The IT Nerd

A reader of this blog sent me this email that he thought was a scam email:

Now a bunch of things make this scam email very convincing:

• The email address that this was sent from appears to come from Microsoft.
• If you click on the “Go To Microsoft 365 Admin Center”, it actually takes you to the real Microsoft 365 Admin Center.
• The look and feel of the email is very much like one that Microsoft would send.

The only thing that gave it away in terms of being a scam is that there is a phone number for a support helpline. Microsoft does not have any phone support.

So what this means is that this is likely a refund scam. Meaning that threat actors send out emails claiming that you’ve been billed for a product or service to thousands of people hoping that some will call in. At that point the threat actors will connect to their computer and try to steal as much money as they can.

What intrigued me is how were the threat actors able to get this email to hit this reader’s inbox. I asked the reader for the email header as any email that you send has information that details its path from end to end along with other information that would be useful to an email server in terms of determining if an email is spam or something like that.

Thus in an effort to illustrate what’s going on here, here’s the full headers that I received with some information redacted:

Delivered-To: REDACTED
Received: by 2002:a17:504:3f94:b0:1bfe:977f:4147 with SMTP id g20csp1188908njn;
        Fri, 16 Aug 2024 06:43:30 -0700 (PDT)
X-Forwarded-Encrypted: i=7; AJvYcCV81SM/CRIsstE+ArzN39KoZ2oigx7zrrZ3+m8LcY0IHa8JHgHjidVCkJMvWWgc3bLi9abUQ9NE1KZNlZYTgvg=
X-Google-Smtp-Source: AGHT+IH23r3S25jCDA4KiCgZLcKnxrY4PqFqTc+KWz26TvPfAwn3gdXuUuwUmIlHlMeZu6BPt9gf
X-Received: by 2002:a92:c261:0:b0:39b:3241:e982 with SMTP id e9e14a558f8ab-39d26d745b0mr34961605ab.25.1723815810010;
        Fri, 16 Aug 2024 06:43:30 -0700 (PDT)
ARC-Seal: i=6; a=rsa-sha256; t=1723815809; cv=pass;
        d=google.com; s=arc-20160816;
        b=TfuSWcu4LauRnn2B2HInZaZytDUWMqMeVrDW+IA3B1AC5XpzIZogn7S12MTujPs3DB
         EDgIRK2QGFcIBjEICnoXtC5OuT+LKCJPVk+vjc4VzrC5qG6yLfCat5+YdFIIlJWadG5M
         JwrQOk/YAYrAjNDHfbfDqAKplAlTbhwmXrCr2ZMf3XgTceCHnm+QI7HaHf8AA/OFFUXI
         F/Uhz+x7AgGL/P9ZqwLYeOMzPDWjVzlXpNJO5D8oIifP21nU5EdYKgeryWp9UH9xQBdX
         HBCXqvoCO2LLJ/kmECxqA9A91L6hhXpnnn+Z0bmwPWzFBLHFFkscprpVZvj0Jc4ARGmI
         Q4vA==
ARC-Message-Signature: i=6; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:to:message-id:subject:date:from:dkim-signature
         :dkim-signature:authentication-results-original:resent-from;
        bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=;
        fh=u+4NNM9FiVktfFoWhpPOc5WraBPqVPVZz8is6x3rkA0=;
        b=fOYFPO+LNDgcdd4ziNW8ibjuWZUb46rsiiVAQw9a47aqIcQMvpf2tZCUlhPrONwF3e
         JtSPWIALpXuQN5LCkpK+1+IjTf2pvlE/fidSYyxN6IZ4t/xp0KucMQaSAC0bGuUWcNZ5
         xj+YpqPRcDPuyNDIpotxI/6xdSQp088EYf0CoEV3Ei9Ot/d3i0z4IyHR6CMeyGRqi8JR
         0m23FRK/PybVME5TjpxAQikH3/yt3v/yAGGYp+y20agpYpJf3z88hPGSDflrc5+/06zj
         sW22lg3r0OwwQ52vJ6BUFg1BVxIdW/RzeSkuvcNAMUlP5m7p6yAwxyvw/jQGL89A3G0A
         WTSA==;
        dara=google.com
ARC-Authentication-Results: i=6; mx.google.com;
       dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;
       dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;
       arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);
       spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) smtp.mailfrom="bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
Return-Path: <bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com>
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on20724.outbound.protection.outlook.com. [2a01:111:f403:2415::724])
        by mx.google.com with ESMTPS id 41be03b00d2f7-7c6b636fff7si3568330a12.599.2024.08.16.06.43.29
        for <REDACTED>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 16 Aug 2024 06:43:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) client-ip=2a01:111:f403:2415::724;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;
       dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;
       arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);
       spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) smtp.mailfrom="bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
ARC-Seal: i=5; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=Ji0CyJSU2sA3+SpLxEZlkgamoXDki55de/cEK9H75PDf/IzMNo28o7SlxBAcxWydkvqnmHecf02ksBav3pTHx7BQwMCdUtXqFVXu1gqUWMr+aD0DAD3I+YvolOdpnFltIlZM4P59AYRCW1QFgTRgMBbN1E+FOl/Eg16yPjnCCI9jKLabr8cDxoXpNIxhv4dPaiZ30YnE4ur6m5wP7y8Lvkn29G14L+X9bVjGjP6S/btJWxk/K9fAr1b9zzoL8MdrzVc8FHmJwT4aAeJRJ/sHC87kQ+SHlENzETQ9AP26yBD3f2DlmJi/ZqUMdJxZBCi7XoYjdLw/GE4otr2UBaTJLQ==
ARC-Message-Signature: i=5; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=d8TPu7A2Hu2WXRveGLV3o5pIZ3eBrghj/xxi6j9f7nRO5yJGW3WvJCyPX/yMmBGYzpTApu3VkL1lFsHmtSt7SbCOOr0Q2Kmovlz2XPpUJ2Os1dMLdnhse785WQ6Ii4tCEcccjg8OPm61meRW86Gn5btBjD2uqe7Yu8BtJbKWX4qnb8MXD/YAL+x6ACQzoluy89RBSLKlADSSQ3M7ayQKIPvaxkbVrAezUHA7xiezIskXdcG5zUIL07vf7PdBOqvrXV6vuCNuGw1ma8gqPhpy4v3Ejy8ZPBVmHc8mHN27URCPotDU3lx8nn+swDvDpSXRdUv0+KOl+X8D+4JTZJ0hJg==
ARC-Authentication-Results: i=5; mx.microsoft.com 1; spf=pass (sender ip is 40.107.237.100) smtp.rcpttodomain=trendequity.org smtp.mailfrom=merchantsales.onmicrosoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,3,smtp.mailfrom=microsoft.com] dkim=[1,3,header.d=microsoft.com] dmarc=[1,3,header.from=microsoft.com])
Received: from CH0PR11MB8190.namprd11.prod.outlook.com (2603:10b6:610:188::5) by PH8PR11MB6976.namprd11.prod.outlook.com (2603:10b6:510:223::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.19; Fri, 16 Aug 2024 13:43:21 +0000
Received: from DM6PR11MB4187.namprd11.prod.outlook.com (2603:10b6:5:19e::32) by CH0PR11MB8190.namprd11.prod.outlook.com (2603:10b6:610:188::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.20; Fri, 16 Aug 2024 13:43:18 +0000
Received: from DM6PR11MB4187.namprd11.prod.outlook.com ([fe80::e455:f44c:3b7e:8ea2]) by DM6PR11MB4187.namprd11.prod.outlook.com ([fe80::e455:f44c:3b7e:8ea2%6]) with mapi id 15.20.7875.016; Fri, 16 Aug 2024 13:43:18 +0000
ARC-Seal: i=4; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=IyivTBoWjDP5+EzGuqcuiDvrPTg2W3eAad7T3RaNS1BeMpjj1ISfpO767jFhJo+hFSm3gtQR+5zgsS14eMw0cVplcYkrfv0jsPu8ZqfGJfFfnJM2WDZEDg6BCdos+wZDt3Vy5CRD0enXrpFb3YpI84pqw501bdCC7arcZDKU5Cfm/340RqOsA1D7QKLlCrEzEcR2IAricypAEehKx8W/yeKLvYcl0EqnhioY6ltQXxBr1NEp7fFQBzCyKHgSU3jijWoPewIH4b3UbE1nKaSNRJDJyE/+p9uKofj5l9JSeV0QtqHQvB1plXxSG2wJ3d19tSOcx6NQsrOdQM5y6X+CIA==
ARC-Message-Signature: i=4; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=r5Ds9OwJEG1UyAqy6AQhqBmivg51YDYg+BbHZKDecD+rC7FQ9Kq+r1qhZeZy+QIZRHu2oupl/7MS4XcU4gcwxujf4EQ8H97Jue0jBqoPEv5jkIly+pUWV+zL4siAsgx8SpFldBSfM1NM0Y/MEKT80baOqTx1vMAKTg22zvd/Q4jKy4aLv94b0HLpUytUjTY74XrN1yMm2ePX+GoW32v7KQqu0QCncH8Pjp1LXPu+3SkyKPAETkngi5HAYwbkkqLJkPjgxun+IoRfVhqvDRmhPe4co89+fRCWBfXsCez44KZ2Oscvx0ummBbDHm2uDW81DI7ukZ9JNXT+RmomXGe8qg==
ARC-Authentication-Results: i=4; mx.microsoft.com 1; spf=pass (sender ip is 40.107.237.100) smtp.rcpttodomain=trendequity.org smtp.mailfrom=merchantsales.onmicrosoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,3,smtp.mailfrom=microsoft.com] dkim=[1,3,header.d=microsoft.com] dmarc=[1,3,header.from=microsoft.com])
Received: from BYAPR11CA0083.namprd11.prod.outlook.com (2603:10b6:a03:f4::24) by DM4PR11MB6360.namprd11.prod.outlook.com (2603:10b6:8:bd::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.20; Fri, 16 Aug 2024 13:36:58 +0000
Received: from SJ1PEPF000023D8.namprd21.prod.outlook.com (2603:10b6:a03:f4:cafe::54) by BYAPR11CA0083.outlook.office365.com (2603:10b6:a03:f4::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.33 via Frontend Transport; Fri, 16 Aug 2024 13:36:58 +0000
Authentication-Results: spf=pass (sender IP is 40.107.237.100) smtp.mailfrom=merchantsales.onmicrosoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of merchantsales.onmicrosoft.com designates 40.107.237.100 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.237.100; helo=NAM12-BN8-obe.outbound.protection.outlook.com; pr=C
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (40.107.237.100) by SJ1PEPF000023D8.mail.protection.outlook.com (10.167.244.73) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7897.4 via Frontend Transport; Fri, 16 Aug 2024 13:36:57 +0000
ARC-Seal: i=3; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=isJzNOZrZwA7Xr5bxG0qOy4ivJq/v9mA7WtOqMOZHPzIxIoTd5pxuMC/Lq36JLVhzEJG5EBz4e7NsuCjguzlN0t2ylLhmS4f8AiLe2mHJ61ynJ28A7ivXe0MEfkG9F6WokjNOH/1nKKiYxETfoQJAk60uND6oT9AcY+QkIKafmyo7q6jiQc08VRSuTjQc0l8wAH1MswjQeNeKY2gvTvMkkMGInT2pxJ2guGgRZ9UTRgofPYvuuCSDZAkCjUQ7oM7cqtyoG4V4gK00Bg6PR1kq7awWmci6NQ03QMXa96H7aiygnMxQph4kL4dKbQqrBJu1Keqsiyi7I72D7sV73gkIA==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=JLGf+Jw4DoZkWn07nHEf4c/xF0JjA6mtEGPc1F4Q8k44xFoHkTwIaXbMFF5DaLK4EaEOcURD+VsGwaSS19D0Y89om1l4ICzOntk6O0D6+UZG4lN5M15SUYwTS1EAsdXIgcLf8zChpu83TzjmDnozAZznzOZU5KEXp/bkocEBc5L3zlYjBaULkXltR2VJT9p4eRMW3K4bqERT0TZ5CZD4im3/4GiftPTsfx99l1Jav9teubV14MvOEywvxlmjugLIQAjz1HiphAep/RxAG5DIxCzXZUgJAHkC/beSDqYNG585/ObL/LEB40wOwQmUeg0PNtr4JJQycULGEkYxHhEIPw==
ARC-Authentication-Results: i=3; mx.microsoft.com 1; spf=pass (sender ip is 52.101.61.136) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=microsoft.com] dkim=[1,1,header.d=microsoft.com] dmarc=[1,1,header.from=microsoft.com])
Resent-From: <notification@merchantsales.onmicrosoft.com>
ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=DRrt4WaGKyoiMML6eb3SUwKLOq08R8bGVYB/L0QVlm3wcdm1XF/iQrj/RUS7YLnKlbIg0GH3KQNtpyOOzQnrCfm1mwbufpgpEcbjvFjEqAEtzzOU4V9ypfzuQEVEm7Cc78qZfdzJ50Hd8LgyA5vzscQFOJ8J1FQnb/S4M4AyVuhTYAtw8LFASe6GrJM82xQNWucTz82hmjBX1BONDgxYeeqVSBb6A+kmbj3M+5wcdQqXoZN5TC7R/cxuqZ40rCBYz2vz6+s74Z1X+SzYJnwZ21MDocRRX7fQhBwHwsdUKtckZMdk8UAdW5qjaDogoZzdTyI59J91KzvKD+gdfJn2Ug==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=g44v04/jeUniwLVld3n/6yh2nL45f+/OxI7yaXQedI85nRqtFrffhDNyMDl5Cj940rCVZZdViy0T9NosHJB9X4FGMV5g8NmrDoRwMCQIqunPNtG55KFuDGxAJscrZQcns/2zuiqgl1aq7Ei0g977GG8XQa9fivDMY8f+VNpeNCEID2ibd6YyXsOrH/Okb5OoGqr8BmXLzZorgM52sf3YJwluPUab7pLsxJOGZff+u4PoVhlJ+BFPKXJgC7cy6VRbJs3AIM2u6w/rWwfz4x0Tanp1Uy+AOKI+suaK6wSt2atjMAhMF6NbxsdmmriB8qikoDybhtNZb4SkX0/Ea85Vyg==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 52.101.61.136) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=microsoft.com] dkim=[1,1,header.d=microsoft.com] dmarc=[1,1,header.from=microsoft.com])
Received: from PH7P220CA0015.NAMP220.PROD.OUTLOOK.COM (2603:10b6:510:326::20) by PH7PR22MB5062.namprd22.prod.outlook.com (2603:10b6:510:312::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.18; Fri, 16 Aug 2024 13:36:51 +0000
Received: from MWH0EPF000A6733.namprd04.prod.outlook.com (2603:10b6:510:326:cafe::2) by PH7P220CA0015.outlook.office365.com (2603:10b6:510:326::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.19 via Frontend Transport; Fri, 16 Aug 2024 13:36:51 +0000
Authentication-Results-Original: spf=pass (sender IP is 52.101.61.136) smtp.mailfrom=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 52.101.61.136 as permitted sender) receiver=protection.outlook.com; client-ip=52.101.61.136; helo=DM1PR04CU001.outbound.protection.outlook.com; pr=C
Received: from DM1PR04CU001.outbound.protection.outlook.com (52.101.61.136) by MWH0EPF000A6733.mail.protection.outlook.com (10.167.249.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7849.8 via Frontend Transport; Fri, 16 Aug 2024 13:36:51 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=AvyM0FlxgT9SVxijT8tW0np3V9uiRpjFfHotFChyp9BMlncIf4Hl00T9mxKzXH56MByamyvAnJ5GBhvaHhoYHr+j04+w6DCt0gxFHptIuYoVa5b89ZPtcrrhukV3WQ1eJJ9pR+C26Ud7xzLBtR/fq0lJXBLVLexID8Cza0nFJoYej2fgA/2QL7mpU6chmw8D3+CLBRGO7IXVh6jTuD2U8Ls20N+gtQCu+siwP2AAw0O+zkbn9Y0bwFWz382Z/Jy5SB0VQhfdBatnM6eTQu+0uHe+SryGxVpDbtA7xKPLaYl/Cy45tGXiNLFGiP/1YWF4krqSrNz6JZblYIjl/zYFfg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=sWSleCpJwWIGLaz4N9y0Lthfugbg4WYoWQibVxI9g4yb++6KOYO97mXz3VMgHcwBPKL7i6yEg4UQH7EpJrpFYSprjtZ//3gqrP0nNZuWaWGN8br09mqbUz0hIViKQhuNBlCEEBYspyV9b8ZE1JGGipETP6qKqkpEGulu3iId0sFAYcIddJQxyW7UkArwNdPVarRVhZ643HbWPuiEYgSXemcsxmkoH5CHPBZ6rv7/cAw/sbwKdoBI2W/Bj6GzjKRNHhP2Fzkaz31XNjNAYBgOKY5Od6zfSYe+pKAfPOp/EUYm3O1lQoKsOuIVY1jW4VfsoJXSvgz8yvVQpPFARzwXRw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 20.97.34.221) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=V0jLNQ7LkoODwqICDAY2ZF7ia+g4glgQr9DQ/TKgmcnmgTnE8sMj3avExUXePg15WGgI4HgfXMM8hiBb4ic7GGY8cOyVkf82RqWoKsj8gu39myRpIeKtZORbvek4N0BOv1TufeYdn3oLUVvywhkFojX4KTesm0ALLhDzCBpZzpI=
Received: from CH0PR04CA0113.namprd04.prod.outlook.com (2603:10b6:610:75::28) by DM4PR21MB3345.namprd21.prod.outlook.com (2603:10b6:8:6b::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7897.11; Fri, 16 Aug 2024 13:36:46 +0000
Received: from CH2PEPF00000144.namprd02.prod.outlook.com (2603:10b6:610:75:cafe::b4) by CH0PR04CA0113.outlook.office365.com (2603:10b6:610:75::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7849.23 via Frontend Transport; Fri, 16 Aug 2024 13:36:46 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.97.34.221) smtp.mailfrom=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 20.97.34.221 as permitted sender) receiver=protection.outlook.com; client-ip=20.97.34.221; helo=mail-nam-cu04-sn.southcentralus.cloudapp.azure.com; pr=C
Received: from mail-nam-cu04-sn.southcentralus.cloudapp.azure.com (20.97.34.221) by CH2PEPF00000144.mail.protection.outlook.com (10.167.244.101) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7849.8 via Frontend Transport; Fri, 16 Aug 2024 13:36:45 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo; c=relaxed/relaxed; i=microsoft-noreply@microsoft.com; t=1723815405; h=from:subject:date:message-id:to:mime-version:content-type; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=UBZKKpiYDf2p/KxxPFGwvnXMRjaNpMAU2QLNOgp/jX2IL6YC9/C+iC9TOKPNzv6ZMZ/VbQT8FSu OTbgm3nlE2Z4QNDEVPhg0dtlxEIq0ekPNMunTXNMKbvCmOEbsTwfCwyCcK5bXUiqMiX/qmBo+I/jY 2S6RuDg7SlC/vbvAfNU=
From: Microsoft <microsoft-noreply@microsoft.com>
Date: Fri, 16 Aug 2024 13:36:45 +0000
Subject: Your Microsoft order on August 16, 2024
Message-ID: <1f146af7-4393-4815-958b-64498d68a06f@az.southcentralus.microsoft.com>
To: notification@merchantsales.onmicrosoft.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-QmAKbw7keMAjIz55DOIJ/Q=="
Return-Path: reply+SRS=Vuioy=PP=microsoft.com=azure-noreply@merchantsales.onmicrosoft.com
X-EOPAttributedMessage: 2
X-MS-TrafficTypeDiagnostic: CH2PEPF00000144:EE_|DM4PR21MB3345:EE_|MWH0EPF000A6733:EE_|PH7PR22MB5062:EE_|SJ1PEPF000023D8:EE_|DM4PR11MB6360:EE_|CH0PR11MB8190:EE_|PH8PR11MB6976:EE_
X-MS-Office365-Filtering-Correlation-Id: 75dbd73f-d123-4351-d9a3-08dcbdf88006
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|240411011799012|36860700013|69100299015|376014|82310400026|1800799024|36002699022;
X-Microsoft-Antispam-Message-Info-Original: X7O+VKtnAGxSUxUJT3g+8GXKOWyRASZFTRv8T75FA+rkgVX8GpH5jnwaIOFWMr15esuql8JQhn/H2xixXEbEZWhtFmmrCJEHnz09rpWWlgwCChijJTZKq7U5pMBKCLrYqtZdxMQW+3lJK4iGR8pcyAzG2gn3uDeNAeLREJW7RmN/++UPcS0TNWIKxkWCpg7mpaUEmMPN931KiC0cbYH7Wq8WbAl3eUpSoZqG8jhHxm7lpfaADJZcLN/Yu/l5EL4gjElyizRL8H8ryFDXIkGgrARhq8NOez4ur7K7MkezZ/7g+/0QtZNeZi0Q6QSgD1RH+15Fk5KPMGdv0N2sagaxw2jXSaLyjX1IvE+lIR6RG4dPboGl3gSOsE5URGNQ9c74gY+gwLK3wOZKEWpRGtf34k+4ATDPP/q4RNK8KxUDGlMyHZ4gwq/R6LFb8lNyvyB164lXQjYbpAZaxf2OFgrldw6wqqnemUNxVpxhDeL7Z7NOCCEVD0kUF+nkdwoeReUZwJhG5BzJwrn2L7lMxSZOtuHAVawEWkxOmmnAHci+an5uAT1eCQFY0ZY3AXRdf5lc3AS61ati0GxQd5smS6KIsisyer5tUyclV2IIecLSw4sXawcveRlrgmtLZKNyBlvxetndu5ISF4dGiNpZA8JfiKSlm+xsHgp5SX74j/v/uQt1sZPK8+6srdJFBCxtsSCIcFm28SjeuaNL5xQjvUWx68KMQMhtGldEnaEdZIhFf9KVkfuqCqzv793IDPi9JHFTILvpXmEabigWnwTNMa7+HC12pLCjXEEP0lvr8rPFm9LTM29Ccg9IRP6FdnD3yYUin4r334spxLnp4MhfqDiGj+BtVtiCcajz2mKJ+BRctNOWeLoe6Q0TB5rljqcb0slk6yTbxXQGxogPXivoZFsMVT1t9nva+xybM6RsRxajvYdVxvQ/GVxbb3uclZSNZudbN63m/iKO7fPZxEEnXi3HesaMm4XH7ZKGYlxruCRHx3umVW2FaiKZ/pidYYworh2IdTXjUbdGhsx2N5E4DycQWmuHB2GqTO12xCVC1sj5X+vrcJDWK92ayoLlADSIj35BbjzxHa6nWN46+Gghdg/p4e2yj33hSC1kVVC5fMx2WuCJTtVHLGo29VBguIxwW35wTuCXkdAxmdRctApmcw7NRZhkmF+uUkN9rBh4cCUzLDbUJ41lKPpb5j2DJvmatcvGpl6eFa5jMi8AD7WDTWqBE7HBcy9f74Easlf6fAPtp9ULETPMf0t2fyrTxYfdvudxWQRyvFeAAQGJH9/hgwEpCdaDMDvLw/nH/1v6JIEKBaSvpqNDxI5rcf4jzfQSZ01l8MrhwR10nNqIJuM92nAMJgCs5LnuVc5tQNmQ+U9z/+RLcKg/ch5noRf53H8i+0+HeS1DTzjZFDrTFnJG+uHRZmSOxxXIjSwCvJla8o7/Ey0=
X-Forefront-Antispam-Report-Untrusted: CIP:20.97.34.221;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;PTR:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;CAT:NONE;SFS:(13230040)(240411011799012)(36860700013)(69100299015)(376014)(82310400026)(1800799024)(36002699022);DIR:OUT;SFP:1102;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR21MB3345
X-MS-Exchange-Transport-CrossTenantHeadersStripped: MWH0EPF000A6733.namprd04.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: MWH0EPF000A6733.namprd04.prod.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 5c556704-ff26-4c12-336c-08dcbdf87910
X-LD-Processed: 229e6f25-d8cf-4d00-bedf-3f6513ec3f0b,ExtAddr,ExtFwd
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|34036016|586017|7416014|376014|35042699022|48200799018|61400799027|69100299015;
X-Microsoft-Antispam-Message-Info-Original: 7onlANrFwwsDGY5F4zLxXslD7h/4HXiAJr1HfIVQtB49dE+55iPq6IU9rXYnP0UDnVCczyfAh3qZveVDvO5ZJ6qfGLNySlPbHV+XOeyfevWxBIXUVx0c++6JDXS1K2YJCmgs4CkqMaLLn67FucboHF3tNOQ61Xu4xZjohzn6bKOMjDtzOb+At3Mo3j5look9tc1Rha88pspFHVVTHvJ5gLWnmOziBfsZ1ZYSodqDuLQtG0t1JoLOOfSquxXesfSHrWE7jp04QlIPJCvFNfOquHta02DOb20A6A9tpOYnom6iKqTq6Vrvjhsic94faGO9V13j3gzaXxH8QOCMjUBft7Sab1jo00CyYxf9t+QRg70BhxwjALiD6KyfSZVmJr5h1Akg75Kb6w5Rv0Dr+pO2qmgkGvZeggT+ubz7Im2gTHwllBhOJ6UF1ZFxv5z3WwI6pm9Itab7zDvDAPMdEwQpLH/kQDh4d7ABDYv3OGYRJEzOByKYorkuuus3wZgR4JBWZGRb0u6L7+gMYGY8h8UWr/yzBa81zzWHKidq1xRbmpp+sN/tAF5davLrh7+pTWoohq4j3VcYJBUVRkcTtNqfVetg8bzh07Px4GddsYzMl0cPk1KBD0zPbVDCBmDppH5fbpwepZi3XPszzGHYvarHzjatwmvR3nX3pXaC1L0WzPLJ8DFKBUSl6ipT1DAEKNc5l4l9B9A2SYCi4wQRRzVy7JdakYtjLU1IghbP2i7239Ef9BxnoQGQ/gstbR1ETDId572sPyVRb/B4RvBYblcpL1m4fnp2E98K7HqAzDUmuzC75Sz11ZZ0oDVuQQmpXAyKUMNEyBZOsGP4H8+k3IP/RE0H+Zj94pCsSMAcQAKICvDroxQhy2f4361IaxVZhrVXrjKndXrHdhwB+FxVWtqqxKsGgp/lv0agtJeX63R9dC/w71/mA//JKWN+MOzOtSmhw8Z8dC+r4wr8fxo1ccxFsV+NJBswZ2NXd15a+04IwJ0YTJXkQW4d1sZScCWMSq9tRIj3TupWgxmh2jDySGOVQTi2SYs/2mg0wMNzu7yf4BY9XuH+CAJr8HbPWW57ss+mqKxEGARh8hmChw5pE0nm/5Nmf4EMuJEJrYpZgdbb1ndvo5uyKPTBWBpWZZKfFV/UdOjAvVTluApVc6hGmhOEY1X/clkHqyhmrAe8RN/6QWtaM51qFmZpW2AbxCK+ZqWU2874CKZXGfAFFp4q/NnMFX0kv0LKC+/AJYr4+jN3OzSuAe1p6XbRvUQ8YB/KFMZ7rj6mJn1nG7CJnJLMh7+Bj0YVpeJ1KJrqgWNu8EHpVAnJCWAVXZK56YY6+aY6helBWEv2kvmVP2f34EkDsXscbPrUs/eAJwMeA94yvsNts10KiLTxcB0vH5+tk1aD8Vft
X-Forefront-Antispam-Report-Untrusted: CIP:52.101.61.136;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM1PR04CU001.outbound.protection.outlook.com;PTR:mail-centralusazon11020136.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(34036016)(586017)(7416014)(376014)(35042699022)(48200799018)(61400799027)(69100299015);DIR:OUT;SFP:1102;
X-ExternalRecipientOutboundConnectors: 229e6f25-d8cf-4d00-bedf-3f6513ec3f0b
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR22MB5062
X-EOPTenantAttributedMessage: 35163b8b-4c4e-4e19-b243-f07c1a6a27f0:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: SJ1PEPF000023D8.namprd21.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: SJ1PEPF000023D8.namprd21.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 2e33bed3-db7e-4df2-aca6-08dcbdf87c30
X-Moderation-Data: 8/16/2024 1:43:16 PM
X-LD-Processed: 35163b8b-4c4e-4e19-b243-f07c1a6a27f0,ExtAddr
X-Microsoft-Antispam: BCL:0;ARA:13230040|35042699022|48200799018|69100299015|61400799027|376014|7416014;
X-Microsoft-Antispam-Message-Info: 7PZuOGfIkCRZ2+vcoHQQhEJ0pcPulG3Nz6uM+iP8rAzMUk1OC7zOe5PQ4OhDxlTib/wr18Y6X2HY9eQsFILJ7yot1v8tN1sq4G9LEw1rlDbkB2UJUNeGw8caK0m1wADs79nwxX2zhMNYuftHqJKzD2HpdqW2+ZJygT8wrco7KCdxSLiWxjVEQUvB7TjVv4mP9i9r70azuEqbRq58R8VUSxamyfzDh4MaSQG0eyvt1GYjAOzNuCmerWw7WCwT/yXThcS0BQzVmNH+rvQPHlHABs3kLayc2atQETPixErH8ayw7v+/7rbhuadk31nqeaJjMqM9KGLdK9kotDZHyFS71lf1jHsDh3lEDEAeKIk/Z9RLBFpKi3Qe5HDrO6UYCT5kvu67fJortW52T+hEIPwXPk7Lxiou2T+ecM+fa8dFRWEa0nlxLV5hBie5TBgJM0rqyLyN9HrneBA7xWUuUG6zYL28TXj3GpcNZ3ZXoysqZ/aaFHsQcqCY3FqB/adOM5LFITuUsD34IGvOiDf+72b+t3WPqmfa9OkQ8LOG9fZ8h4tYry6vgmu0QeRnuNGvxwh49g2fdL8CSzbELotfDyJvYI84tWPyo8ouLiawmL1lDRxlOXGJKPUDJdXEBrf10Y/2V28I70puRd9FvAIcRPeAtuj071nLNh5dxwJln9uiptk4Y6SRvKKgsxsH6lvsK9QYv4Ux4d/8NLgrlXfnkqhpg2Ya5TUW8f+Mu8EHmUFDMD184gRI3tj6CY31k92L9JpcBmjX7Dz+YPIEHRB67skZ22wXP441H/LoJjpUTn4ypoGg5V/j4NohxUICvmYJDtQRgJxLdnUJFKMQBb2tJi63yl3PiqGiVIw1biieqQPWxgpzNxFvKYDNa4M54jedoSw8yzSKYjZF946BHorYQcSVW+9hUJt37SWuddaRBdQye6YGkg7ucv6Lx7K48cdiLiMCjBGd9PY0KZnt38CpsQbMRgSb9J3+ZENcEpazUfk5SLM8yXC17z5/6oEG7aGAxFHrlblR9+SNZ28RIxKlwq/u5M7v7iXWyet18BAV1rymBOH/kgX67Xe2Xz5FpZel0Pc1M5DOO+yV35Fp5eVeItyF0sPbDpQYBy3fWX46Sx+LXMIuOAdN5xcivcUQolN2tC/KkAJT9/Xq2nvxaZhR4GS335DJYnMa/R+nudZihDSy/S/wsGCIly+zoGX7/2YMwJXV/DuWn2qKjfkqIp8+HSxyv3igYJx42BKfHxVauOPpksyfSgM0g9sAhPTr5zkADIqVuHjHHOAxxGMfUhkY/L4AGB9RmL/jWeL1HRp6UYAOgWAfzjvgkyRovkVRTPOvc57+pEzxPjBa/6QfNyw/rF5Abg==
X-Forefront-Antispam-Report: CIP:40.107.237.100;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM12-BN8-obe.outbound.protection.outlook.com;PTR:mail-bn8nam12on2100.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(35042699022)(48200799018)(69100299015)(61400799027)(376014)(7416014);DIR:OUT;SFP:1102;
X-OriginatorOrg: NETORGFT13999698.onmicrosoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 75dbd73f-d123-4351-d9a3-08dcbdf88006
X-MS-Exchange-CrossTenant-Id: 35163b8b-4c4e-4e19-b243-f07c1a6a27f0
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47;Ip=[20.97.34.221];Helo=[mail-nam-cu04-sn.southcentralus.cloudapp.azure.com]
X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF000023D8.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Aug 2024 13:43:18.4797 (UTC)
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: TNqK0lMTbi5b9cLoJTq/GHEbYe4wyHYBhmT/1ejLVVqUrkYvOp19tSX71DdMDrGM9MvLXtV17oPeyLQiXpE+TUD9aAQPT1RQ4791E6c+gJaiRzGnp0fhqPj2msilb1c8Gepa3+KYNaDh5dIr7TI20sGkcYqilLDhHWJFtGRMMNtrcm2OXKZwAGSx/79mel9dvow4DbPSMu+bc8chuPwp8wxfxutdb4dnOpQ/6UGAAYyHbJNN0NhrYiHJfNTuQEgUS0PzWnX9mbCP11mngn02pA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH8PR11MB6976

There’s a lot of information here that is meaningless to most of you. But I am going to point out a few clues that indicate how the threat actors are pulling this off. Starting with this:

Return-Path: reply+SRS=Vuioy=PP=microsoft.com=azure-noreply@merchantsales.onmicrosoft.com

The word Azure is a big hint as it suggests that the threat actors are sending this using an Azure hosted environment. Azure is Microsoft’s cloud infrastructure. Similar to Amazon Web Services or AWS. There are similar hints that this is case. Such as this one:

X-Forefront-Antispam-Report-Untrusted: CIP:52.101.61.136;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM1PR04CU001.outbound.protection.outlook.com;PTR:mail-centralusazon11020136.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(34036016)(586017)(7416014)(376014)(35042699022)(48200799018)(61400799027)(69100299015);DIR:OUT;SFP:1102;

This hints that it took a trip through Microsoft’s Forefront product which checks inbound and outbound emails for threats such as viruses. Note that it rated this email as “untrusted”. Then there’s this one:

CIP:20.97.34.221;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;PTR:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;CAT:NONE;SFS:(13230040)(240411011799012)(36860700013)(69100299015)(376014)(82310400026)(1800799024)(36002699022);DIR:OUT;SFP:1102;

The sn.southcentralus.cloudapp.azure.com is part of Microsoft’s Azure infrastructure. If I remember correctly, it’s somewhere in Texas. I could go on, but I think you see where I am going with this. In short, the threat actor has used a Microsoft Azure instance to set up the outbound email part of this scam knowing that because it’s coming from Microsoft’s own infrastructure, it will hit the inbox of the recipient. This is confirmed here:

ARC-Authentication-Results: i=6; mx.google.com;dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) 

This part of the header indicates because this scam email is being sent from Microsoft’s own infrastructure, it’s going to pass DMARC, SPF, and DKIM checks which would filter this sort of thing out. As evidenced by this:

Results: spf=pass

This:

dkim=pass

And this:

dmarc=pass

I have to admit that it is crafty for a threat actor to use Microsoft’s own infrastructure to send scam emails. And it illustrates how threat actors are evolving to try to bypass any guardrails and safeguards that might exist in order to try and get you to fall for their scam.

As for the phone number, I called it. You shouldn’t. But I did. I found that nobody picked up my call. A major company like Microsoft would have picked up the call. Highlighting that this is a scam.

After looking at all of this, I told the reader to report send the email that he got as an attachment to abuse@microsoft.com so that they can look at it. The reader also used Google Workspace’s “report phishing” option as he’s a Google customer when it comes to email. By doing both, I hope this scam gets shut down ASAP as I can see people falling for it.

This entry was posted on August 17, 2024 at 8:44 am and is filed under Commentary with tags Microsoft, Scam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.