T: 20px">
dex=3D0 aria-label=3D"Opens Profile Card for Pella Austin" class=3D"undefin=
ed lpc-hoverTarget" data-is-focusable=3D"true" data-lpc-hover-target-id=3D"=
react-target-v2-500">
coin-374">
&=
nbsp;
nbsp;
z8y1T GNqVo yxtKT allowTextSelection">
OR: #f0f0f0" cellSpacing=3D16 cellPadding=3D0 border=3D0>
cellSpacing=3D0 cellPadding=3D0 align=3Dcenter border=3D0>
|
R: #ffffff; LINE-HEIGHT: 18px" vAlign=3Dtop width=3D39 align=3Dright>
tyle=3D"DISPLAY: inline-block; BACKGROUND-COLOR: #ff0000" border=3D0 alt=3D=
Adobe src=3D"https://na4.documents.adobe.com/images/emailNextGen/email-adob=
e-tag-classic@2x.png" width=3D39 height=3D64 data-imagetype=3D"External"> <=
/TD>
IN-LEFT: auto; DISPLAY: block; MARGIN-RIGHT: auto" alt=3D"" src=3D"https://= na4.documents.adobe.com/images/emailNextGen/checkmarkCircle@2x.png" data-im= agetype=3D"External"> f; DISPLAY: none !important; LINE-HEIGHT: 1px; MAX-HEIGHT: 0px; VISIBILITY:= hidden; opacity: 0">You’re all done. Attached is the final agreement= for your reference. GN: center; MARGIN: 0px">You're required to sign =3Dtrue>EFT Invoice #7801 Payment Approved- Agreement > GN: center; MARGIN: 0px"> GN: center; MARGIN: 0px">
|
To ensure that you continue receiving our = © 2022 Adobe. All rights reserved. |
V>
------=_NextPart_000_0012_E2123A9E.CAC34C29--
Trackbacks
Trackback specific URI for this entryThis link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.
No Trackbacks
Comments
Display comments as Linear | ThreadedNo comments