Email Header information clarification (phishing/whaling)

sfabs asked
389 Views
Last Modified: 2018-03-27
Ok... I need some help clarifying details in an email header. Someone I know has been phished/whaled (whichever it is). I want to know how it was done.
A genuine email was sent from Seller@realdomain.co.uk to Client with genuine bank details for a transfer. This was followed up with a scam email requesting a change of bank details. BUT the scam email came from Seller@realdomain.co.uk... (I am trying to find out if the seller@realdomain.co.uk was hacked)

Both seller and client domains are on 365 and have SPF records set up. So I would expect spoofing emails to be rejected.

Anyway, below is the header... I would like to understand what it says, these are some of the questions I want answered:
1. is it a spoof email or was it sent through 365 servers (there is no trace in the seller sent items, but could have been deleted)
2. It looks like the email "return" address has been set up as "seller@fakedomain.com.uk" to ensure replies do not reach "seller@realdomain.co.uk" and alert the seller of the scam. I didn't think it was possible with 365 to modify the return address?
3. Can we tell if this was sent through a Microsoft portal or Outlook?
4. I can see an SPF fail on the header... does this mean the email failed its SPF check but was still allowed through?
5. What other information can be gained?

Header
Received: from DM2PR0401MB0973.namprd04.prod.outlook.com (10.160.98.139) by
 BN1PR0401MB0961.namprd04.prod.outlook.com (10.160.79.12) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.977.11 via Mailbox Transport; Tue, 21 Mar 2017 06:54:40 +0000
Received: from BY2PR04CA038.namprd04.prod.outlook.com (10.141.249.156) by
 DM2PR0401MB0973.namprd04.prod.outlook.com (10.160.98.139) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.977.11; Tue, 21 Mar 2017 06:54:37 +0000
Received: from BN1BFFO11FD022.protection.gbl (2a01:111:f400:7c10::1:166) by
 BY2PR04CA038.outlook.office365.com (2a01:111:e400:2c5e::28) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.977.11 via
 Frontend Transport; Tue, 21 Mar 2017 06:54:37 +0000
Received: from servidor1.izc.com.co (67.210.244.182) by
 BN1BFFO11FD022.mail.protection.outlook.com (10.58.144.85) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.977.7 via Frontend Transport; Tue, 21 Mar 2017 06:54:36 +0000
Received: from [::1] (port=60930 helo=webmail.izc.com.co)      by
 servidor1.izc.com.co with esmtpa (Exim 4.88)      (envelope-from
 <seller@realdomain.co.uk>)      id 1cqDgf-00055N-Ny; Tue, 21 Mar 2017
 01:54:33 -0500
From: Sellerfirstname sellersurname <seller@realdomain.co.uk>
To: Client <clientemail1@clientdomain.com>
CC: "clientemail2@clientdomain.com" <clientemail3@clientdomain.com>
Subject: PANKAJ Invoice from PIRNIA LTD - MIMOSA
Thread-Topic: PANKAJ Invoice from PIRNIA LTD - MIMOSA
Thread-Index: AQHSohADo8rq8eJWy0+/hN8XRKu0lw==
Date: Tue, 21 Mar 2017 06:54:32 +0000
Message-ID: <9bb2c7197d4ae10743087238d09ce93b@realdomain.co.uk>
Reply-To: "seller@fakedomain.com"
      <seller@fakedomain.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthSource: BN1BFFO11FD022.protection.gbl
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
received-spf: Fail (protection.outlook.com: domain of <realdomain.co.uk>
 does not designate 67.210.244.182 as permitted sender)
 receiver=protection.outlook.com; client-ip=67.210.244.182;
 helo=servidor1.izc.com.co;
X-Microsoft-Exchange-Diagnostics: 1;BN1PR0401MB0961;27:tFhzi/2kyP2ZKRydFCV2IQMvVvYNboEGIs/QjrAzRXzfFebesfns6NnK2NoN+2zwOMtY+LhCf2VktLylYmcE28cS62cc+5jLOizk4DGZnt3V9MeQnWN/UIxNfawn+BOMw3JINrsaYxaJDyCiRGNxJA==
Importance: high
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="_000_9bb2c7197d4ae10743087238d09ce93brealdomaincouk_"
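The header above can be triaged mechanically. The following Python script is an added example and is not part of the original question or of any answer on this page. It embeds an excerpt of the header quoted in the question (three of the five Received hops, From, To, Reply-To, Message-ID and received-spf), walks the Received chain oldest-first, pulls out the envelope-from and the submitting MTA, records whether the submission hop was authenticated (Exim labels authenticated SMTP as esmtpa/esmtpsa), reads the SPF verdict and client IP, and compares the From domain with the Reply-To domain. The rule that a hop received "by" a host ending in .outlook.com marks entry into Microsoft 365 is an assumption made for this example, not a Microsoft-documented rule.

```python
"""Triage an email header: Received route, envelope-from, SPF verdict, Reply-To mismatch."""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Excerpt of the header quoted in the question (two hops omitted for brevity).
SAMPLE_HEADER = """\
Received: from DM2PR0401MB0973.namprd04.prod.outlook.com (10.160.98.139) by
 BN1PR0401MB0961.namprd04.prod.outlook.com (10.160.79.12) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.977.11 via Mailbox Transport; Tue, 21 Mar 2017 06:54:40 +0000
Received: from servidor1.izc.com.co (67.210.244.182) by
 BN1BFFO11FD022.mail.protection.outlook.com (10.58.144.85) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.977.7 via Frontend Transport; Tue, 21 Mar 2017 06:54:36 +0000
Received: from [::1] (port=60930 helo=webmail.izc.com.co)      by
 servidor1.izc.com.co with esmtpa (Exim 4.88)      (envelope-from
 <seller@realdomain.co.uk>)      id 1cqDgf-00055N-Ny; Tue, 21 Mar 2017
 01:54:33 -0500
From: Sellerfirstname sellersurname <seller@realdomain.co.uk>
To: Client <clientemail1@clientdomain.com>
Reply-To: "seller@fakedomain.com"
      <seller@fakedomain.com>
Message-ID: <9bb2c7197d4ae10743087238d09ce93b@realdomain.co.uk>
received-spf: Fail (protection.outlook.com: domain of <realdomain.co.uk>
 does not designate 67.210.244.182 as permitted sender)
 receiver=protection.outlook.com; client-ip=67.210.244.182;
 helo=servidor1.izc.com.co;
"""


def unfold(value):
    """Collapse RFC 5322 folding whitespace into single spaces."""
    return re.sub(r"\s+", " ", value).strip()


def parse_header(text):
    return HeaderParser().parsestr(text, headersonly=True)


def received_hops(msg):
    """Return the Received hops oldest-first (the bottom header line is the first hop)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = unfold(raw)
        m_from = re.match(r"from (\S+)", line)
        m_by = re.search(r" by (\S+)", line)
        m_ip = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", line)
        m_env = re.search(r"envelope-from <([^>]+)>", line)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": m_ip.group(1) if m_ip else None,
            "envelope_from": m_env.group(1) if m_env else None,
            # Exim writes "with esmtpa"/"esmtpsa" when the client authenticated.
            "authenticated_submission": bool(re.search(r" with esmtps?a\b", line)),
        })
    return hops


def spf_result(msg):
    """Verdict and checked client IP from the receiver's Received-SPF header."""
    line = unfold(msg.get("Received-SPF", ""))
    verdict = re.match(r"(\w+)", line)
    ip = re.search(r"client-ip=([\d.]+)", line)
    return {"result": verdict.group(1) if verdict else None,
            "client_ip": ip.group(1) if ip else None}


def address_domain(value):
    return parseaddr(unfold(value))[1].rpartition("@")[2].lower()


def reply_to_mismatch(msg):
    """A Reply-To domain that differs from From diverts replies away from the real sender."""
    from_dom = address_domain(msg.get("From", ""))
    reply_dom = address_domain(msg.get("Reply-To", ""))
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "mismatch": bool(reply_dom) and reply_dom != from_dom}


def triage(text):
    msg = parse_header(text)
    hops = received_hops(msg)
    # Assumption for this example: a hop received by a *.outlook.com host is the
    # point where the message entered Microsoft 365.
    entered = next((i for i, h in enumerate(hops)
                    if h["by"] and h["by"].endswith(".outlook.com")), None)
    return {
        "hops": hops,
        "spf": spf_result(msg),
        "reply_to": reply_to_mismatch(msg),
        "entered_microsoft_365_at": entered,
        # Any hop before that point was handled by a third-party MTA.
        "originated_outside_microsoft_365": entered is None or entered > 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADER).items():
        print(key, "=>", value)
```

Reading the result against the questions in the post: the oldest hop shows the message was submitted with an authenticated session to servidor1.izc.com.co (a third-party Exim host) with envelope-from seller@realdomain.co.uk, and only then handed to protection.outlook.com, so it did not pass through the seller's Office 365 tenant; the From header and envelope sender were simply set by the submitting client. The Reply-To domain differs from the From domain, which is why replies would go to fakedomain.com. The received-spf verdict is Fail for client IP 67.210.244.182; a receiver records that verdict and then applies its own policy, so a recorded Fail does not by itself mean the message was rejected. Whether SPF Fail leads to rejection or quarantine depends on the receiving tenant's anti-spam settings and on the sending domain's DMARC policy, which is the check to review on the client side.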