RSLCS

EMSISOFT email Spoofing?

A few minutes ago I received the following email pretending to be from Emsisoft:

Title: Invoice(s) due

The email address it was sent from in my case is: Emsisoft <[email protected]>; (Emsisoft via thealtar.info)

Header info:

Received: from CY4PR10MB1989.namprd10.prod.outlook.com
 (2a01:111:e400:7a4d::51) by BN6PR10MB1986.namprd10.prod.outlook.com with
 HTTPS via BN3PR03CA0091.NAMPRD03.PROD.OUTLOOK.COM; Mon, 19 Aug 2019 09:39:22
 +0000
Received: from MWHPR10CA0050.namprd10.prod.outlook.com (2603:10b6:300:2c::12)
 by CY4PR10MB1989.namprd10.prod.outlook.com (2603:10b6:903:11a::12) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2178.18; Mon, 19 Aug
 2019 09:39:21 +0000
Received: from SN1NAM01FT044.eop-nam01.prod.protection.outlook.com
 (2a01:111:f400:7e40::200) by MWHPR10CA0050.outlook.office365.com
 (2603:10b6:300:2c::12) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2178.16 via Frontend
 Transport; Mon, 19 Aug 2019 09:39:21 +0000
Authentication-Results: spf=none (sender IP is 173.201.192.186)
 smtp.mailfrom=thealtar.info; rslcomputers.com; dkim=none (message not signed)
 header.d=none;rslcomputers.com; dmarc=fail action=quarantine
 header.from=emsisoft.com;compauth=fail reason=000
Received-SPF: None (protection.outlook.com: thealtar.info does not designate
 permitted sender hosts)
Received: from p3plwbeout14-03.prod.phx3.secureserver.net (173.201.192.186) by
 SN1NAM01FT044.mail.protection.outlook.com (10.152.65.225) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
 15.20.2178.16 via Frontend Transport; Mon, 19 Aug 2019 09:39:20 +0000
Received: from p3plgemwbe14-06.prod.phx3.secureserver.net ([173.201.192.155])
    by :WBEOUT: with SMTP
    id ze7lhNK5aCOgBze7lhwknU; Mon, 19 Aug 2019 02:38:49 -0700
X-SID: ze7lhNK5aCOgB
Received: (qmail 27063 invoked by uid 99); 19 Aug 2019 09:38:49 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 185.232.22.204
User-Agent: Workspace Webmail 6.9.59
Message-Id: <[email protected]mail14.godaddy.com>
From: "Emsisoft" <[email protected]>
X-Sender: [email protected]
Reply-To: "Emsisoft" <[email protected]>
To:
Subject: Invoice(s) Due
Date: Mon, 19 Aug 2019 02:38:45 -0700
Mime-Version: 1.0
X-CMAE-Envelope: MS4wfNBVZhrgbzXKdfKr1g3R1v01SOMJCYE71uYLEPOCW6VDE41cWKCv7iHHNTdC6CSMpKrRBN9gzyc6R+x1ZE9gEE58qyHEvRbUeO3sWK/Ri6lGI+ly5Vu5
 2vf/q1wNG30vIoGlPuQpfq/tBA6juYsp/5fyBnkXgt9EfEXcSAhUtSyb2dhk8XxuyKhq0EaMYn1kljHRTU14NKeJP5MjPspAqxw=
Return-Path: [email protected]
X-MS-Exchange-Organization-ExpirationStartTime: 19 Aug 2019 09:39:20.6845
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 76c22b4c-30f7-46be-477e-08d724891cb3
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: dff0cfe4-0774-41ed-a299-d72b333064a1:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Matching-Connectors:
 132106811607365733;();(30aae98b-e46d-47eb-c8af-08d3b25b0f82,ff47d72d-0fa9-4508-46b6-08d429cf5cf9,4aa9d499-1c82-4814-693f-08d51fe40331)
X-Forefront-Antispam-Report:
 CIP:173.201.192.186;IPV:NLI;CTRY:US;EFV:NLI;SFV:SPM;SFS:(10001);DIR:INB;SFP:;SCL:5;SRVR:CY4PR10MB1989;H:p3plwbeout14-03.prod.phx3.secureserver.net;FPR:;SPF:None;LANG:en;CAT:SPM;
X-MS-Exchange-Organization-AuthSource:
 SN1NAM01FT044.eop-nam01.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 76c22b4c-30f7-46be-477e-08d724891cb3
X-Microsoft-Antispam:
 BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(5600148)(711020)(4605104)(4710121)(4712094)(1403117)(71702078)(7193020);SRVR:CY4PR10MB1989;
X-MS-TrafficTypeDiagnostic: CY4PR10MB1989:
X-MS-Exchange-PUrlCount: 1
X-MS-Oob-TLC-OOBClassifiers: OLM:8882;
X-MS-Exchange-Organization-SCL: 5
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2019 09:39:20.5254
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 76c22b4c-30f7-46be-477e-08d724891cb3
X-MS-Exchange-CrossTenant-Id: dff0cfe4-0774-41ed-a299-d72b333064a1
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR10MB1989
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.8374783
X-MS-Exchange-Processed-By-BccFoldering: 15.20.2178.000
X-Microsoft-Antispam-Mailbox-Delivery:
    dwl:1;ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160513016)(750119)(520011016)(520008050)(702028)(944506383)(944626516);
X-Microsoft-Antispam-Message-Info:
    =?us-ascii?Q?zxTIkmxboA8V3HWwi2SWFCPnZs4f45S1m/nHTLKnr4HKWtXjcqLKzGpHYrQ1?=
 =?us-ascii?Q?Fp8H5p7fUFZBfDvqnygf5XZoWluTqwKJqHLQLR/+MQXILfUnAQdTrkoVUNuS?=
 =?us-ascii?Q?HEUsBMrSz8tS3yAGVGgje8/7AM140W24Tqlzc++N/6OGsfiYpjkuyrZgwDsr?=
 =?us-ascii?Q?splE9rOc88b1ccUQGqKieYy/udeq/Pmd6YpqRnXPW2sLYNJ2UeTYNCUtsYYi?=
 =?us-ascii?Q?Fc3dsbZUTr6oCRDZrMmPPyZEkZpNuxq0wua0XNRvDamdyOWjgbB8J0II2tY2?=
 =?us-ascii?Q?2y/WtZ8yoN/XwcqKDl33xjPDIGTBq8t2Y7RtwdcmxMVgvswB7AwQFrN+IIY/?=
 =?us-ascii?Q?TWiBmw5qJYb0vIxUfTFI+f9ON/8fRSiIrlvvURhLKkwiY12Izm2SC0b3EuSP?=
 =?us-ascii?Q?7dQDLhf78CyJO42XKDrtYpd40bLe+GC9Li4yuEeBy8bgru5W5YFxf+diJnpK?=
 =?us-ascii?Q?l/aRWFCpjfrmcldpUcQZW1/O1Py+5HeQ5YyQ1U3wTjY92br4PEgV2gra4EyB?=
 =?us-ascii?Q?5UTXbAf2vRwcweFkGuL89QwDG928QQeH94EO8GLOSjZW7mbPMzVHbLjLM8iV?=
 =?us-ascii?Q?ZOKIL/iyLUQnNGrXnFsBOvVmUFq+ZTSksEWBpaayeQrax/qOHljRBm5bQQuc?=
 =?us-ascii?Q?5dmgS5Z545wFUA95NEkiUN8TY9OeFdoeVQ28hhUghHCFeTnesL4mlhQw3HI8?=
 =?us-ascii?Q?axTIa7EblveXKYroxaeat/X+CTIw3jSneJhpyyko4pSDBiMiY9Q9kSqkA3We?=
 =?us-ascii?Q?e3ai+8n0PxjZEb2KPL9Knj6zyOjam+zns388wov0zWqkH5zhK0+h9gqVh6hA?=
 =?us-ascii?Q?t5UHRe0HZGwx/jowtsGey+/EKv5Ga+eesQjUCsffLtIsYtX2J4e76F3cOzy1?=
 =?us-ascii?Q?Z1R4vZwHqPqe5fL5r5UnIYu51RpOmcr0DvlKvgfQ8bIbUpRQKbJ9sgIsgwPc?=
 =?us-ascii?Q?HZMsJjj7NEfes5AgNd3Eu3unEsNZp7cJyK7Pl0Sg+cVqV7pW5d+9fcH0LHuL?=
 =?us-ascii?Q?ikxyu4Gkb9tWeydxi7u8nuLTsfCqjVpQ1yO+PuXpNxHF8YfvmRVbWBVVc849?=
 =?us-ascii?Q?dJp4b6/3/I+1xj319lehdBYAl2eN7a7Or5Anj3RWKVGwhy7YU4yeGL6rakBA?=
 =?us-ascii?Q?V++x0Ejjqwvm+2F1LTlP7whfLWkMySMQoLx2srdtT2fSsJzlrVTt4aHv9yvZ?=
 =?us-ascii?Q?aY/jfIdBmRBH+YtaTf/OslPVPQCQvtBgnnTou+u+jSTxXt3EcIDELEC1UZa7?=
 =?us-ascii?Q?bXSIz2JWe1frgmWUO0v5mYgX4vUYEC7IcEWh97ef6VUG6NsITAubTWyaVIDu?=
 =?us-ascii?Q?E4Q4Y++2D+mAmG3kfRwgJQKEdKJHeyd880RxkKfPgjq5exDs4dnnplvMAc9H?=
 =?us-ascii?Q?FtxVXPZfyU3AHn9v7UmLdvKpgh7Hqt3GSohCe1gEDDGPAS9BiQ4YVtnLI4dc?=
 =?us-ascii?Q?ROAZVYlsHGDCNT1LWmC7i87zWkVEqllLDwzwZwTQlIME8klgfrKUOWs26Bx1?=
 =?us-ascii?Q?xZ9tlkl0o713MvU=3D?=

Here is the email message I received

Hello Mr/Mrs,

acknowledge this message is for our record purposes.

Kindly re-confirm to us with the status of our Due invoices, as we currently have to give you a new updated Bank information.

I will like to draw your attention to the fact that due to high taxes imposed by the government, we no longer receive payments in our local account. Hence the reason for our earliest mail to you.

Subsequently to your acknowledgement of this mail, please let me know when you will be making payment to enable me send you our updated account information. We apologies for any inconvenience this may bring to you.

Your immediate response will be highly appreciated, and if you do have any Question, do let us know.

Regards,

Mrs Joy

Accounting Team

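As an added example (not part of the original post or of Emsisoft's tooling), here is a short Python script that reads the same headers the dump above was judged by: Authentication-Results, From, Reply-To and Return-Path. It lists the red flags visible in that dump: no SPF or DKIM result, dmarc=fail for the displayed From domain, and a Reply-To/Return-Path domain that differs from the From domain. Both sample messages are constructed for this example; the domains come from the headers above, while the local parts are placeholders because the original post redacts them.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header dump in the post above. The domains
# are the ones in the posted headers; the local parts are placeholders because
# the original post redacts them.
SPOOFED = """\
Authentication-Results: spf=none (sender IP is 173.201.192.186)
 smtp.mailfrom=thealtar.info; rslcomputers.com; dkim=none (message not signed)
 header.d=none;rslcomputers.com; dmarc=fail action=quarantine
 header.from=emsisoft.com;compauth=fail reason=000
Received-SPF: None (protection.outlook.com: thealtar.info does not designate
 permitted sender hosts)
From: "Emsisoft" <accounts@emsisoft.com>
Reply-To: "Emsisoft" <accounts@thealtar.info>
Return-Path: accounts@thealtar.info
Subject: Invoice(s) Due

Kindly re-confirm to us with the status of our Due invoices.
"""

# Constructed control case: aligned domains and passing authentication.
LEGITIMATE = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=example.com; dkim=pass header.d=example.com;
 dmarc=pass action=none header.from=example.com
From: "Vendor" <billing@example.com>
Reply-To: "Vendor" <billing@example.com>
Return-Path: billing@example.com
Subject: Invoice

Your invoice is attached.
"""


def auth_results(msg):
    """Return {method: result} from Authentication-Results, for the dump above
    {'spf': 'none', 'dkim': 'none', 'dmarc': 'fail', 'compauth': 'fail'}.
    The header is unfolded first because the receiving server wrapped it."""
    hdr = " ".join(msg.get("Authentication-Results", "").split())
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", hdr))


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """List the red flags a reader would pull out of the headers by hand."""
    msg = message_from_string(raw_message)
    results = auth_results(msg)
    from_dom = domain_of(msg["From"])
    findings = []

    if results.get("spf") != "pass":
        findings.append("SPF did not pass (%s)" % results.get("spf", "absent"))
    if results.get("dkim") != "pass":
        findings.append("DKIM did not pass (%s)" % results.get("dkim", "absent"))
    if results.get("dmarc") == "fail":
        findings.append("DMARC failed for From domain %s" % from_dom)

    # The display name and From domain say one thing; the envelope sender and
    # the address replies actually go to say another.
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append("%s domain %s differs from From domain %s"
                            % (name, dom, from_dom))
    return findings


def is_spoofed(raw_message):
    """True when any red flag is present."""
    return bool(triage(raw_message))


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, triage(sample))
```

The script only reads what the receiving server already recorded; the authoritative check is the server's own DMARC evaluation, which in the posted headers came back as dmarc=fail with action=quarantine. A Reply-To domain that differs from the From domain is a weaker signal on its own (ticketing systems and newsletters do it legitimately), which is why it is reported alongside the authentication results rather than as a verdict by itself.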

Funny, considering that the e-mail failed validation, I'm surprised your mail server didn't block it.

Authentication-Results: spf=none (sender IP is 173.201.192.186)
 smtp.mailfrom=thealtar.info; rslcomputers.com; dkim=none (message not signed)
 header.d=none;rslcomputers.com; dmarc=fail action=quarantine
 header.from=emsisoft.com;compauth=fail reason=000
Received-SPF: None (protection.outlook.com: thealtar.info does not designate
 permitted sender hosts)

The last time I checked, both DKIM and DMARC are configured for our domain, so both should validate if it's a legitimate e-mail from us.

