troubleshooting Question

Email Header information clarification (phishing/whaling)

Asked by sfabs (United Kingdom)
Topics: Digital Forensics, AntiSpam
Ok... I need some help clarifying details in an email header. Someone I know has been phished/whaled (whichever it is). I want to know how it was done.
A genuine email was sent from Seller@realdomain.co.uk to Client with genuine bank details for a transfer. This was followed up with a scam email requesting a change of bank details. BUT the scam email came from Seller@realdomain.co.uk... (I am trying to find out if the seller@realdomain.co.uk was hacked)

Both seller and client domains are on 365 and have SPF records set up. So I would expect spoofing emails to be rejected.

Anyway, below is the header... I would like to understand what it says, these are some of the questions I want answered:
1. Is it a spoof email or was it sent through 365 servers (there is no trace in the seller's sent items, but it could have been deleted)?
2. It looks like the email "return" address has been set up as "seller@fakedomain.com.uk" to ensure replies do not reach "seller@realdomain.co.uk" and alert the seller to the scam. I didn't think it was possible with 365 to modify the return address?
3. Can we tell if this was sent through a Microsoft portal or Outlook?
4. I can see an SPF fail on the header... does this mean the email failed its SPF check but was still allowed through?
5. What other information can be gained?

Header
Received: from DM2PR0401MB0973.namprd04.prod.outlook.com (10.160.98.139) by
 BN1PR0401MB0961.namprd04.prod.outlook.com (10.160.79.12) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.977.11 via Mailbox Transport; Tue, 21 Mar 2017 06:54:40 +0000
Received: from BY2PR04CA038.namprd04.prod.outlook.com (10.141.249.156) by
 DM2PR0401MB0973.namprd04.prod.outlook.com (10.160.98.139) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.977.11; Tue, 21 Mar 2017 06:54:37 +0000
Received: from BN1BFFO11FD022.protection.gbl (2a01:111:f400:7c10::1:166) by
 BY2PR04CA038.outlook.office365.com (2a01:111:e400:2c5e::28) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.977.11 via
 Frontend Transport; Tue, 21 Mar 2017 06:54:37 +0000
Received: from servidor1.izc.com.co (67.210.244.182) by
 BN1BFFO11FD022.mail.protection.outlook.com (10.58.144.85) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.977.7 via Frontend Transport; Tue, 21 Mar 2017 06:54:36 +0000
Received: from [::1] (port=60930 helo=webmail.izc.com.co)      by
 servidor1.izc.com.co with esmtpa (Exim 4.88)      (envelope-from
 <seller@realdomain.co.uk>)      id 1cqDgf-00055N-Ny; Tue, 21 Mar 2017
 01:54:33 -0500
From: Sellerfirstname sellersurname <seller@realdomain.co.uk>
To: Client <clientemail1@clientdomain.com>
CC: "clientemail2@clientdomain.com" <clientemail3@clientdomain.com>
Subject: PANKAJ Invoice from PIRNIA LTD - MIMOSA
Thread-Topic: PANKAJ Invoice from PIRNIA LTD - MIMOSA
Thread-Index: AQHSohADo8rq8eJWy0+/hN8XRKu0lw==
Date: Tue, 21 Mar 2017 06:54:32 +0000
Message-ID: <9bb2c7197d4ae10743087238d09ce93b@realdomain.co.uk>
Reply-To: "seller@fakedomain.com"
      <seller@fakedomain.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthSource: BN1BFFO11FD022.protection.gbl
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
received-spf: Fail (protection.outlook.com: domain of <realdomain.co.uk>
 does not designate 67.210.244.182 as permitted sender)
 receiver=protection.outlook.com; client-ip=67.210.244.182;
 helo=servidor1.izc.com.co;
X-Microsoft-Exchange-Diagnostics: 1;BN1PR0401MB0961;27:tFhzi/2kyP2ZKRydFCV2IQMvVvYNboEGIs/QjrAzRXzfFebesfns6NnK2NoN+2zwOMtY+LhCf2VktLylYmcE28cS62cc+5jLOizk4DGZnt3V9MeQnWN/UIxNfawn+BOMw3JINrsaYxaJDyCiRGNxJA==
Importance: high
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="_000_9bb2c7197d4ae10743087238d09ce93brealdomaincouk_"
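The header above can be triaged mechanically rather than by eye. The following script is an added example, not code from the question or the accepted answer. It uses only the Python standard library: it unfolds the header, walks the Received chain top-down to find the first hop that did not originate inside Microsoft's own infrastructure (the host that handed the message to Exchange Online Protection), reads the received-spf verdict and checks that its client-ip is the same address as that ingress hop, and compares the domain in Reply-To with the domain in From. The list of Microsoft host suffixes is an assumption for this example; the sample header is the question's own header, abridged to the lines the checks need.

```python
"""Triage an email header: origin hop, SPF verdict, Reply-To mismatch.

Added example, not from the original question or answer. Standard library only.
"""
import re
from email import utils
from email.parser import HeaderParser

# Assumption for this example: hosts with these suffixes are Microsoft 365 /
# Exchange Online Protection infrastructure, so the first hop NOT matching one
# is the external server that delivered the message into Office 365.
MICROSOFT_SUFFIXES = (".outlook.com", ".office365.com", ".protection.gbl")

HOP_RE = re.compile(r"from\s+(\S+)\s+(?:\(([^)]*)\)\s+)?by\s+(\S+)", re.I)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
ENVFROM_RE = re.compile(r"envelope-from\s+<([^>]+)>", re.I)

# The question's own header, abridged (Microsoft diagnostics and MIME lines dropped).
SAMPLE_HEADER = """Received: from DM2PR0401MB0973.namprd04.prod.outlook.com (10.160.98.139) by
 BN1PR0401MB0961.namprd04.prod.outlook.com (10.160.79.12) with Microsoft SMTP
 Server id 15.1.977.11 via Mailbox Transport; Tue, 21 Mar 2017 06:54:40 +0000
Received: from BY2PR04CA038.namprd04.prod.outlook.com (10.141.249.156) by
 DM2PR0401MB0973.namprd04.prod.outlook.com (10.160.98.139) with Microsoft SMTP
 Server id 15.1.977.11; Tue, 21 Mar 2017 06:54:37 +0000
Received: from BN1BFFO11FD022.protection.gbl (2a01:111:f400:7c10::1:166) by
 BY2PR04CA038.outlook.office365.com (2a01:111:e400:2c5e::28) with Microsoft
 SMTP Server id 15.1.977.11 via Frontend Transport; Tue, 21 Mar 2017 06:54:37 +0000
Received: from servidor1.izc.com.co (67.210.244.182) by
 BN1BFFO11FD022.mail.protection.outlook.com (10.58.144.85) with Microsoft SMTP
 Server id 15.1.977.7 via Frontend Transport; Tue, 21 Mar 2017 06:54:36 +0000
Received: from [::1] (port=60930 helo=webmail.izc.com.co)      by
 servidor1.izc.com.co with esmtpa (Exim 4.88)      (envelope-from
 <seller@realdomain.co.uk>)      id 1cqDgf-00055N-Ny; Tue, 21 Mar 2017
 01:54:33 -0500
From: Sellerfirstname sellersurname <seller@realdomain.co.uk>
To: Client <clientemail1@clientdomain.com>
Message-ID: <9bb2c7197d4ae10743087238d09ce93b@realdomain.co.uk>
Reply-To: "seller@fakedomain.com"
      <seller@fakedomain.com>
received-spf: Fail (protection.outlook.com: domain of <realdomain.co.uk>
 does not designate 67.210.244.182 as permitted sender)
 receiver=protection.outlook.com; client-ip=67.210.244.182;
 helo=servidor1.izc.com.co;
Importance: high
X-Priority: 1
"""


def _flat(value):
    """Unfold a header value: join continuation lines, collapse whitespace."""
    return " ".join((value or "").split())


def parse_hops(msg):
    """Received hops top-down (most recent first), one dict per hop."""
    hops = []
    for raw in msg.get_all("Received") or []:
        value = _flat(raw)
        m = HOP_RE.search(value)
        if not m:
            continue  # unparseable Received line; skip rather than guess
        paren = m.group(2) or ""
        ip = IPV4_RE.search(paren)
        helo = re.search(r"helo=(\S+)", paren)
        env = ENVFROM_RE.search(value)
        hops.append({
            "from_host": m.group(1),
            "from_ip": ip.group(0) if ip else None,
            "helo": helo.group(1) if helo else None,
            "by_host": m.group(3),
            "envelope_from": env.group(1) if env else None,
        })
    return hops


def ingress_hop(hops):
    """First hop whose sending host is outside Microsoft's infrastructure."""
    for hop in hops:
        if not hop["from_host"].lower().endswith(MICROSOFT_SUFFIXES):
            return hop
    return None


def parse_spf(msg):
    """Result token, client-ip and helo from the Received-SPF header."""
    value = _flat(msg.get("Received-SPF"))
    if not value:
        return None
    client_ip = re.search(r"client-ip=([^;\s]+)", value)
    helo = re.search(r"helo=([^;\s]+)", value)
    return {"result": value.split(" ", 1)[0].rstrip(";").lower(),
            "client_ip": client_ip.group(1) if client_ip else None,
            "helo": helo.group(1) if helo else None}


def addr_domain(header_value):
    """Domain part of the first address in a From/Reply-To style header."""
    addr = utils.parseaddr(_flat(header_value))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def analyse(raw_header):
    """Summarise the header into the facts a responder wants first."""
    msg = HeaderParser().parsestr(raw_header)
    hops = parse_hops(msg)
    ingress = ingress_hop(hops)
    spf = parse_spf(msg)
    from_domain = addr_domain(msg.get("From"))
    reply_domain = addr_domain(msg.get("Reply-To"))
    return {
        "hop_count": len(hops),
        "origin_host": ingress["from_host"] if ingress else None,
        "origin_ip": ingress["from_ip"] if ingress else None,
        "spf_result": spf["result"] if spf else None,
        "spf_ip_matches_origin": bool(spf and ingress and spf["client_ip"] == ingress["from_ip"]),
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "reply_to_mismatch": bool(reply_domain and reply_domain != from_domain),
        "envelope_from": next((h["envelope_from"] for h in hops if h["envelope_from"]), None),
        "urgent_flags": msg.get("Importance", "").lower() == "high" or msg.get("X-Priority") == "1",
    }


if __name__ == "__main__":
    for key, val in analyse(SAMPLE_HEADER).items():
        print(f"{key}: {val}")
```

Run against the sample, `analyse` reports the ingress host as servidor1.izc.com.co at 67.210.244.182, an SPF result of fail whose client-ip is that same address, a From domain of realdomain.co.uk against a Reply-To domain of fakedomain.com, and an envelope sender of seller@realdomain.co.uk set by the submitting client (the `esmtpa` hop). Read top-down, the Received chain also shows that the message never passed through a Microsoft server until it reached Exchange Online Protection, which is the distinction question 1 is asking about; whether a message with an SPF fail is delivered depends on the receiving tenant's spam policy, which the header alone does not show.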
ASKER CERTIFIED SOLUTION
Rajul Raj
Information Security Officer