sfabs asked:

Email Header information clarification (phishing/whaling)

Ok... I need some help clarifying details in an email header. Someone I know has been phished/whaled (whichever it is). I want to know how it was done.
A genuine email was sent from Seller@realdomain.co.uk to Client with genuine bank details for a transfer. This was followed up with a scam email requesting a change of bank details. BUT the scam email came from Seller@realdomain.co.uk... (I am trying to find out if the seller@realdomain.co.uk was hacked)

Both seller and client domains are on 365 and have SPF records setup. So I would expect spoofing emails to be rejected.

Anyway, below is the header... I would like to understand what it says. These are some of the questions I want answered:
1. Is it a spoof email or was it sent through 365 servers (there is no trace in the seller's sent items, but it could have been deleted)?
2. It looks like the email "return" address has been set up as "seller@fakedomain.com.uk" to ensure replies do not reach "seller@realdomain.co.uk" and alert the seller to the scam. I didn't think it was possible with 365 to modify the return address?
3. Can we tell if this was sent through a Microsoft portal or Outlook?
4. I can see an SPF fail in the header... does this mean the email failed its SPF check but was still allowed through?
5. What other information can be gained?

Header
Received: from DM2PR0401MB0973.namprd04.prod.outlook.com (10.160.98.139) by
 BN1PR0401MB0961.namprd04.prod.outlook.com (10.160.79.12) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.977.11 via Mailbox Transport; Tue, 21 Mar 2017 06:54:40 +0000
Received: from BY2PR04CA038.namprd04.prod.outlook.com (10.141.249.156) by
 DM2PR0401MB0973.namprd04.prod.outlook.com (10.160.98.139) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.977.11; Tue, 21 Mar 2017 06:54:37 +0000
Received: from BN1BFFO11FD022.protection.gbl (2a01:111:f400:7c10::1:166) by
 BY2PR04CA038.outlook.office365.com (2a01:111:e400:2c5e::28) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.977.11 via
 Frontend Transport; Tue, 21 Mar 2017 06:54:37 +0000
Received: from servidor1.izc.com.co (67.210.244.182) by
 BN1BFFO11FD022.mail.protection.outlook.com (10.58.144.85) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.977.7 via Frontend Transport; Tue, 21 Mar 2017 06:54:36 +0000
Received: from [::1] (port=60930 helo=webmail.izc.com.co)      by
 servidor1.izc.com.co with esmtpa (Exim 4.88)      (envelope-from
 <seller@realdomain.co.uk>)      id 1cqDgf-00055N-Ny; Tue, 21 Mar 2017
 01:54:33 -0500
From: Sellerfirstname sellersurname <seller@realdomain.co.uk>
To: Client <clientemail1@clientdomain.com>
CC: "clientemail2@clientdomain.com" <clientemail3@clientdomain.com>
Subject: PANKAJ Invoice from PIRNIA LTD - MIMOSA
Thread-Topic: PANKAJ Invoice from PIRNIA LTD - MIMOSA
Thread-Index: AQHSohADo8rq8eJWy0+/hN8XRKu0lw==
Date: Tue, 21 Mar 2017 06:54:32 +0000
Message-ID: <9bb2c7197d4ae10743087238d09ce93b@realdomain.co.uk>
Reply-To: "seller@fakedomain.com"
      <seller@fakedomain.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthSource: BN1BFFO11FD022.protection.gbl
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
received-spf: Fail (protection.outlook.com: domain of <realdomain.co.uk>
 does not designate 67.210.244.182 as permitted sender)
 receiver=protection.outlook.com; client-ip=67.210.244.182;
 helo=servidor1.izc.com.co;
X-Microsoft-Exchange-Diagnostics: 1;BN1PR0401MB0961;27:tFhzi/2kyP2ZKRydFCV2IQMvVvYNboEGIs/QjrAzRXzfFebesfns6NnK2NoN+2zwOMtY+LhCf2VktLylYmcE28cS62cc+5jLOizk4DGZnt3V9MeQnWN/UIxNfawn+BOMw3JINrsaYxaJDyCiRGNxJA==
Importance: high
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="_000_9bb2c7197d4ae10743087238d09ce93brealdomaincouk_"
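As an added example (not part of the question or any of the answers), the following Python script pulls out of the posted header the facts behind questions 1, 2 and 4: the oldest Received hop (where the message was injected, and whether that relay accepted an authenticated submission), the envelope-from, the Reply-To/From mismatch, and the received-spf verdict. It embeds a trimmed, re-folded copy of the header above and assumes nothing else.

```python
import email
import re
from email import policy

# Trimmed copy of the header pasted in the question above (same values, same order).
RAW_HEADER = """\
Received: from servidor1.izc.com.co (67.210.244.182) by
 BN1BFFO11FD022.mail.protection.outlook.com (10.58.144.85); Tue, 21 Mar 2017 06:54:36 +0000
Received: from [::1] (port=60930 helo=webmail.izc.com.co) by servidor1.izc.com.co
 with esmtpa (Exim 4.88) (envelope-from <seller@realdomain.co.uk>) id 1cqDgf-00055N-Ny
From: Sellerfirstname sellersurname <seller@realdomain.co.uk>
Reply-To: "seller@fakedomain.com" <seller@fakedomain.com>
received-spf: Fail (protection.outlook.com: domain of <realdomain.co.uk>
 does not designate 67.210.244.182 as permitted sender)
 receiver=protection.outlook.com; client-ip=67.210.244.182; helo=servidor1.izc.com.co;
"""

def unfold(value):  # join folded continuation lines of a header into one line
    return re.sub(r"\s+", " ", str(value)).strip()

def grab(pattern, text):  # first capture group of pattern in text, or None
    m = re.search(pattern, text)
    return m.group(1) if m else None

def analyse(raw):
    """Extract the facts a defender checks first and list the red flags they imply."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Each hop prepends its own Received header, so the LAST one is the oldest (injection point).
    first_hop = unfold(msg.get_all("Received")[-1])
    from_addr = msg["From"].addresses[0].addr_spec
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else from_addr
    spf = unfold(msg["Received-SPF"] or "")
    report = {
        "from": from_addr, "reply_to": reply_to,
        "envelope_from": grab(r"envelope-from <([^>]+)>", first_hop),
        "submission_host": grab(r"helo=([\w.\-]+)", first_hop),
        # Exim writes "esmtpa"/"esmtpsa" when the client logged in with SMTP AUTH.
        "authenticated_submission": bool(re.search(r"\bwith esmtps?a\b", first_hop)),
        "spf_result": spf.split(" ", 1)[0].lower() if spf else None,
        "client_ip": grab(r"client-ip=([0-9a-fA-F.:]+)", spf),
        "findings": [],
    }
    from_domain = from_addr.rsplit("@", 1)[1].lower()
    if reply_to.rsplit("@", 1)[1].lower() != from_domain:
        report["findings"].append("Reply-To domain differs from From domain: replies are diverted")
    if report["spf_result"] == "fail":
        report["findings"].append("SPF fail: connecting IP is not an authorised sender for the From domain")
    if report["submission_host"] and not report["submission_host"].lower().endswith(from_domain):
        report["findings"].append("message was injected at a host outside the From domain")
    return report
```

The third check is a heuristic: legitimate mail can be submitted through a third-party relay, so treat it as a prompt to ask who operates that host, not as proof on its own. An SPF "Fail" only records the verdict; whether the receiving tenant rejects, quarantines or delivers such mail is a policy setting on the receiving side.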

Last Comment: sfabs, 8/22/2022 (Mon)
ASKER CERTIFIED SOLUTION
Rajul Raj
Pavel Nagaev

1. Message was sent from the webmail.izc.com.co host
2. Fake return address was created by the sender
3.
4. SPF is a mark of spam, but the server administrator makes the decision on what to do with such messages.

It is a usual fake email. You should remember that the SMTP protocol allows faking the sender.
btan

Try the online header parser - https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=441d5f33-7f91-4e79-b617-3575797f6d7f

The outlook.com check says the domain of <realdomain.co.uk> does not designate 67.210.244.182 as permitted sender.
You can also try to ascertain any red flags besides the SPF check on the company (PIRNIA LTD) as it is supposed to have agents involved in the sale of textiles, clothing, fur, footwear and leather goods. So far, it is a small company and the staff inside does not seem to have that signature of an officer called PANKAJ. The source can be checked if there are links to the company, but do not click any in the email or open its attachment. You can also upload the attachment to VirusTotal for a scan too. This is likely a spam phishing email. Spoofed sender if you totally have no engagement with this company.
sfabs

ASKER
First to reply, complete and good explanation and help.