Link to home
Create AccountLog in
Avatar of sfabs
sfabsFlag for United Kingdom of Great Britain and Northern Ireland

asked on

Email Header information clarification (fishing/ whaling)

Ok... I need some help clarifying details in an email header. Some one I know has been fished/whaled (which ever it is). I want to know how it was done.
A genuine email was sent from Seller@realdomain.co.uk to Client with genuine bank details for a transfer. This was followed up with a scam email requesting a change of bank details. BUT the scam email came from Seller@realdomain.co.uk... (I am trying to find out if the seller@realdomain.co.uk was hacked)

Both seller and client domains are on 365 and have SPF records setup. So I would expect spoofing emails to be rejected.

Anyway, below is the header... I would like to understand what it says, these are some of the questions I want answered:
1. is it a spoof email or was it sent through 365 servers (there is no trace in the seller sent items, but could have been deleted)
2. It looks like the email "return" address has been setup as "seller@fakedomain.com.uk" to ensure replies do not reach "seller@realdomain.co.uk" and alert the seller of the scam. I didn't think it was possible with 365 to modify the return address?
3. Can we tell if this was sent through a microsoft portal or outlook?
4. I can see an SPF fail on the header... does this mean the email failed its SPF check but was still allowed through?
5. What other information can be gained?

Header
Received: from DM2PR0401MB0973.namprd04.prod.outlook.com (10.160.98.139) by
 BN1PR0401MB0961.namprd04.prod.outlook.com (10.160.79.12) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.977.11 via Mailbox Transport; Tue, 21 Mar 2017 06:54:40 +0000
Received: from BY2PR04CA038.namprd04.prod.outlook.com (10.141.249.156) by
 DM2PR0401MB0973.namprd04.prod.outlook.com (10.160.98.139) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.977.11; Tue, 21 Mar 2017 06:54:37 +0000
Received: from BN1BFFO11FD022.protection.gbl (2a01:111:f400:7c10::1:166) by
 BY2PR04CA038.outlook.office365.com (2a01:111:e400:2c5e::28) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.977.11 via
 Frontend Transport; Tue, 21 Mar 2017 06:54:37 +0000
Received: from servidor1.izc.com.co (67.210.244.182) by
 BN1BFFO11FD022.mail.protection.outlook.com (10.58.144.85) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.977.7 via Frontend Transport; Tue, 21 Mar 2017 06:54:36 +0000
Received: from [::1] (port=60930 helo=webmail.izc.com.co)      by
 servidor1.izc.com.co with esmtpa (Exim 4.88)      (envelope-from
 <seller@realdomain.co.uk>)      id 1cqDgf-00055N-Ny; Tue, 21 Mar 2017
 01:54:33 -0500
From: Sellerfirstname sellersurname <seller@realdomain.co.uk>
To: Client <clientemail1@clientdomain.com>
CC: "clientemail2@clientdomain.com" <clientemail3@clientdomain.com>
Subject: PANKAJ Invoice from PIRNIA LTD - MIMOSA
Thread-Topic: PANKAJ Invoice from PIRNIA LTD - MIMOSA
Thread-Index: AQHSohADo8rq8eJWy0+/hN8XRKu0lw==
Date: Tue, 21 Mar 2017 06:54:32 +0000
Message-ID: <9bb2c7197d4ae10743087238d09ce93b@realdomain.co.uk>
Reply-To: "seller@fakedomain.com"
      <seller@fakedomain.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthSource: BN1BFFO11FD022.protection.gbl
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
received-spf: Fail (protection.outlook.com: domain of <realdomain.co.uk>
 does not designate 67.210.244.182 as permitted sender)
 receiver=protection.outlook.com; client-ip=67.210.244.182;
 helo=servidor1.izc.com.co;
X-Microsoft-Exchange-Diagnostics: 1;BN1PR0401MB0961;27:tFhzi/2kyP2ZKRydFCV2IQMvVvYNboEGIs/QjrAzRXzfFebesfns6NnK2NoN+2zwOMtY+LhCf2VktLylYmcE28cS62cc+5jLOizk4DGZnt3V9MeQnWN/UIxNfawn+BOMw3JINrsaYxaJDyCiRGNxJA==
Importance: high
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="_000_9bb2c7197d4ae10743087238d09ce93brealdomaincouk_"
ASKER CERTIFIED SOLUTION
Avatar of Rajul Raj
Rajul Raj
Flag of United Arab Emirates image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of Pavel Nagaev
1. Message was send from webmail.izc.com.co host
2. Fake return address was created by sender
3.
4. SPF is a mark of spam, but server administrator make desicion what to do with such messages.

It is a usual fake email. You should remember that SMTP protocol allow to fake sender.
Avatar of btan
btan

Try the online header parser - https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=441d5f33-7f91-4e79-b617-3575797f6d7f

The outlook.com does not designate domain of <realdomain.co.uk>  67.210.244.182 as permitted sender)
You can also try to acertain any red flags besides the SPF check on the company (PIRNIA LTD) as it is supposed to have agents involved in the sale of textiles, clothing, fur, footwear and leather goods. So far, it is a small company and the staff inside does not seems to have that signature of officer called upon PANKAJ. The source can be checked if there are link to the company but do not click any on the email or open its attachment. You can also upload the attachment to VirusTotal for a scan too. This is likely a spam phishing email.  Spoofed sender  if you totally have no engagement  with this company ..
Avatar of sfabs

ASKER

first to reply, complete and good explanation and help