Avatar of sfabs
Flag for United Kingdom of Great Britain and Northern Ireland asked on

Email Header information clarification (fishing/ whaling)

Ok... I need some help clarifying details in an email header. Some one I know has been fished/whaled (which ever it is). I want to know how it was done.
A genuine email was sent from Seller@realdomain.co.uk to Client with genuine bank details for a transfer. This was followed up with a scam email requesting a change of bank details. BUT the scam email came from Seller@realdomain.co.uk... (I am trying to find out if the seller@realdomain.co.uk was hacked)

Both seller and client domains are on 365 and have SPF records setup. So I would expect spoofing emails to be rejected.

Anyway, below is the header... I would like to understand what it says, these are some of the questions I want answered:
1. is it a spoof email or was it sent through 365 servers (there is no trace in the seller sent items, but could have been deleted)
2. It looks like the email "return" address has been setup as "seller@fakedomain.com.uk" to ensure replies do not reach "seller@realdomain.co.uk" and alert the seller of the scam. I didn't think it was possible with 365 to modify the return address?
3. Can we tell if this was sent through a microsoft portal or outlook?
4. I can see an SPF fail on the header... does this mean the email failed its SPF check but was still allowed through?
5. What other information can be gained?

Received: from DM2PR0401MB0973.namprd04.prod.outlook.com ( by
 BN1PR0401MB0961.namprd04.prod.outlook.com ( with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.977.11 via Mailbox Transport; Tue, 21 Mar 2017 06:54:40 +0000
Received: from BY2PR04CA038.namprd04.prod.outlook.com ( by
 DM2PR0401MB0973.namprd04.prod.outlook.com ( with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.977.11; Tue, 21 Mar 2017 06:54:37 +0000
Received: from BN1BFFO11FD022.protection.gbl (2a01:111:f400:7c10::1:166) by
 BY2PR04CA038.outlook.office365.com (2a01:111:e400:2c5e::28) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.977.11 via
 Frontend Transport; Tue, 21 Mar 2017 06:54:37 +0000
Received: from servidor1.izc.com.co ( by
 BN1BFFO11FD022.mail.protection.outlook.com ( with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.977.7 via Frontend Transport; Tue, 21 Mar 2017 06:54:36 +0000
Received: from [::1] (port=60930 helo=webmail.izc.com.co)      by
 servidor1.izc.com.co with esmtpa (Exim 4.88)      (envelope-from
 <seller@realdomain.co.uk>)      id 1cqDgf-00055N-Ny; Tue, 21 Mar 2017
 01:54:33 -0500
From: Sellerfirstname sellersurname <seller@realdomain.co.uk>
To: Client <clientemail1@clientdomain.com>
CC: "clientemail2@clientdomain.com" <clientemail3@clientdomain.com>
Subject: PANKAJ Invoice from PIRNIA LTD - MIMOSA
Thread-Topic: PANKAJ Invoice from PIRNIA LTD - MIMOSA
Thread-Index: AQHSohADo8rq8eJWy0+/hN8XRKu0lw==
Date: Tue, 21 Mar 2017 06:54:32 +0000
Message-ID: <9bb2c7197d4ae10743087238d09ce93b@realdomain.co.uk>
Reply-To: "seller@fakedomain.com"
Content-Language: en-US
X-MS-Exchange-Organization-AuthSource: BN1BFFO11FD022.protection.gbl
received-spf: Fail (protection.outlook.com: domain of <realdomain.co.uk>
 does not designate as permitted sender)
 receiver=protection.outlook.com; client-ip=;
X-Microsoft-Exchange-Diagnostics: 1;BN1PR0401MB0961;27:tFhzi/2kyP2ZKRydFCV2IQMvVvYNboEGIs/QjrAzRXzfFebesfns6NnK2NoN+2zwOMtY+LhCf2VktLylYmcE28cS62cc+5jLOizk4DGZnt3V9MeQnWN/UIxNfawn+BOMw3JINrsaYxaJDyCiRGNxJA==
Importance: high
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
Digital ForensicsAntiSpam

Avatar of undefined
Last Comment

8/22/2022 - Mon
Rajul Raj

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Pavel Nagaev

1. Message was send from webmail.izc.com.co host
2. Fake return address was created by sender
4. SPF is a mark of spam, but server administrator make desicion what to do with such messages.

It is a usual fake email. You should remember that SMTP protocol allow to fake sender.

Try the online header parser - https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=441d5f33-7f91-4e79-b617-3575797f6d7f

The outlook.com does not designate domain of <realdomain.co.uk> as permitted sender)
You can also try to acertain any red flags besides the SPF check on the company (PIRNIA LTD) as it is supposed to have agents involved in the sale of textiles, clothing, fur, footwear and leather goods. So far, it is a small company and the staff inside does not seems to have that signature of officer called upon PANKAJ. The source can be checked if there are link to the company but do not click any on the email or open its attachment. You can also upload the attachment to VirusTotal for a scan too. This is likely a spam phishing email.  Spoofed sender  if you totally have no engagement  with this company ..

first to reply, complete and good explanation and help
Your help has saved me hundreds of hours of internet surfing.