eganders

asked on

Scam? Received email from unknown external person. Email body immediately re-mailed this time by recipient as sender.

I need some help tracking down this problem.

Bob's office has a UTM with email filtering, good commercial next gen anti-malware, Exchange 2016, Windows Server 2016, current Outlook, Windows 10 computers. Everything is fully patched and up to date.

The below email was received by "Bob" at his office in California.  The email's IP indicated it came from Korea.  Bob's firm does not do any business in Korea.

The scary part. Within seconds after said email was received by Bob's email account, an email was sent outbound to another recipient, this time with Bob as the sender, and being sent to Fred, as shown near the bottom of the email.  So it seems like this was programmed to happen this way.

Notice the lower part of the email where the "E:" and "A:" are located. I don't recognize the scripting or programming, but maybe someone could help identify how this works in Outlook, or is it a red herring?

We've been scanning, looking for similar emails, all sorts of things.

Any ideas? Is there malware on Bob's computer, or is it just something you can do with Outlook if something isn't disabled, and you know enough? Anything you'd suggest we check? Anyone recognize this set of symptoms, etc.?

We do have the Exchange logs and the Firewall logs.  We can see where the messages come and go.

Help!

Begin Email (Names changed to protect the innocent):
From: dozo <sozhjiaslfjs@hotmail.com>
Sent: Monday, July 22, 2021 2:07 AM
To: Bob Smith
Subject: *SPAM* Steel supplier
 
Hello bob,
I hope you're well.
We supply steel.
So if you need this. please let me know.thanks.
For more information, please contact us.
Best regards
Fred
E:Fred[ at] steelstuff.***com    (Delete***)
A:Wu sha Industrial Zone,Changan Town,Dongguan City,Guangdong,China.
If you are not the right person then could you forward this email?Many thanks!
Note: - If you are not interested then you can reply with a simple "NO",We will never contact you again.

This e-mail is intended for the use of the addressee(s) only and may contain privileged, confidential, or proprietary information that is exempt from disclosure under law. If you have received this message in error, please inform us promptly by reply e-mail, then delete the e-mail and destroy any printed copy. Thank you.



David Favor

1) To block the incoming email increase strictness of your incoming IPrev/SPF/DKIM settings, which will almost surely block this email for submission into your MTA.

2) The scary part. Within seconds after said email was received by Bob's email account, an email was sent outbound to another recipient, this time with Bob as the sender, and being sent to Fred, as shown near the bottom of the email.  So it seems like this was programmed to happen this way.

This is meaningless.

I can send an email with "Bob@foo.com as the sender".

a) If I do this then the email I send will be blocked for submission, if I have correct foo.com DNS records setup, including DMARC policy=reject.

b) If this email originates from Bob's machine, this means Windows has been hacked + a full cleanse is required.
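To make the header checks David is talking about concrete, here is an added example (written for this thread, not code from the original posts, from Exchange or from any UTM product) that parses a message's Authentication-Results header, pulls the connecting IP from the Received header your own MX wrote, and applies a simple strict inbound policy. The sample message, every host and address in it (all under the reserved .invalid TLD), the TEST-NET IP and the policy thresholds are constructed assumptions for illustration; the real enforcement belongs in the MTA or UTM, and this script only shows the triage logic.

```python
"""Added example (not from the thread): parse a message's Authentication-Results
header and apply a simple strict inbound policy. Standard library only."""
import re
import email
from email import policy

# Constructed sample message. All hosts, addresses and the IP are placeholders
# (.invalid TLD, TEST-NET address); nothing here describes a real system.
SAMPLE_MESSAGE = """\
Received: from mail.example.invalid (unknown [192.0.2.10])
\tby mx.bobsfirm.invalid (Postfix) with ESMTP id ABC123
\tfor <bob@bobsfirm.invalid>; 22 Jul 2021 02:07:01 -0700 (PDT)
Authentication-Results: mx.bobsfirm.invalid;
\tiprev=fail policy.iprev=192.0.2.10;
\tspf=fail smtp.mailfrom=example.invalid;
\tdkim=none;
\tdmarc=fail header.from=example.invalid
From: dozo <dozo@example.invalid>
To: Bob Smith <bob@bobsfirm.invalid>
Subject: Steel supplier
Content-Type: text/plain; charset=utf-8

Hello bob, we supply steel.
"""

METHODS = ("iprev", "spf", "dkim", "dmarc")


def parse_authentication_results(raw_message):
    """Return {method: result} for iprev/spf/dkim/dmarc from the first
    Authentication-Results header (RFC 8601 ';'-separated clauses)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header = str(msg.get("Authentication-Results", ""))
    results = {}
    for clause in header.replace("\r", " ").replace("\n", " ").split(";"):
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m and m.group(1).lower() in METHODS:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def originating_ip(raw_message):
    """IP of the client that connected to our own MX, taken from the top-most
    Received header. Only the hop written by a server you control is
    trustworthy; lower Received headers can be forged by the sender."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0]))
    return m.group(1) if m else ""


def inbound_verdict(results, strict=True):
    """Local policy (an assumption of this example, not an Exchange setting):
    dmarc fail -> reject; with strict=True an SPF hard fail also rejects;
    a message with neither an SPF pass nor a DKIM pass is quarantined;
    with strict=True a failed reverse-DNS check (iprev) is quarantined too."""
    if results.get("dmarc") == "fail":
        return "reject"
    if strict and results.get("spf") == "fail":
        return "reject"
    if results.get("dkim", "none") != "pass" and results.get("spf") != "pass":
        return "quarantine"
    if strict and results.get("iprev") == "fail":
        return "quarantine"
    return "accept"


if __name__ == "__main__":
    res = parse_authentication_results(SAMPLE_MESSAGE)
    print(originating_ip(SAMPLE_MESSAGE), res, inbound_verdict(res))
```

Run against the sample, the message is rejected on the DMARC failure alone; with strict=False the same message still lands in quarantine because nothing authenticates it. The point of the originating_ip helper is the one David's answer relies on: the IP to judge is the one your own MX saw, not whatever the lower Received lines claim.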
Dr. Klahn

What David said is good and useful.  Heed his words.  To that I would add:

... Bob's firm does not do any business in Korea. ...

If Bob's firm does not do business in Korea, then it should not be accepting emails from there.  Install geoIP filtering at their firewall and reject everything from APNIC -- email, web, SSH, every single port -- except those countries where business is done.
ASKER CERTIFIED SOLUTION
arnold
eganders

ASKER

Thanks for helping David Favor, Dr. Klahn and Arnold.

I didn't spell out all the things I should have, so my generous respondents didn't know what I knew.  Totally my bad.

My comment about the outbound message was that the turnaround was immediate, thus implying an automated, rather than human, response process. It wasn't a reference to whether or not a domain name could be spoofed.

SPF and DKIM were already in place and functional.

They did have GeoIP running, and most of the world has been disallowed for a long time.  However, in this instance, (South) Korea is allowed because the company with the issue runs a messaging app from there.  I unfortunately was thinking about the term "business" as in sales or purchasing from SK, which the company doesn't do.

I had made copies of the email source and went over it carefully.  And the local Exchange Server does require authentication to send, as does the UTM. The outbound msg did come from Bob's email.  And the message trace verified that pathing as well.

It turns out the client did have auto image retrieval and all related allowances enabled. Not sure when that happened, but they're now all disabled and the end user admonished. Hopefully problem solved.
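The setting the asker found (automatic image retrieval) matters because a client that fetches remote content reports back to whoever hosts that content the moment the message is rendered. As an added example (not code from the thread or from Outlook), the following Python lists the remote resources an HTML message would make such a client fetch, and flags the 1x1 remote image that is the usual open-tracking beacon. The sample message and its .invalid hosts are constructed for illustration.

```python
"""Added example (not from the thread): list the remote resources an HTML
message would make a client fetch when automatic image download is enabled.
Standard library only."""
import re
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (placeholder .invalid hosts): one remote CSS
# background, one 1x1 remote image, and one inline (cid:) image that needs no fetch.
SAMPLE_HTML_MESSAGE = """\
From: dozo <dozo@example.invalid>
To: Bob Smith <bob@bobsfirm.invalid>
Subject: Steel supplier
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Hello bob, we supply steel.
--b1
Content-Type: text/html; charset=utf-8

<html><body style="background:url(https://cdn.example.invalid/bg.png)">
<p>Hello bob, we supply steel.</p>
<img src="https://track.example.invalid/open?rcpt=bob" width="1" height="1">
<img src="cid:logo123">
</body></html>
--b1--
"""


class RemoteRefCollector(HTMLParser):
    """Collects (kind, url) pairs for http(s) URLs in src/background attributes
    and in inline CSS url(...) values."""
    REMOTE = re.compile(r"^https?://", re.I)
    CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.I)

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for attr in ("src", "background"):
            value = a.get(attr)
            if value and self.REMOTE.match(value):
                # A 1x1 remote image is the classic open-tracking beacon.
                if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
                    self.refs.append(("tracking-pixel", value))
                else:
                    self.refs.append((tag, value))
        for url in self.CSS_URL.findall(a.get("style") or ""):
            self.refs.append(("css", url))


def remote_references(raw_message):
    """Return the remote references in the message's HTML body, or [] for a
    message that has no HTML part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    collector = RemoteRefCollector()
    collector.feed(html_part.get_content())
    collector.close()
    return collector.refs


def has_tracking_pixel(raw_message):
    """True when the HTML body carries a 1x1 remote image."""
    return any(kind == "tracking-pixel" for kind, _ in remote_references(raw_message))


if __name__ == "__main__":
    for kind, url in remote_references(SAMPLE_HTML_MESSAGE):
        print(kind, url)
```

Running this over the saved message source (the copies the asker mentions making) gives the list of hosts that would have been contacted on render; the cid: image is correctly ignored because it is carried inside the message. Keeping automatic download off, as was done here, is the mitigation; this script is for confirming what a given message would have fetched.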

The automation deals with Outlook processing, or JavaScript code in the email.

Without knowing what was sent, could it have been a return receipt?

Message trace should provide a clue based on message size.

Source of message, external referrals to images?

Does the user, Bob, have a copy of the outgoing message in their sent items folder?
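The last two points above (a message trace giving a clue by size, and checking what left the mailbox) can be turned into a repeatable check. As an added example, not code from the thread or from Exchange, the following Python correlates an inbound external message with a submission from the same mailbox to an external address within a few seconds, and classifies the outbound size relative to the inbound one. Assumptions: the record layout is a constructed, simplified subset of what an Exchange message tracking log contains (the real export, e.g. from Get-MessageTrackingLog, has many more columns), all addresses are placeholders under .invalid, and the size thresholds are a heuristic chosen for illustration.

```python
"""Added example (not from the thread): correlate an inbound external message
with an outbound message from the same mailbox seconds later, over message
tracking records. The record layout below is a constructed, simplified subset
of an Exchange message tracking log, not its real schema."""
import csv
from datetime import datetime, timedelta
from io import StringIO

FIELDS = ["timestamp", "source", "event_id", "sender", "recipient", "total_bytes", "subject"]
INTERNAL_DOMAIN = "bobsfirm.invalid"  # placeholder for the firm's own domain

# Constructed sample records (placeholder addresses). The second line is the kind
# of event the asker saw: Bob's mailbox submits to an external address 3 s after
# an external message arrived for him.
SAMPLE_LOG = """\
2021-07-22T09:07:03Z,SMTP,RECEIVE,dozo@example.invalid,bob@bobsfirm.invalid,18342,Steel supplier
2021-07-22T09:07:06Z,STOREDRIVER,SUBMIT,bob@bobsfirm.invalid,fred@steelstuff.invalid,1980,Read: Steel supplier
2021-07-22T09:15:00Z,STOREDRIVER,SUBMIT,bob@bobsfirm.invalid,alice@bobsfirm.invalid,5120,Lunch
2021-07-22T10:02:00Z,SMTP,RECEIVE,vendor@supplier.invalid,bob@bobsfirm.invalid,9000,Invoice
"""


def parse_log(text):
    """Parse the simplified CSV records into dicts with typed timestamp/size."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["total_bytes"] = int(row["total_bytes"])
        rows.append(row)
    return rows


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def size_hint(inbound_bytes, outbound_bytes):
    """Heuristic (an assumption of this example): a receipt or notification is
    far smaller than the message it answers; a forward or reply is comparable."""
    ratio = outbound_bytes / inbound_bytes if inbound_bytes else 0.0
    if ratio < 0.25:
        return "small: receipt/notification-sized"
    if ratio >= 0.8:
        return "comparable: forward/reply-sized"
    return "intermediate"


def find_auto_replies(text, window_seconds=30):
    """Pairs of (external inbound, outbound from the recipient mailbox to an
    external address within window_seconds after it)."""
    rows = parse_log(text)
    findings = []
    for inbound in rows:
        if inbound["event_id"] != "RECEIVE" or inbound["source"] != "SMTP":
            continue
        if not is_external(inbound["sender"]):
            continue
        deadline = inbound["timestamp"] + timedelta(seconds=window_seconds)
        for out in rows:
            if out["event_id"] != "SUBMIT":
                continue
            if out["sender"].lower() != inbound["recipient"].lower():
                continue
            if not inbound["timestamp"] < out["timestamp"] <= deadline:
                continue
            if not is_external(out["recipient"]):
                continue
            findings.append({
                "mailbox": inbound["recipient"],
                "inbound_from": inbound["sender"],
                "outbound_to": out["recipient"],
                "delay_seconds": int((out["timestamp"] - inbound["timestamp"]).total_seconds()),
                "size_hint": size_hint(inbound["total_bytes"], out["total_bytes"]),
                "outbound_subject": out["subject"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_auto_replies(SAMPLE_LOG):
        print(finding)
```

On the sample it reports exactly one pair: Bob's mailbox, 3 seconds, outbound roughly a tenth the size of the inbound, which is what a receipt-style automatic response looks like rather than a forwarded copy. A comparable-sized outbound within the window would point the other way and is the case worth pulling from Sent Items, as the last question above suggests.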