Archive for August 17, 2024

A VERY Convincing Microsoft 365 Refund #Scam Email Is Making The Rounds

Posted in Commentary on August 17, 2024 by itnerd

A reader of this blog sent me this email that he thought was a scam email:

A number of things make this scam email very convincing:

  • The email address that this was sent from appears to come from Microsoft.
  • Clicking “Go To Microsoft 365 Admin Center” actually takes you to the real Microsoft 365 Admin Center.
  • The look and feel of the email is very much like one that Microsoft would send.

The only thing that gives it away as a scam is the phone number for a support helpline: Microsoft does not have any phone support.

This is likely a refund scam: threat actors send emails to thousands of people claiming that they have been billed for a product or service, hoping that some will call in. At that point the threat actors connect to the caller’s computer and try to steal as much money as they can.

What intrigued me was how the threat actors were able to get this email into the reader’s inbox. I asked the reader for the email headers, since every email carries information describing its path from end to end, along with other details that a receiving mail server uses to decide whether a message is spam or the like.

To illustrate what’s going on here, here are the full headers that I received, with some information redacted:

Delivered-To: REDACTED
Received: by 2002:a17:504:3f94:b0:1bfe:977f:4147 with SMTP id g20csp1188908njn;
Fri, 16 Aug 2024 06:43:30 -0700 (PDT)
X-Forwarded-Encrypted: i=7; AJvYcCV81SM/CRIsstE+ArzN39KoZ2oigx7zrrZ3+m8LcY0IHa8JHgHjidVCkJMvWWgc3bLi9abUQ9NE1KZNlZYTgvg=
X-Google-Smtp-Source: AGHT+IH23r3S25jCDA4KiCgZLcKnxrY4PqFqTc+KWz26TvPfAwn3gdXuUuwUmIlHlMeZu6BPt9gf
X-Received: by 2002:a92:c261:0:b0:39b:3241:e982 with SMTP id e9e14a558f8ab-39d26d745b0mr34961605ab.25.1723815810010;
Fri, 16 Aug 2024 06:43:30 -0700 (PDT)
ARC-Seal: i=6; a=rsa-sha256; t=1723815809; cv=pass;
d=google.com; s=arc-20160816;
b=TfuSWcu4LauRnn2B2HInZaZytDUWMqMeVrDW+IA3B1AC5XpzIZogn7S12MTujPs3DB
EDgIRK2QGFcIBjEICnoXtC5OuT+LKCJPVk+vjc4VzrC5qG6yLfCat5+YdFIIlJWadG5M
JwrQOk/YAYrAjNDHfbfDqAKplAlTbhwmXrCr2ZMf3XgTceCHnm+QI7HaHf8AA/OFFUXI
F/Uhz+x7AgGL/P9ZqwLYeOMzPDWjVzlXpNJO5D8oIifP21nU5EdYKgeryWp9UH9xQBdX
HBCXqvoCO2LLJ/kmECxqA9A91L6hhXpnnn+Z0bmwPWzFBLHFFkscprpVZvj0Jc4ARGmI
Q4vA==
ARC-Message-Signature: i=6; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=mime-version:to:message-id:subject:date:from:dkim-signature
:dkim-signature:authentication-results-original:resent-from;
bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=;
fh=u+4NNM9FiVktfFoWhpPOc5WraBPqVPVZz8is6x3rkA0=;
b=fOYFPO+LNDgcdd4ziNW8ibjuWZUb46rsiiVAQw9a47aqIcQMvpf2tZCUlhPrONwF3e
JtSPWIALpXuQN5LCkpK+1+IjTf2pvlE/fidSYyxN6IZ4t/xp0KucMQaSAC0bGuUWcNZ5
xj+YpqPRcDPuyNDIpotxI/6xdSQp088EYf0CoEV3Ei9Ot/d3i0z4IyHR6CMeyGRqi8JR
0m23FRK/PybVME5TjpxAQikH3/yt3v/yAGGYp+y20agpYpJf3z88hPGSDflrc5+/06zj
sW22lg3r0OwwQ52vJ6BUFg1BVxIdW/RzeSkuvcNAMUlP5m7p6yAwxyvw/jQGL89A3G0A
WTSA==;
dara=google.com
ARC-Authentication-Results: i=6; mx.google.com;
dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;
dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;
arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);
spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) smtp.mailfrom="bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com";
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
Return-Path: <bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com>
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on20724.outbound.protection.outlook.com. [2a01:111:f403:2415::724])
by mx.google.com with ESMTPS id 41be03b00d2f7-7c6b636fff7si3568330a12.599.2024.08.16.06.43.29
for <REDACTED>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Fri, 16 Aug 2024 06:43:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) client-ip=2a01:111:f403:2415::724;
Authentication-Results: mx.google.com;
dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;
dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;
arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);
spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) smtp.mailfrom="bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com";
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
ARC-Seal: i=5; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=Ji0CyJSU2sA3+SpLxEZlkgamoXDki55de/cEK9H75PDf/IzMNo28o7SlxBAcxWydkvqnmHecf02ksBav3pTHx7BQwMCdUtXqFVXu1gqUWMr+aD0DAD3I+YvolOdpnFltIlZM4P59AYRCW1QFgTRgMBbN1E+FOl/Eg16yPjnCCI9jKLabr8cDxoXpNIxhv4dPaiZ30YnE4ur6m5wP7y8Lvkn29G14L+X9bVjGjP6S/btJWxk/K9fAr1b9zzoL8MdrzVc8FHmJwT4aAeJRJ/sHC87kQ+SHlENzETQ9AP26yBD3f2DlmJi/ZqUMdJxZBCi7XoYjdLw/GE4otr2UBaTJLQ==
ARC-Message-Signature: i=5; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=d8TPu7A2Hu2WXRveGLV3o5pIZ3eBrghj/xxi6j9f7nRO5yJGW3WvJCyPX/yMmBGYzpTApu3VkL1lFsHmtSt7SbCOOr0Q2Kmovlz2XPpUJ2Os1dMLdnhse785WQ6Ii4tCEcccjg8OPm61meRW86Gn5btBjD2uqe7Yu8BtJbKWX4qnb8MXD/YAL+x6ACQzoluy89RBSLKlADSSQ3M7ayQKIPvaxkbVrAezUHA7xiezIskXdcG5zUIL07vf7PdBOqvrXV6vuCNuGw1ma8gqPhpy4v3Ejy8ZPBVmHc8mHN27URCPotDU3lx8nn+swDvDpSXRdUv0+KOl+X8D+4JTZJ0hJg==
ARC-Authentication-Results: i=5; mx.microsoft.com 1; spf=pass (sender ip is 40.107.237.100) smtp.rcpttodomain=trendequity.org smtp.mailfrom=merchantsales.onmicrosoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,3,smtp.mailfrom=microsoft.com] dkim=[1,3,header.d=microsoft.com] dmarc=[1,3,header.from=microsoft.com])
Received: from CH0PR11MB8190.namprd11.prod.outlook.com (2603:10b6:610:188::5) by PH8PR11MB6976.namprd11.prod.outlook.com (2603:10b6:510:223::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.19; Fri, 16 Aug 2024 13:43:21 +0000
Received: from DM6PR11MB4187.namprd11.prod.outlook.com (2603:10b6:5:19e::32) by CH0PR11MB8190.namprd11.prod.outlook.com (2603:10b6:610:188::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.20; Fri, 16 Aug 2024 13:43:18 +0000
Received: from DM6PR11MB4187.namprd11.prod.outlook.com ([fe80::e455:f44c:3b7e:8ea2]) by DM6PR11MB4187.namprd11.prod.outlook.com ([fe80::e455:f44c:3b7e:8ea2%6]) with mapi id 15.20.7875.016; Fri, 16 Aug 2024 13:43:18 +0000
ARC-Seal: i=4; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=IyivTBoWjDP5+EzGuqcuiDvrPTg2W3eAad7T3RaNS1BeMpjj1ISfpO767jFhJo+hFSm3gtQR+5zgsS14eMw0cVplcYkrfv0jsPu8ZqfGJfFfnJM2WDZEDg6BCdos+wZDt3Vy5CRD0enXrpFb3YpI84pqw501bdCC7arcZDKU5Cfm/340RqOsA1D7QKLlCrEzEcR2IAricypAEehKx8W/yeKLvYcl0EqnhioY6ltQXxBr1NEp7fFQBzCyKHgSU3jijWoPewIH4b3UbE1nKaSNRJDJyE/+p9uKofj5l9JSeV0QtqHQvB1plXxSG2wJ3d19tSOcx6NQsrOdQM5y6X+CIA==
ARC-Message-Signature: i=4; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=r5Ds9OwJEG1UyAqy6AQhqBmivg51YDYg+BbHZKDecD+rC7FQ9Kq+r1qhZeZy+QIZRHu2oupl/7MS4XcU4gcwxujf4EQ8H97Jue0jBqoPEv5jkIly+pUWV+zL4siAsgx8SpFldBSfM1NM0Y/MEKT80baOqTx1vMAKTg22zvd/Q4jKy4aLv94b0HLpUytUjTY74XrN1yMm2ePX+GoW32v7KQqu0QCncH8Pjp1LXPu+3SkyKPAETkngi5HAYwbkkqLJkPjgxun+IoRfVhqvDRmhPe4co89+fRCWBfXsCez44KZ2Oscvx0ummBbDHm2uDW81DI7ukZ9JNXT+RmomXGe8qg==
ARC-Authentication-Results: i=4; mx.microsoft.com 1; spf=pass (sender ip is 40.107.237.100) smtp.rcpttodomain=trendequity.org smtp.mailfrom=merchantsales.onmicrosoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,3,smtp.mailfrom=microsoft.com] dkim=[1,3,header.d=microsoft.com] dmarc=[1,3,header.from=microsoft.com])
Received: from BYAPR11CA0083.namprd11.prod.outlook.com (2603:10b6:a03:f4::24) by DM4PR11MB6360.namprd11.prod.outlook.com (2603:10b6:8:bd::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.20; Fri, 16 Aug 2024 13:36:58 +0000
Received: from SJ1PEPF000023D8.namprd21.prod.outlook.com (2603:10b6:a03:f4:cafe::54) by BYAPR11CA0083.outlook.office365.com (2603:10b6:a03:f4::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.33 via Frontend Transport; Fri, 16 Aug 2024 13:36:58 +0000
Authentication-Results: spf=pass (sender IP is 40.107.237.100) smtp.mailfrom=merchantsales.onmicrosoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of merchantsales.onmicrosoft.com designates 40.107.237.100 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.237.100; helo=NAM12-BN8-obe.outbound.protection.outlook.com; pr=C
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (40.107.237.100) by SJ1PEPF000023D8.mail.protection.outlook.com (10.167.244.73) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7897.4 via Frontend Transport; Fri, 16 Aug 2024 13:36:57 +0000
ARC-Seal: i=3; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=isJzNOZrZwA7Xr5bxG0qOy4ivJq/v9mA7WtOqMOZHPzIxIoTd5pxuMC/Lq36JLVhzEJG5EBz4e7NsuCjguzlN0t2ylLhmS4f8AiLe2mHJ61ynJ28A7ivXe0MEfkG9F6WokjNOH/1nKKiYxETfoQJAk60uND6oT9AcY+QkIKafmyo7q6jiQc08VRSuTjQc0l8wAH1MswjQeNeKY2gvTvMkkMGInT2pxJ2guGgRZ9UTRgofPYvuuCSDZAkCjUQ7oM7cqtyoG4V4gK00Bg6PR1kq7awWmci6NQ03QMXa96H7aiygnMxQph4kL4dKbQqrBJu1Keqsiyi7I72D7sV73gkIA==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=JLGf+Jw4DoZkWn07nHEf4c/xF0JjA6mtEGPc1F4Q8k44xFoHkTwIaXbMFF5DaLK4EaEOcURD+VsGwaSS19D0Y89om1l4ICzOntk6O0D6+UZG4lN5M15SUYwTS1EAsdXIgcLf8zChpu83TzjmDnozAZznzOZU5KEXp/bkocEBc5L3zlYjBaULkXltR2VJT9p4eRMW3K4bqERT0TZ5CZD4im3/4GiftPTsfx99l1Jav9teubV14MvOEywvxlmjugLIQAjz1HiphAep/RxAG5DIxCzXZUgJAHkC/beSDqYNG585/ObL/LEB40wOwQmUeg0PNtr4JJQycULGEkYxHhEIPw==
ARC-Authentication-Results: i=3; mx.microsoft.com 1; spf=pass (sender ip is 52.101.61.136) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=microsoft.com] dkim=[1,1,header.d=microsoft.com] dmarc=[1,1,header.from=microsoft.com])
Resent-From: <notification@merchantsales.onmicrosoft.com>
ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=DRrt4WaGKyoiMML6eb3SUwKLOq08R8bGVYB/L0QVlm3wcdm1XF/iQrj/RUS7YLnKlbIg0GH3KQNtpyOOzQnrCfm1mwbufpgpEcbjvFjEqAEtzzOU4V9ypfzuQEVEm7Cc78qZfdzJ50Hd8LgyA5vzscQFOJ8J1FQnb/S4M4AyVuhTYAtw8LFASe6GrJM82xQNWucTz82hmjBX1BONDgxYeeqVSBb6A+kmbj3M+5wcdQqXoZN5TC7R/cxuqZ40rCBYz2vz6+s74Z1X+SzYJnwZ21MDocRRX7fQhBwHwsdUKtckZMdk8UAdW5qjaDogoZzdTyI59J91KzvKD+gdfJn2Ug==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=g44v04/jeUniwLVld3n/6yh2nL45f+/OxI7yaXQedI85nRqtFrffhDNyMDl5Cj940rCVZZdViy0T9NosHJB9X4FGMV5g8NmrDoRwMCQIqunPNtG55KFuDGxAJscrZQcns/2zuiqgl1aq7Ei0g977GG8XQa9fivDMY8f+VNpeNCEID2ibd6YyXsOrH/Okb5OoGqr8BmXLzZorgM52sf3YJwluPUab7pLsxJOGZff+u4PoVhlJ+BFPKXJgC7cy6VRbJs3AIM2u6w/rWwfz4x0Tanp1Uy+AOKI+suaK6wSt2atjMAhMF6NbxsdmmriB8qikoDybhtNZb4SkX0/Ea85Vyg==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 52.101.61.136) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=microsoft.com] dkim=[1,1,header.d=microsoft.com] dmarc=[1,1,header.from=microsoft.com])
Received: from PH7P220CA0015.NAMP220.PROD.OUTLOOK.COM (2603:10b6:510:326::20) by PH7PR22MB5062.namprd22.prod.outlook.com (2603:10b6:510:312::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.18; Fri, 16 Aug 2024 13:36:51 +0000
Received: from MWH0EPF000A6733.namprd04.prod.outlook.com (2603:10b6:510:326:cafe::2) by PH7P220CA0015.outlook.office365.com (2603:10b6:510:326::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.19 via Frontend Transport; Fri, 16 Aug 2024 13:36:51 +0000
Authentication-Results-Original: spf=pass (sender IP is 52.101.61.136) smtp.mailfrom=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 52.101.61.136 as permitted sender) receiver=protection.outlook.com; client-ip=52.101.61.136; helo=DM1PR04CU001.outbound.protection.outlook.com; pr=C
Received: from DM1PR04CU001.outbound.protection.outlook.com (52.101.61.136) by MWH0EPF000A6733.mail.protection.outlook.com (10.167.249.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7849.8 via Frontend Transport; Fri, 16 Aug 2024 13:36:51 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=AvyM0FlxgT9SVxijT8tW0np3V9uiRpjFfHotFChyp9BMlncIf4Hl00T9mxKzXH56MByamyvAnJ5GBhvaHhoYHr+j04+w6DCt0gxFHptIuYoVa5b89ZPtcrrhukV3WQ1eJJ9pR+C26Ud7xzLBtR/fq0lJXBLVLexID8Cza0nFJoYej2fgA/2QL7mpU6chmw8D3+CLBRGO7IXVh6jTuD2U8Ls20N+gtQCu+siwP2AAw0O+zkbn9Y0bwFWz382Z/Jy5SB0VQhfdBatnM6eTQu+0uHe+SryGxVpDbtA7xKPLaYl/Cy45tGXiNLFGiP/1YWF4krqSrNz6JZblYIjl/zYFfg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=sWSleCpJwWIGLaz4N9y0Lthfugbg4WYoWQibVxI9g4yb++6KOYO97mXz3VMgHcwBPKL7i6yEg4UQH7EpJrpFYSprjtZ//3gqrP0nNZuWaWGN8br09mqbUz0hIViKQhuNBlCEEBYspyV9b8ZE1JGGipETP6qKqkpEGulu3iId0sFAYcIddJQxyW7UkArwNdPVarRVhZ643HbWPuiEYgSXemcsxmkoH5CHPBZ6rv7/cAw/sbwKdoBI2W/Bj6GzjKRNHhP2Fzkaz31XNjNAYBgOKY5Od6zfSYe+pKAfPOp/EUYm3O1lQoKsOuIVY1jW4VfsoJXSvgz8yvVQpPFARzwXRw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 20.97.34.221) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=V0jLNQ7LkoODwqICDAY2ZF7ia+g4glgQr9DQ/TKgmcnmgTnE8sMj3avExUXePg15WGgI4HgfXMM8hiBb4ic7GGY8cOyVkf82RqWoKsj8gu39myRpIeKtZORbvek4N0BOv1TufeYdn3oLUVvywhkFojX4KTesm0ALLhDzCBpZzpI=
Received: from CH0PR04CA0113.namprd04.prod.outlook.com (2603:10b6:610:75::28) by DM4PR21MB3345.namprd21.prod.outlook.com (2603:10b6:8:6b::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7897.11; Fri, 16 Aug 2024 13:36:46 +0000
Received: from CH2PEPF00000144.namprd02.prod.outlook.com (2603:10b6:610:75:cafe::b4) by CH0PR04CA0113.outlook.office365.com (2603:10b6:610:75::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7849.23 via Frontend Transport; Fri, 16 Aug 2024 13:36:46 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.97.34.221) smtp.mailfrom=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 20.97.34.221 as permitted sender) receiver=protection.outlook.com; client-ip=20.97.34.221; helo=mail-nam-cu04-sn.southcentralus.cloudapp.azure.com; pr=C
Received: from mail-nam-cu04-sn.southcentralus.cloudapp.azure.com (20.97.34.221) by CH2PEPF00000144.mail.protection.outlook.com (10.167.244.101) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7849.8 via Frontend Transport; Fri, 16 Aug 2024 13:36:45 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo; c=relaxed/relaxed; i=microsoft-noreply@microsoft.com; t=1723815405; h=from:subject:date:message-id:to:mime-version:content-type; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=UBZKKpiYDf2p/KxxPFGwvnXMRjaNpMAU2QLNOgp/jX2IL6YC9/C+iC9TOKPNzv6ZMZ/VbQT8FSu OTbgm3nlE2Z4QNDEVPhg0dtlxEIq0ekPNMunTXNMKbvCmOEbsTwfCwyCcK5bXUiqMiX/qmBo+I/jY 2S6RuDg7SlC/vbvAfNU=
From: Microsoft <microsoft-noreply@microsoft.com>
Date: Fri, 16 Aug 2024 13:36:45 +0000
Subject: Your Microsoft order on August 16, 2024
Message-ID: <1f146af7-4393-4815-958b-64498d68a06f@az.southcentralus.microsoft.com>
To: notification@merchantsales.onmicrosoft.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-QmAKbw7keMAjIz55DOIJ/Q=="
Return-Path: reply+SRS=Vuioy=PP=microsoft.com=azure-noreply@merchantsales.onmicrosoft.com
X-EOPAttributedMessage: 2
X-MS-TrafficTypeDiagnostic: CH2PEPF00000144:EE_|DM4PR21MB3345:EE_|MWH0EPF000A6733:EE_|PH7PR22MB5062:EE_|SJ1PEPF000023D8:EE_|DM4PR11MB6360:EE_|CH0PR11MB8190:EE_|PH8PR11MB6976:EE_
X-MS-Office365-Filtering-Correlation-Id: 75dbd73f-d123-4351-d9a3-08dcbdf88006
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|240411011799012|36860700013|69100299015|376014|82310400026|1800799024|36002699022;
X-Forefront-Antispam-Report-Untrusted: CIP:20.97.34.221;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;PTR:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;CAT:NONE;SFS:(13230040)(240411011799012)(36860700013)(69100299015)(376014)(82310400026)(1800799024)(36002699022);DIR:OUT;SFP:1102;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR21MB3345
X-MS-Exchange-Transport-CrossTenantHeadersStripped: MWH0EPF000A6733.namprd04.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: MWH0EPF000A6733.namprd04.prod.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 5c556704-ff26-4c12-336c-08dcbdf87910
X-LD-Processed: 229e6f25-d8cf-4d00-bedf-3f6513ec3f0b,ExtAddr,ExtFwd
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|34036016|586017|7416014|376014|35042699022|48200799018|61400799027|69100299015;
X-Forefront-Antispam-Report-Untrusted: CIP:52.101.61.136;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM1PR04CU001.outbound.protection.outlook.com;PTR:mail-centralusazon11020136.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(34036016)(586017)(7416014)(376014)(35042699022)(48200799018)(61400799027)(69100299015);DIR:OUT;SFP:1102;
X-ExternalRecipientOutboundConnectors: 229e6f25-d8cf-4d00-bedf-3f6513ec3f0b
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR22MB5062
X-EOPTenantAttributedMessage: 35163b8b-4c4e-4e19-b243-f07c1a6a27f0:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: SJ1PEPF000023D8.namprd21.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: SJ1PEPF000023D8.namprd21.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 2e33bed3-db7e-4df2-aca6-08dcbdf87c30
X-Moderation-Data: 8/16/2024 1:43:16 PM
X-LD-Processed: 35163b8b-4c4e-4e19-b243-f07c1a6a27f0,ExtAddr
X-Microsoft-Antispam: BCL:0;ARA:13230040|35042699022|48200799018|69100299015|61400799027|376014|7416014;
X-Microsoft-Antispam-Message-Info: 7PZuOGfIkCRZ2+vcoHQQhEJ0pcPulG3Nz6uM+iP8rAzMUk1OC7zOe5PQ4OhDxlTib/wr18Y6X2HY9eQsFILJ7yot1v8tN1sq4G9LEw1rlDbkB2UJUNeGw8caK0m1wADs79nwxX2zhMNYuftHqJKzD2HpdqW2+ZJygT8wrco7KCdxSLiWxjVEQUvB7TjVv4mP9i9r70azuEqbRq58R8VUSxamyfzDh4MaSQG0eyvt1GYjAOzNuCmerWw7WCwT/yXThcS0BQzVmNH+rvQPHlHABs3kLayc2atQETPixErH8ayw7v+/7rbhuadk31nqeaJjMqM9KGLdK9kotDZHyFS71lf1jHsDh3lEDEAeKIk/Z9RLBFpKi3Qe5HDrO6UYCT5kvu67fJortW52T+hEIPwXPk7Lxiou2T+ecM+fa8dFRWEa0nlxLV5hBie5TBgJM0rqyLyN9HrneBA7xWUuUG6zYL28TXj3GpcNZ3ZXoysqZ/aaFHsQcqCY3FqB/adOM5LFITuUsD34IGvOiDf+72b+t3WPqmfa9OkQ8LOG9fZ8h4tYry6vgmu0QeRnuNGvxwh49g2fdL8CSzbELotfDyJvYI84tWPyo8ouLiawmL1lDRxlOXGJKPUDJdXEBrf10Y/2V28I70puRd9FvAIcRPeAtuj071nLNh5dxwJln9uiptk4Y6SRvKKgsxsH6lvsK9QYv4Ux4d/8NLgrlXfnkqhpg2Ya5TUW8f+Mu8EHmUFDMD184gRI3tj6CY31k92L9JpcBmjX7Dz+YPIEHRB67skZ22wXP441H/LoJjpUTn4ypoGg5V/j4NohxUICvmYJDtQRgJxLdnUJFKMQBb2tJi63yl3PiqGiVIw1biieqQPWxgpzNxFvKYDNa4M54jedoSw8yzSKYjZF946BHorYQcSVW+9hUJt37SWuddaRBdQye6YGkg7ucv6Lx7K48cdiLiMCjBGd9PY0KZnt38CpsQbMRgSb9J3+ZENcEpazUfk5SLM8yXC17z5/6oEG7aGAxFHrlblR9+SNZ28RIxKlwq/u5M7v7iXWyet18BAV1rymBOH/kgX67Xe2Xz5FpZel0Pc1M5DOO+yV35Fp5eVeItyF0sPbDpQYBy3fWX46Sx+LXMIuOAdN5xcivcUQolN2tC/KkAJT9/Xq2nvxaZhR4GS335DJYnMa/R+nudZihDSy/S/wsGCIly+zoGX7/2YMwJXV/DuWn2qKjfkqIp8+HSxyv3igYJx42BKfHxVauOPpksyfSgM0g9sAhPTr5zkADIqVuHjHHOAxxGMfUhkY/L4AGB9RmL/jWeL1HRp6UYAOgWAfzjvgkyRovkVRTPOvc57+pEzxPjBa/6QfNyw/rF5Abg==
X-Forefront-Antispam-Report: CIP:40.107.237.100;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM12-BN8-obe.outbound.protection.outlook.com;PTR:mail-bn8nam12on2100.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(35042699022)(48200799018)(69100299015)(61400799027)(376014)(7416014);DIR:OUT;SFP:1102;
X-OriginatorOrg: NETORGFT13999698.onmicrosoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 75dbd73f-d123-4351-d9a3-08dcbdf88006
X-MS-Exchange-CrossTenant-Id: 35163b8b-4c4e-4e19-b243-f07c1a6a27f0
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47;Ip=[20.97.34.221];Helo=[mail-nam-cu04-sn.southcentralus.cloudapp.azure.com]
X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF000023D8.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Aug 2024 13:43:18.4797 (UTC)
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: TNqK0lMTbi5b9cLoJTq/GHEbYe4wyHYBhmT/1ejLVVqUrkYvOp19tSX71DdMDrGM9MvLXtV17oPeyLQiXpE+TUD9aAQPT1RQ4791E6c+gJaiRzGnp0fhqPj2msilb1c8Gepa3+KYNaDh5dIr7TI20sGkcYqilLDhHWJFtGRMMNtrcm2OXKZwAGSx/79mel9dvow4DbPSMu+bc8chuPwp8wxfxutdb4dnOpQ/6UGAAYyHbJNN0NhrYiHJfNTuQEgUS0PzWnX9mbCP11mngn02pA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH8PR11MB6976

There’s a lot of information here that is meaningless to most of you, but I am going to point out a few clues that indicate how the threat actors are pulling this off. Starting with this:

Return-Path: reply+SRS=Vuioy=PP=microsoft.com=azure-noreply@merchantsales.onmicrosoft.com

The word “azure” is a big hint, as it suggests that the threat actors are sending this from an Azure hosted environment. Azure is Microsoft’s cloud infrastructure, similar to Amazon Web Services (AWS). There are other hints that this is the case, such as this one:

X-Forefront-Antispam-Report-Untrusted: CIP:52.101.61.136;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM1PR04CU001.outbound.protection.outlook.com;PTR:mail-centralusazon11020136.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(34036016)(586017)(7416014)(376014)(35042699022)(48200799018)(61400799027)(69100299015);DIR:OUT;SFP:1102;

This hints that the message took a trip through Microsoft’s Forefront product, which checks inbound and outbound email for threats such as viruses. Note that it rated this email as “untrusted”. Then there’s this one:

CIP:20.97.34.221;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;PTR:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;CAT:NONE;SFS:(13230040)(240411011799012)(36860700013)(69100299015)(376014)(82310400026)(1800799024)(36002699022);DIR:OUT;SFP:1102;

The sn.southcentralus.cloudapp.azure.com hostname is part of Microsoft’s Azure infrastructure; if I remember correctly, that region is somewhere in Texas. I could go on, but I think you see where I am going with this. In short, the threat actor has used a Microsoft Azure instance for the outbound email part of this scam, knowing that because it comes from Microsoft’s own infrastructure it will land in the recipient’s inbox. This is confirmed here:

ARC-Authentication-Results: i=6; mx.google.com;dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) 

This part of the header indicates that because this scam email is sent from Microsoft’s own infrastructure, it passes the DMARC, SPF, and DKIM checks that would normally filter this sort of thing out. As evidenced by this:

Results: spf=pass

This:

dkim=pass

And this:

dmarc=pass

I have to admit that it is crafty for a threat actor to use Microsoft’s own infrastructure to send scam emails. It illustrates how threat actors are evolving to bypass whatever guardrails and safeguards exist in order to get you to fall for their scam.
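As an added example that is not part of the original post, here is a small Python triage script that reads headers like the ones quoted above and shows why “spf=pass dkim=pass dmarc=pass” is not the whole story: besides extracting the authentication results, it reports the forwarding indicators visible in this message (a Resent-From header, an SRS-rewritten Return-Path, an original To: at a different tenant, and an X-OriginatorOrg that is not the From domain). The sample header block is a constructed, condensed copy of the post’s headers with signatures shortened and the recipient left as REDACTED.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a condensed copy of the headers quoted in the post,
# with signature values shortened and the recipient left as REDACTED.
SAMPLE_HEADERS = """\
Delivered-To: REDACTED
Authentication-Results: mx.google.com;
 dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;
 spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) smtp.mailfrom="bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com";
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
Return-Path: <bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com>
Resent-From: <notification@merchantsales.onmicrosoft.com>
From: Microsoft <microsoft-noreply@microsoft.com>
Subject: Your Microsoft order on August 16, 2024
To: notification@merchantsales.onmicrosoft.com
X-OriginatorOrg: NETORGFT13999698.onmicrosoft.com

"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|arc)=(\w+)")


def parse_auth_results(value):
    """Map each method in an Authentication-Results value to its first result."""
    results = {}
    for method, result in AUTH_RE.findall(value):
        results.setdefault(method, result.lower())
    return results


def domain_of(header_value):
    """Domain part of the first address in a header, or '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def triage(raw_headers):
    """Return the authentication results plus any forwarding indicators.

    The point: a message can pass SPF/DKIM/DMARC for the From domain and
    still have been relayed to you by a completely different tenant.
    """
    msg = message_from_string(raw_headers)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_dom = domain_of(msg.get("From"))
    findings = []

    # Resent-From means someone other than the original sender re-sent it.
    resent = domain_of(msg.get("Resent-From"))
    if resent and resent != from_dom:
        findings.append(f"Resent-From: re-sent by {resent}, not by {from_dom}")

    # An SRS-rewritten envelope sender is the signature of a forwarder.
    rp = msg.get("Return-Path", "")
    if "srs" in rp.lower() and domain_of(rp) != from_dom:
        findings.append(f"Return-Path: SRS-rewritten envelope sender at {domain_of(rp)}")

    # The original To: was a mailbox at another tenant, not the final recipient
    # (Delivered-To is REDACTED in the sample, which still counts as a mismatch).
    orig_to = parseaddr(msg.get("To", ""))[1].lower()
    delivered = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    if orig_to and delivered and orig_to != delivered:
        findings.append(f"To: originally addressed to {orig_to}, delivered elsewhere")

    # X-OriginatorOrg names the tenant that last handed the message out.
    org = (msg.get("X-OriginatorOrg") or "").lower()
    if org and org != from_dom:
        findings.append(f"X-OriginatorOrg: last sending tenant is {org}")

    all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    if all_pass and findings:
        verdict = "authenticated but relayed: From domain did not send this to you directly"
    elif all_pass:
        verdict = "authenticated and direct"
    else:
        verdict = "authentication failed or incomplete"
    return {"auth": auth, "all_pass": all_pass, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    report = triage(SAMPLE_HEADERS)
    print(report["auth"], "->", report["verdict"])
    for finding in report["findings"]:
        print(" -", finding)
```

On the sample above every authentication method passes, yet all four forwarding indicators fire, which is exactly the pattern a mail filter or an analyst should treat as “brand claim unproven” rather than “safe”.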

As for the phone number, I called it. You shouldn’t, but I did. Nobody picked up my call. A major company like Microsoft would have picked up the call, which highlights that this is a scam.

After looking at all of this, I told the reader to send the email that he got as an attachment to abuse@microsoft.com so that they can look at it. The reader also used Google Workspace’s “report phishing” option, as he’s a Google customer when it comes to email. By doing both, I hope this scam gets shut down ASAP, as I can see people falling for it.

Google Appears To Be Incentivizing Reviewers For Praise

Posted in Commentary on August 17, 2024 by itnerd

From the “this is real shady” department come reports like this one, which appear to bring to light Google’s Team Pixel program. Here’s how the program works:

A company or PR representative reaches out to you because you have an audience; they want to market and grow hype around their new phone/product (in this case, the Pixel 9 series); you need new, shiny things for your channel, so you bite their hand off, and a box of shiny new toys wings its way to your home or studio.

But then reality sets in, the reality of how the B2C reviews machine really works. In order to get early access to these phones, and future phones, you must adhere to an agreement.

And what does that agreement stipulate?

Simple: you have to be positive about the product or else you’re off the team, no more new, free Pixel phones for you. With this kind of threat, of course, most will bend the knee. But some haven’t and some have even outed #teampixel on X, shout-out to Mark’s Tech.

Mark’s Tech is this guy, who posted this to Twitter:

And this:

Now, to be clear, this is being done by a PR company named 1000Heads, so there is a chance that Google was not even aware that this was going on. Though I seriously doubt that, based on this:

I think this is called damage control.

Let me comment on this from the perspective of someone who does reviews. First of all, I make it very clear here that I say what I want. And if a company doesn’t like that, fine. Go someplace else. I’m cool with that. Now, the people from manufacturers and PR firms that I’ve dealt with over the years have never pulled a stunt like this on me. But at the same time, I go out of my way to avoid being put in a position where I might be incentivized to say nice things about a product, because that’s simply not fair to my readership. That has likely meant that the readership of this blog hasn’t grown as fast as it could have if I were less ethical. But I’m fine with that, as I can sleep at night.

Any company that does anything as shady as this needs to be called out and held accountable. A company’s products should sell the most and be the best because they are the best, and because people in the business of reviewing products agree of their own free will, not because they were incentivized to say nice things. Anything else is just wrong.