Elon Musk May Have To Sell More Tesla Stock To Keep Twitter Alive

Posted in Commentary with tags on August 18, 2024 by itnerd

A new report by Fortune paints a pretty grim picture for Elon Musk and his involvement in Twitter. Things look pretty dire at Twitter. How dire you ask? How about this:

Musk’s repeated outbursts against advertisers have dried up the main source of revenue for the loss-making company formerly known as Twitter. A recent decision to sue them for heeding his own advice to not buy ads on the platform hasn’t helped. At some point, he will have to provide a fresh infusion of cash to salvage his $44 billion takeover. And that might mean Musk sells Tesla stock to raise the money—hurting anyone who holds the carmaker’s shares.

“I would be expecting something between $1 and $2 billion in stock,” said Bradford Ferguson, president and chief investment officer of asset manager Halter Ferguson Financial, in comments posted to YouTube on Wednesday. This alone could cause the stock to lose between 5% and 10% of its value. “It’s a massive hole they need to plug.”

If you’re a Tesla shareholder, that has to freak you out. After all, Elon has sold Tesla stock at least two times before to finance his shenanigans at Twitter. Here are the specifics as to why he needs that money:

Ferguson based his assessment on internal second-quarter figures recently obtained by the New York Times. According to this report, X booked $114 million worth of revenue in the U.S., its largest market by far. This represented a 25% drop over the preceding three months and a 53% drop over the year-ago period.

That already sounds bad. But it gets worse. The last publicly available figures prior to Musk’s acquisition, from Q2 of 2022, had revenue at $661 million. After you account for inflation, revenue has actually collapsed by 84%, in today’s dollars.

No one knows how much longer X can survive, since the company doesn’t release financial results. But in November, Musk himself admitted X could face bankruptcy due to the advertiser boycott.

So for a guy who loves to play the game of FAAFO, it’s pretty clear that he’s in the “find out” phase of that. And what’s bad about this is that he’s completely willing to take Tesla, his shareholders and who knows what else down with him.

And I thought that Elon was supposed to be smart.

A VERY Convincing Microsoft 365 Refund #Scam Email Is Making The Rounds

Posted in Commentary with tags , on August 17, 2024 by itnerd

A reader of this blog sent me this email that he thought was a scam email:

Now a bunch of things make this scam email very convincing:

  • The sender address is microsoft-noreply@microsoft.com, which really is the address Microsoft sends its order notifications from.
  • If you click on the “Go To Microsoft 365 Admin Center”, it actually takes you to the real Microsoft 365 Admin Center.
  • The look and feel of the email is very much like one that Microsoft would send.

The only thing that gives it away as a scam is the phone number for a “support helpline”. A genuine Microsoft order or billing notification does not ask you to call anyone; if you need help with an order you go to your account portal or support.microsoft.com. A phone number printed in a billing notice is the hook of a refund scam, and it is the one thing in this email that the scammers needed you to act on.

This is the classic refund scam. Threat actors send thousands of emails claiming that you’ve been billed for a product or service, hoping that a few recipients will call the number to dispute the charge. Whoever calls is talked into installing remote access software so the “agent” can process the refund, and from there the threat actors try to drain as much money from the victim’s accounts as they can.

What intrigued me is how the threat actors were able to get this email into this reader’s inbox. So I asked the reader for the email headers, because every email carries a record of its path from sender to recipient, along with the authentication results that a receiving mail server uses to decide whether to treat it as spam.

Thus in an effort to illustrate what’s going on here, here’s the full headers that I received with some information redacted:

Delivered-To: REDACTED
Received: by 2002:a17:504:3f94:b0:1bfe:977f:4147 with SMTP id g20csp1188908njn;
        Fri, 16 Aug 2024 06:43:30 -0700 (PDT)
X-Forwarded-Encrypted: i=7; AJvYcCV81SM/CRIsstE+ArzN39KoZ2oigx7zrrZ3+m8LcY0IHa8JHgHjidVCkJMvWWgc3bLi9abUQ9NE1KZNlZYTgvg=
X-Google-Smtp-Source: AGHT+IH23r3S25jCDA4KiCgZLcKnxrY4PqFqTc+KWz26TvPfAwn3gdXuUuwUmIlHlMeZu6BPt9gf
X-Received: by 2002:a92:c261:0:b0:39b:3241:e982 with SMTP id e9e14a558f8ab-39d26d745b0mr34961605ab.25.1723815810010;
        Fri, 16 Aug 2024 06:43:30 -0700 (PDT)
ARC-Seal: i=6; a=rsa-sha256; t=1723815809; cv=pass;
        d=google.com; s=arc-20160816;
        b=TfuSWcu4LauRnn2B2HInZaZytDUWMqMeVrDW+IA3B1AC5XpzIZogn7S12MTujPs3DB
         EDgIRK2QGFcIBjEICnoXtC5OuT+LKCJPVk+vjc4VzrC5qG6yLfCat5+YdFIIlJWadG5M
         JwrQOk/YAYrAjNDHfbfDqAKplAlTbhwmXrCr2ZMf3XgTceCHnm+QI7HaHf8AA/OFFUXI
         F/Uhz+x7AgGL/P9ZqwLYeOMzPDWjVzlXpNJO5D8oIifP21nU5EdYKgeryWp9UH9xQBdX
         HBCXqvoCO2LLJ/kmECxqA9A91L6hhXpnnn+Z0bmwPWzFBLHFFkscprpVZvj0Jc4ARGmI
         Q4vA==
ARC-Message-Signature: i=6; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:to:message-id:subject:date:from:dkim-signature
         :dkim-signature:authentication-results-original:resent-from;
        bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=;
        fh=u+4NNM9FiVktfFoWhpPOc5WraBPqVPVZz8is6x3rkA0=;
        b=fOYFPO+LNDgcdd4ziNW8ibjuWZUb46rsiiVAQw9a47aqIcQMvpf2tZCUlhPrONwF3e
         JtSPWIALpXuQN5LCkpK+1+IjTf2pvlE/fidSYyxN6IZ4t/xp0KucMQaSAC0bGuUWcNZ5
         xj+YpqPRcDPuyNDIpotxI/6xdSQp088EYf0CoEV3Ei9Ot/d3i0z4IyHR6CMeyGRqi8JR
         0m23FRK/PybVME5TjpxAQikH3/yt3v/yAGGYp+y20agpYpJf3z88hPGSDflrc5+/06zj
         sW22lg3r0OwwQ52vJ6BUFg1BVxIdW/RzeSkuvcNAMUlP5m7p6yAwxyvw/jQGL89A3G0A
         WTSA==;
        dara=google.com
ARC-Authentication-Results: i=6; mx.google.com;
       dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;
       dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;
       arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);
       spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) smtp.mailfrom="bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
Return-Path: <bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com>
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on20724.outbound.protection.outlook.com. [2a01:111:f403:2415::724])
        by mx.google.com with ESMTPS id 41be03b00d2f7-7c6b636fff7si3568330a12.599.2024.08.16.06.43.29
        for <REDACTED>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 16 Aug 2024 06:43:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) client-ip=2a01:111:f403:2415::724;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;
       dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;
       arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);
       spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) smtp.mailfrom="bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
ARC-Seal: i=5; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=Ji0CyJSU2sA3+SpLxEZlkgamoXDki55de/cEK9H75PDf/IzMNo28o7SlxBAcxWydkvqnmHecf02ksBav3pTHx7BQwMCdUtXqFVXu1gqUWMr+aD0DAD3I+YvolOdpnFltIlZM4P59AYRCW1QFgTRgMBbN1E+FOl/Eg16yPjnCCI9jKLabr8cDxoXpNIxhv4dPaiZ30YnE4ur6m5wP7y8Lvkn29G14L+X9bVjGjP6S/btJWxk/K9fAr1b9zzoL8MdrzVc8FHmJwT4aAeJRJ/sHC87kQ+SHlENzETQ9AP26yBD3f2DlmJi/ZqUMdJxZBCi7XoYjdLw/GE4otr2UBaTJLQ==
ARC-Message-Signature: i=5; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=d8TPu7A2Hu2WXRveGLV3o5pIZ3eBrghj/xxi6j9f7nRO5yJGW3WvJCyPX/yMmBGYzpTApu3VkL1lFsHmtSt7SbCOOr0Q2Kmovlz2XPpUJ2Os1dMLdnhse785WQ6Ii4tCEcccjg8OPm61meRW86Gn5btBjD2uqe7Yu8BtJbKWX4qnb8MXD/YAL+x6ACQzoluy89RBSLKlADSSQ3M7ayQKIPvaxkbVrAezUHA7xiezIskXdcG5zUIL07vf7PdBOqvrXV6vuCNuGw1ma8gqPhpy4v3Ejy8ZPBVmHc8mHN27URCPotDU3lx8nn+swDvDpSXRdUv0+KOl+X8D+4JTZJ0hJg==
ARC-Authentication-Results: i=5; mx.microsoft.com 1; spf=pass (sender ip is 40.107.237.100) smtp.rcpttodomain=trendequity.org smtp.mailfrom=merchantsales.onmicrosoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,3,smtp.mailfrom=microsoft.com] dkim=[1,3,header.d=microsoft.com] dmarc=[1,3,header.from=microsoft.com])
Received: from CH0PR11MB8190.namprd11.prod.outlook.com (2603:10b6:610:188::5) by PH8PR11MB6976.namprd11.prod.outlook.com (2603:10b6:510:223::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.19; Fri, 16 Aug 2024 13:43:21 +0000
Received: from DM6PR11MB4187.namprd11.prod.outlook.com (2603:10b6:5:19e::32) by CH0PR11MB8190.namprd11.prod.outlook.com (2603:10b6:610:188::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.20; Fri, 16 Aug 2024 13:43:18 +0000
Received: from DM6PR11MB4187.namprd11.prod.outlook.com ([fe80::e455:f44c:3b7e:8ea2]) by DM6PR11MB4187.namprd11.prod.outlook.com ([fe80::e455:f44c:3b7e:8ea2%6]) with mapi id 15.20.7875.016; Fri, 16 Aug 2024 13:43:18 +0000
ARC-Seal: i=4; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=IyivTBoWjDP5+EzGuqcuiDvrPTg2W3eAad7T3RaNS1BeMpjj1ISfpO767jFhJo+hFSm3gtQR+5zgsS14eMw0cVplcYkrfv0jsPu8ZqfGJfFfnJM2WDZEDg6BCdos+wZDt3Vy5CRD0enXrpFb3YpI84pqw501bdCC7arcZDKU5Cfm/340RqOsA1D7QKLlCrEzEcR2IAricypAEehKx8W/yeKLvYcl0EqnhioY6ltQXxBr1NEp7fFQBzCyKHgSU3jijWoPewIH4b3UbE1nKaSNRJDJyE/+p9uKofj5l9JSeV0QtqHQvB1plXxSG2wJ3d19tSOcx6NQsrOdQM5y6X+CIA==
ARC-Message-Signature: i=4; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=r5Ds9OwJEG1UyAqy6AQhqBmivg51YDYg+BbHZKDecD+rC7FQ9Kq+r1qhZeZy+QIZRHu2oupl/7MS4XcU4gcwxujf4EQ8H97Jue0jBqoPEv5jkIly+pUWV+zL4siAsgx8SpFldBSfM1NM0Y/MEKT80baOqTx1vMAKTg22zvd/Q4jKy4aLv94b0HLpUytUjTY74XrN1yMm2ePX+GoW32v7KQqu0QCncH8Pjp1LXPu+3SkyKPAETkngi5HAYwbkkqLJkPjgxun+IoRfVhqvDRmhPe4co89+fRCWBfXsCez44KZ2Oscvx0ummBbDHm2uDW81DI7ukZ9JNXT+RmomXGe8qg==
ARC-Authentication-Results: i=4; mx.microsoft.com 1; spf=pass (sender ip is 40.107.237.100) smtp.rcpttodomain=trendequity.org smtp.mailfrom=merchantsales.onmicrosoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,3,smtp.mailfrom=microsoft.com] dkim=[1,3,header.d=microsoft.com] dmarc=[1,3,header.from=microsoft.com])
Received: from BYAPR11CA0083.namprd11.prod.outlook.com (2603:10b6:a03:f4::24) by DM4PR11MB6360.namprd11.prod.outlook.com (2603:10b6:8:bd::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.20; Fri, 16 Aug 2024 13:36:58 +0000
Received: from SJ1PEPF000023D8.namprd21.prod.outlook.com (2603:10b6:a03:f4:cafe::54) by BYAPR11CA0083.outlook.office365.com (2603:10b6:a03:f4::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.33 via Frontend Transport; Fri, 16 Aug 2024 13:36:58 +0000
Authentication-Results: spf=pass (sender IP is 40.107.237.100) smtp.mailfrom=merchantsales.onmicrosoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of merchantsales.onmicrosoft.com designates 40.107.237.100 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.237.100; helo=NAM12-BN8-obe.outbound.protection.outlook.com; pr=C
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (40.107.237.100) by SJ1PEPF000023D8.mail.protection.outlook.com (10.167.244.73) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7897.4 via Frontend Transport; Fri, 16 Aug 2024 13:36:57 +0000
ARC-Seal: i=3; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=isJzNOZrZwA7Xr5bxG0qOy4ivJq/v9mA7WtOqMOZHPzIxIoTd5pxuMC/Lq36JLVhzEJG5EBz4e7NsuCjguzlN0t2ylLhmS4f8AiLe2mHJ61ynJ28A7ivXe0MEfkG9F6WokjNOH/1nKKiYxETfoQJAk60uND6oT9AcY+QkIKafmyo7q6jiQc08VRSuTjQc0l8wAH1MswjQeNeKY2gvTvMkkMGInT2pxJ2guGgRZ9UTRgofPYvuuCSDZAkCjUQ7oM7cqtyoG4V4gK00Bg6PR1kq7awWmci6NQ03QMXa96H7aiygnMxQph4kL4dKbQqrBJu1Keqsiyi7I72D7sV73gkIA==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=JLGf+Jw4DoZkWn07nHEf4c/xF0JjA6mtEGPc1F4Q8k44xFoHkTwIaXbMFF5DaLK4EaEOcURD+VsGwaSS19D0Y89om1l4ICzOntk6O0D6+UZG4lN5M15SUYwTS1EAsdXIgcLf8zChpu83TzjmDnozAZznzOZU5KEXp/bkocEBc5L3zlYjBaULkXltR2VJT9p4eRMW3K4bqERT0TZ5CZD4im3/4GiftPTsfx99l1Jav9teubV14MvOEywvxlmjugLIQAjz1HiphAep/RxAG5DIxCzXZUgJAHkC/beSDqYNG585/ObL/LEB40wOwQmUeg0PNtr4JJQycULGEkYxHhEIPw==
ARC-Authentication-Results: i=3; mx.microsoft.com 1; spf=pass (sender ip is 52.101.61.136) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=microsoft.com] dkim=[1,1,header.d=microsoft.com] dmarc=[1,1,header.from=microsoft.com])
Resent-From: <notification@merchantsales.onmicrosoft.com>
ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=DRrt4WaGKyoiMML6eb3SUwKLOq08R8bGVYB/L0QVlm3wcdm1XF/iQrj/RUS7YLnKlbIg0GH3KQNtpyOOzQnrCfm1mwbufpgpEcbjvFjEqAEtzzOU4V9ypfzuQEVEm7Cc78qZfdzJ50Hd8LgyA5vzscQFOJ8J1FQnb/S4M4AyVuhTYAtw8LFASe6GrJM82xQNWucTz82hmjBX1BONDgxYeeqVSBb6A+kmbj3M+5wcdQqXoZN5TC7R/cxuqZ40rCBYz2vz6+s74Z1X+SzYJnwZ21MDocRRX7fQhBwHwsdUKtckZMdk8UAdW5qjaDogoZzdTyI59J91KzvKD+gdfJn2Ug==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=g44v04/jeUniwLVld3n/6yh2nL45f+/OxI7yaXQedI85nRqtFrffhDNyMDl5Cj940rCVZZdViy0T9NosHJB9X4FGMV5g8NmrDoRwMCQIqunPNtG55KFuDGxAJscrZQcns/2zuiqgl1aq7Ei0g977GG8XQa9fivDMY8f+VNpeNCEID2ibd6YyXsOrH/Okb5OoGqr8BmXLzZorgM52sf3YJwluPUab7pLsxJOGZff+u4PoVhlJ+BFPKXJgC7cy6VRbJs3AIM2u6w/rWwfz4x0Tanp1Uy+AOKI+suaK6wSt2atjMAhMF6NbxsdmmriB8qikoDybhtNZb4SkX0/Ea85Vyg==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 52.101.61.136) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=microsoft.com] dkim=[1,1,header.d=microsoft.com] dmarc=[1,1,header.from=microsoft.com])
Received: from PH7P220CA0015.NAMP220.PROD.OUTLOOK.COM (2603:10b6:510:326::20) by PH7PR22MB5062.namprd22.prod.outlook.com (2603:10b6:510:312::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.18; Fri, 16 Aug 2024 13:36:51 +0000
Received: from MWH0EPF000A6733.namprd04.prod.outlook.com (2603:10b6:510:326:cafe::2) by PH7P220CA0015.outlook.office365.com (2603:10b6:510:326::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.19 via Frontend Transport; Fri, 16 Aug 2024 13:36:51 +0000
Authentication-Results-Original: spf=pass (sender IP is 52.101.61.136) smtp.mailfrom=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 52.101.61.136 as permitted sender) receiver=protection.outlook.com; client-ip=52.101.61.136; helo=DM1PR04CU001.outbound.protection.outlook.com; pr=C
Received: from DM1PR04CU001.outbound.protection.outlook.com (52.101.61.136) by MWH0EPF000A6733.mail.protection.outlook.com (10.167.249.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7849.8 via Frontend Transport; Fri, 16 Aug 2024 13:36:51 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=AvyM0FlxgT9SVxijT8tW0np3V9uiRpjFfHotFChyp9BMlncIf4Hl00T9mxKzXH56MByamyvAnJ5GBhvaHhoYHr+j04+w6DCt0gxFHptIuYoVa5b89ZPtcrrhukV3WQ1eJJ9pR+C26Ud7xzLBtR/fq0lJXBLVLexID8Cza0nFJoYej2fgA/2QL7mpU6chmw8D3+CLBRGO7IXVh6jTuD2U8Ls20N+gtQCu+siwP2AAw0O+zkbn9Y0bwFWz382Z/Jy5SB0VQhfdBatnM6eTQu+0uHe+SryGxVpDbtA7xKPLaYl/Cy45tGXiNLFGiP/1YWF4krqSrNz6JZblYIjl/zYFfg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=sWSleCpJwWIGLaz4N9y0Lthfugbg4WYoWQibVxI9g4yb++6KOYO97mXz3VMgHcwBPKL7i6yEg4UQH7EpJrpFYSprjtZ//3gqrP0nNZuWaWGN8br09mqbUz0hIViKQhuNBlCEEBYspyV9b8ZE1JGGipETP6qKqkpEGulu3iId0sFAYcIddJQxyW7UkArwNdPVarRVhZ643HbWPuiEYgSXemcsxmkoH5CHPBZ6rv7/cAw/sbwKdoBI2W/Bj6GzjKRNHhP2Fzkaz31XNjNAYBgOKY5Od6zfSYe+pKAfPOp/EUYm3O1lQoKsOuIVY1jW4VfsoJXSvgz8yvVQpPFARzwXRw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 20.97.34.221) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=V0jLNQ7LkoODwqICDAY2ZF7ia+g4glgQr9DQ/TKgmcnmgTnE8sMj3avExUXePg15WGgI4HgfXMM8hiBb4ic7GGY8cOyVkf82RqWoKsj8gu39myRpIeKtZORbvek4N0BOv1TufeYdn3oLUVvywhkFojX4KTesm0ALLhDzCBpZzpI=
Received: from CH0PR04CA0113.namprd04.prod.outlook.com (2603:10b6:610:75::28) by DM4PR21MB3345.namprd21.prod.outlook.com (2603:10b6:8:6b::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7897.11; Fri, 16 Aug 2024 13:36:46 +0000
Received: from CH2PEPF00000144.namprd02.prod.outlook.com (2603:10b6:610:75:cafe::b4) by CH0PR04CA0113.outlook.office365.com (2603:10b6:610:75::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7849.23 via Frontend Transport; Fri, 16 Aug 2024 13:36:46 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.97.34.221) smtp.mailfrom=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 20.97.34.221 as permitted sender) receiver=protection.outlook.com; client-ip=20.97.34.221; helo=mail-nam-cu04-sn.southcentralus.cloudapp.azure.com; pr=C
Received: from mail-nam-cu04-sn.southcentralus.cloudapp.azure.com (20.97.34.221) by CH2PEPF00000144.mail.protection.outlook.com (10.167.244.101) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7849.8 via Frontend Transport; Fri, 16 Aug 2024 13:36:45 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo; c=relaxed/relaxed; i=microsoft-noreply@microsoft.com; t=1723815405; h=from:subject:date:message-id:to:mime-version:content-type; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=UBZKKpiYDf2p/KxxPFGwvnXMRjaNpMAU2QLNOgp/jX2IL6YC9/C+iC9TOKPNzv6ZMZ/VbQT8FSu OTbgm3nlE2Z4QNDEVPhg0dtlxEIq0ekPNMunTXNMKbvCmOEbsTwfCwyCcK5bXUiqMiX/qmBo+I/jY 2S6RuDg7SlC/vbvAfNU=
From: Microsoft <microsoft-noreply@microsoft.com>
Date: Fri, 16 Aug 2024 13:36:45 +0000
Subject: Your Microsoft order on August 16, 2024
Message-ID: <1f146af7-4393-4815-958b-64498d68a06f@az.southcentralus.microsoft.com>
To: notification@merchantsales.onmicrosoft.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-QmAKbw7keMAjIz55DOIJ/Q=="
Return-Path: reply+SRS=Vuioy=PP=microsoft.com=azure-noreply@merchantsales.onmicrosoft.com
X-EOPAttributedMessage: 2
X-MS-TrafficTypeDiagnostic: CH2PEPF00000144:EE_|DM4PR21MB3345:EE_|MWH0EPF000A6733:EE_|PH7PR22MB5062:EE_|SJ1PEPF000023D8:EE_|DM4PR11MB6360:EE_|CH0PR11MB8190:EE_|PH8PR11MB6976:EE_
X-MS-Office365-Filtering-Correlation-Id: 75dbd73f-d123-4351-d9a3-08dcbdf88006
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|240411011799012|36860700013|69100299015|376014|82310400026|1800799024|36002699022;
X-Microsoft-Antispam-Message-Info-Original: [value omitted]
X-Forefront-Antispam-Report-Untrusted: CIP:20.97.34.221;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;PTR:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;CAT:NONE;SFS:(13230040)(240411011799012)(36860700013)(69100299015)(376014)(82310400026)(1800799024)(36002699022);DIR:OUT;SFP:1102;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR21MB3345
X-MS-Exchange-Transport-CrossTenantHeadersStripped: MWH0EPF000A6733.namprd04.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: MWH0EPF000A6733.namprd04.prod.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 5c556704-ff26-4c12-336c-08dcbdf87910
X-LD-Processed: 229e6f25-d8cf-4d00-bedf-3f6513ec3f0b,ExtAddr,ExtFwd
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|34036016|586017|7416014|376014|35042699022|48200799018|61400799027|69100299015;
X-Microsoft-Antispam-Message-Info-Original: [value omitted]
X-Forefront-Antispam-Report-Untrusted: CIP:52.101.61.136;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM1PR04CU001.outbound.protection.outlook.com;PTR:mail-centralusazon11020136.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(34036016)(586017)(7416014)(376014)(35042699022)(48200799018)(61400799027)(69100299015);DIR:OUT;SFP:1102;
X-ExternalRecipientOutboundConnectors: 229e6f25-d8cf-4d00-bedf-3f6513ec3f0b
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR22MB5062
X-EOPTenantAttributedMessage: 35163b8b-4c4e-4e19-b243-f07c1a6a27f0:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: SJ1PEPF000023D8.namprd21.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: SJ1PEPF000023D8.namprd21.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 2e33bed3-db7e-4df2-aca6-08dcbdf87c30
X-Moderation-Data: 8/16/2024 1:43:16 PM
X-LD-Processed: 35163b8b-4c4e-4e19-b243-f07c1a6a27f0,ExtAddr
X-Microsoft-Antispam: BCL:0;ARA:13230040|35042699022|48200799018|69100299015|61400799027|376014|7416014;
X-Microsoft-Antispam-Message-Info: 7PZuOGfIkCRZ2+vcoHQQhEJ0pcPulG3Nz6uM+iP8rAzMUk1OC7zOe5PQ4OhDxlTib/wr18Y6X2HY9eQsFILJ7yot1v8tN1sq4G9LEw1rlDbkB2UJUNeGw8caK0m1wADs79nwxX2zhMNYuftHqJKzD2HpdqW2+ZJygT8wrco7KCdxSLiWxjVEQUvB7TjVv4mP9i9r70azuEqbRq58R8VUSxamyfzDh4MaSQG0eyvt1GYjAOzNuCmerWw7WCwT/yXThcS0BQzVmNH+rvQPHlHABs3kLayc2atQETPixErH8ayw7v+/7rbhuadk31nqeaJjMqM9KGLdK9kotDZHyFS71lf1jHsDh3lEDEAeKIk/Z9RLBFpKi3Qe5HDrO6UYCT5kvu67fJortW52T+hEIPwXPk7Lxiou2T+ecM+fa8dFRWEa0nlxLV5hBie5TBgJM0rqyLyN9HrneBA7xWUuUG6zYL28TXj3GpcNZ3ZXoysqZ/aaFHsQcqCY3FqB/adOM5LFITuUsD34IGvOiDf+72b+t3WPqmfa9OkQ8LOG9fZ8h4tYry6vgmu0QeRnuNGvxwh49g2fdL8CSzbELotfDyJvYI84tWPyo8ouLiawmL1lDRxlOXGJKPUDJdXEBrf10Y/2V28I70puRd9FvAIcRPeAtuj071nLNh5dxwJln9uiptk4Y6SRvKKgsxsH6lvsK9QYv4Ux4d/8NLgrlXfnkqhpg2Ya5TUW8f+Mu8EHmUFDMD184gRI3tj6CY31k92L9JpcBmjX7Dz+YPIEHRB67skZ22wXP441H/LoJjpUTn4ypoGg5V/j4NohxUICvmYJDtQRgJxLdnUJFKMQBb2tJi63yl3PiqGiVIw1biieqQPWxgpzNxFvKYDNa4M54jedoSw8yzSKYjZF946BHorYQcSVW+9hUJt37SWuddaRBdQye6YGkg7ucv6Lx7K48cdiLiMCjBGd9PY0KZnt38CpsQbMRgSb9J3+ZENcEpazUfk5SLM8yXC17z5/6oEG7aGAxFHrlblR9+SNZ28RIxKlwq/u5M7v7iXWyet18BAV1rymBOH/kgX67Xe2Xz5FpZel0Pc1M5DOO+yV35Fp5eVeItyF0sPbDpQYBy3fWX46Sx+LXMIuOAdN5xcivcUQolN2tC/KkAJT9/Xq2nvxaZhR4GS335DJYnMa/R+nudZihDSy/S/wsGCIly+zoGX7/2YMwJXV/DuWn2qKjfkqIp8+HSxyv3igYJx42BKfHxVauOPpksyfSgM0g9sAhPTr5zkADIqVuHjHHOAxxGMfUhkY/L4AGB9RmL/jWeL1HRp6UYAOgWAfzjvgkyRovkVRTPOvc57+pEzxPjBa/6QfNyw/rF5Abg==
X-Forefront-Antispam-Report: CIP:40.107.237.100;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM12-BN8-obe.outbound.protection.outlook.com;PTR:mail-bn8nam12on2100.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(35042699022)(48200799018)(69100299015)(61400799027)(376014)(7416014);DIR:OUT;SFP:1102;
X-OriginatorOrg: NETORGFT13999698.onmicrosoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 75dbd73f-d123-4351-d9a3-08dcbdf88006
X-MS-Exchange-CrossTenant-Id: 35163b8b-4c4e-4e19-b243-f07c1a6a27f0
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47;Ip=[20.97.34.221];Helo=[mail-nam-cu04-sn.southcentralus.cloudapp.azure.com]
X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF000023D8.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Aug 2024 13:43:18.4797 (UTC)
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: TNqK0lMTbi5b9cLoJTq/GHEbYe4wyHYBhmT/1ejLVVqUrkYvOp19tSX71DdMDrGM9MvLXtV17oPeyLQiXpE+TUD9aAQPT1RQ4791E6c+gJaiRzGnp0fhqPj2msilb1c8Gepa3+KYNaDh5dIr7TI20sGkcYqilLDhHWJFtGRMMNtrcm2OXKZwAGSx/79mel9dvow4DbPSMu+bc8chuPwp8wxfxutdb4dnOpQ/6UGAAYyHbJNN0NhrYiHJfNTuQEgUS0PzWnX9mbCP11mngn02pA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH8PR11MB6976

There’s a lot of information here that is meaningless to most of you. But I am going to point out a few clues that indicate how the threat actors are pulling this off. Starting with this:

Return-Path: reply+SRS=Vuioy=PP=microsoft.com=azure-noreply@merchantsales.onmicrosoft.com

There are two hints packed into that one address. The “azure-noreply” and “microsoft.com” parts say that the message originally came out of Microsoft’s own Azure notification service (Azure is Microsoft’s cloud platform, the counterpart of Amazon Web Services). The “SRS” part says that it was then forwarded: SRS is the Sender Rewriting Scheme, which a forwarding mail server uses to rewrite the envelope sender to its own domain, here merchantsales.onmicrosoft.com, so that SPF still passes on the forwarded hop. Now look at the To: and Resent-From: lines further down the headers. Microsoft addressed this message to notification@merchantsales.onmicrosoft.com, a Microsoft 365 tenant that the threat actors control, and that tenant re-sent it onward. There are more traces of the same path. Such as this one:

X-Forefront-Antispam-Report-Untrusted: CIP:52.101.61.136;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM1PR04CU001.outbound.protection.outlook.com;PTR:mail-centralusazon11020136.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(34036016)(586017)(7416014)(376014)(35042699022)(48200799018)(61400799027)(69100299015);DIR:OUT;SFP:1102;

This is the verdict of Exchange Online Protection, the filtering layer in front of every Microsoft 365 mailbox (the header still carries the old Forefront product name), for the hop where Microsoft’s outbound server delivered the message into the threat actors’ tenant. Two things are worth reading correctly here. SCL:1 is the spam confidence level, and 1 means the filter classified the message as not spam and let it through. And the “-Untrusted” suffix does not mean the email was rated untrusted; it means this header was stamped by a different tenant earlier in the chain, so the next tenant demotes it rather than trusting it (the X-MS-Exchange-Transport-CrossTenantHeadersStripped and -Promoted lines show the same thing happening). Then there’s this one:

CIP:20.97.34.221;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;PTR:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;CAT:NONE;SFS:(13230040)(240411011799012)(36860700013)(69100299015)(376014)(82310400026)(1800799024)(36002699022);DIR:OUT;SFP:1102;

The sn.southcentralus.cloudapp.azure.com hostname is Microsoft’s Azure infrastructure; the South Central US region is in Texas. But note which tenant that IP is attributed to further down: X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp names TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47, which is Microsoft’s own corporate tenant, and the first DKIM signature on the message (selector s1024-meo, i=microsoft-noreply@microsoft.com) was made with Microsoft’s notification signing key. So this hop is not the threat actors sending anything from Azure. It is Microsoft sending a real order notification to the threat actors’ mailbox. In short, the threat actors set up a Microsoft 365 tenant, got Microsoft to generate a genuine order email to it, and then forwarded that email to their targets. The scam phone number must have gone in through some field that Microsoft’s own template reproduces, because nothing in the message changed after Microsoft signed it. Because the email is Microsoft’s own, signed by Microsoft, it sails into the inbox. The authentication results at the Google end show why:

ARC-Authentication-Results: i=6; mx.google.com;dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) 

Every check passes, and each one passes for a specific reason:

  • dkim=pass, twice: both microsoft.com signatures (selector2 and s1024-meo) still verify, because forwarding did not touch the signed headers or the body. You can confirm that yourself: the body hash bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg= is identical in the original DKIM-Signature and in every ARC-Message-Signature from i=1 through i=6.
  • spf=pass: SPF is evaluated against the envelope sender of the last hop, which SRS rewrote to bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com, and Microsoft’s outbound server 2a01:111:f403:2415::724 is a permitted sender for that domain. SPF here says nothing about microsoft.com at all.
  • dmarc=pass: DMARC needs only one aligned mechanism to pass, and the DKIM signatures align with the From: domain microsoft.com. Microsoft publishes p=REJECT, which would have killed a forged From: address, but it cannot reject a message that Microsoft really signed.
  • arc=pass: every forwarding hop sealed its own results (cv=pass on each ARC-Seal), so Google could trust that the earlier hops saw the same passes.

The lesson for anyone reading headers: SPF, DKIM and DMARC tell you that the From: domain is genuine and that the message was not altered in transit. They say nothing about whether the content is honest. A message that Microsoft truly generated can still carry a phone number the scammers typed in. The tells here are in the routing, not in the authentication: a To: address that is not yours, a Resent-From: line, and an SRS-rewritten Return-Path.

I have to admit that it is crafty for a threat actor to get Microsoft’s own infrastructure to generate and sign the scam email and then simply forward it. And it illustrates how threat actors are evolving to bypass the guardrails and safeguards that exist in order to get you to fall for their scam.
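To make that header walk repeatable, here is an added example (my own code, not the blog’s and not anything Microsoft or Google ships) that parses a header block, lists the hops oldest-first, pulls each ARC hop’s verdict, checks that every DKIM and ARC body hash agrees, and flags the forwarding tells: a Resent-From line, a To: that is not the Delivered-To, and an SRS-rewritten envelope sender. The embedded SAMPLE is trimmed from the headers shown in this post, with the reader’s redacted address replaced by the invented victim@example.org and the signature values shortened; the function and result key names are my own.

```python
"""Added example, not code from the original post: walk the Received / ARC / DKIM chain of a
forwarded notification and show why every check passed.  SAMPLE is trimmed from the headers in
the post; the reader's address is replaced by the made-up victim@example.org, signatures cut short."""
import re
import sys

SAMPLE = """\
Delivered-To: victim@example.org
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on20724.outbound.protection.outlook.com. [2a01:111:f403:2415::724])
 by mx.google.com with ESMTPS id 41be03b00d2f7-7c6b636fff7si3568330a12.599.2024.08.16.06.43.29 for <victim@example.org>; Fri, 16 Aug 2024 06:43:29 -0700 (PDT)
Authentication-Results: mx.google.com;
 dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;
 dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;
 spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) smtp.mailfrom="bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com";
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
ARC-Message-Signature: i=5; a=rsa-sha256; d=microsoft.com; s=arcselector10001; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=d8TPu7A2...
ARC-Authentication-Results: i=5; mx.microsoft.com 1; spf=pass (sender ip is 40.107.237.100) smtp.rcpttodomain=trendequity.org smtp.mailfrom=merchantsales.onmicrosoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (40.107.237.100)
 by SJ1PEPF000023D8.mail.protection.outlook.com (10.167.244.73) with Microsoft SMTP Server id 15.20.7897.4 via Frontend Transport; Fri, 16 Aug 2024 13:36:57 +0000
Resent-From: <notification@merchantsales.onmicrosoft.com>
ARC-Message-Signature: i=1; a=rsa-sha256; d=microsoft.com; s=arcselector10001; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=sWSleCpJ...
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 20.97.34.221) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=V0jLNQ7L...
Received: from mail-nam-cu04-sn.southcentralus.cloudapp.azure.com (20.97.34.221)
 by CH2PEPF00000144.mail.protection.outlook.com (10.167.244.101) with Microsoft SMTP Server id 15.20.7849.8 via Frontend Transport; Fri, 16 Aug 2024 13:36:45 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo; c=relaxed/relaxed; i=microsoft-noreply@microsoft.com; t=1723815405; h=from:subject:date:message-id:to:mime-version:content-type; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=UBZKKpiY...
From: Microsoft <microsoft-noreply@microsoft.com>
To: notification@merchantsales.onmicrosoft.com
"""

HOP_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[?((?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F]*:[0-9a-fA-F:]+)\]?")


def parse_headers(raw):
    """Unfold RFC 5322 continuation lines; return (lower-cased name, value) pairs in wire order."""
    lines = []
    for line in raw.splitlines():
        if not line:                                   # blank line ends the header section
            break
        if line[:1] in (" ", "\t") and lines:          # folded continuation of the previous header
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return [(n.strip().lower(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines)]


def received_hops(headers):
    """Each MTA prepends its own Received line, so reverse them to read the path oldest-first."""
    hops = []
    for name, value in reversed(headers):
        m = HOP_RE.match(value) if name == "received" else None
        if m:
            ip = IP_RE.search(m.group(2) or "")
            hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None, "by": m.group(3)})
    return hops


def arc_results(headers):
    """Per ARC instance: which hop validated what, and for which envelope (mailfrom / rcpttodomain)."""
    out = {}
    for name, value in headers:
        if name == "arc-authentication-results":
            res = dict(re.findall(r"\b(spf|dkim|dmarc|arc|smtp\.mailfrom|smtp\.rcpttodomain)=([^\s;]+)", value))
            out[int(re.search(r"\bi=(\d+)", value).group(1))] = res
    return out


def body_hashes(headers):
    """bh= from every DKIM and ARC signature; a single distinct value means no hop altered the body."""
    return [re.search(r"\bbh=([^;]+)", v).group(1).strip()
            for n, v in headers if n in ("dkim-signature", "arc-message-signature")]


def analyse(raw):
    headers = parse_headers(raw)
    first = dict(reversed(headers))                    # first occurrence of each header name
    hops, arc, hashes = received_hops(headers), arc_results(headers), body_hashes(headers)
    from_domain = re.search(r"@([\w.-]+)", first["from"]).group(1).lower()
    # SPF is judged on the envelope sender of the last hop, which the final receiver records here.
    last_mailfrom = re.search(r'smtp\.mailfrom="?([^\s;"]+)', first["authentication-results"]).group(1)
    original_rcpt = re.search(r"[\w.+-]+@[\w.-]+", first["to"]).group(0).lower()
    final_rcpt = first["delivered-to"].strip("<>").lower()
    checks = [
        ("resent-from" in first, "resent-from"),
        (original_rcpt != final_rcpt, "to-differs-from-delivered-to"),
        ("srs=" in last_mailfrom.lower(), "srs-rewritten-envelope"),   # forwarder rewrote MAIL FROM
        (last_mailfrom.rsplit("@", 1)[-1].lower() != from_domain, "envelope-sender-not-from-domain"),
    ]
    indicators = [label for hit, label in checks if hit]
    intact = len(set(hashes)) == 1                     # every DKIM/ARC bh= agrees
    verdict = ("body altered in transit" if not intact else
               "genuine signed message, forwarded intact" if indicators else "direct delivery")
    return {"origin_ip": hops[0]["ip"] if hops else None, "hops": hops, "arc": arc,
            "from_domain": from_domain, "original_recipient": original_rcpt,
            "final_recipient": final_rcpt, "signature_count": len(hashes),
            "body_hash_consistent": intact, "forwarding_indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    raw = (sys.stdin.read() if not sys.stdin.isatty() else "") or SAMPLE   # or: script.py < message.eml
    for key, value in analyse(raw).items():
        print(f"{key}: {value}")
```

Run it as-is and it walks SAMPLE; pipe a saved message into it to run it on your own mail. The verdict is deliberately narrow: consistent body hashes plus forwarding indicators means “somebody forwarded a genuine signed message”, which is exactly the situation in which SPF, DKIM and DMARC all pass and tell you nothing about the sender’s intent.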

As for the phone number, I called it. You shouldn’t. But I did. I found that nobody picked up my call. A major company like Microsoft would have picked up the call. Highlighting that this is a scam.

After looking at all of this, I told the reader to send the email that he got, as an attachment, to abuse@microsoft.com so that they can look at it. The reader also used Google Workspace’s “report phishing” option as he’s a Google customer when it comes to email. By doing both, I hope this scam gets shut down ASAP as I can see people falling for it.

Google Appears To Be Incentivizing Reviewers For Praise

Posted in Commentary with tags on August 17, 2024 by itnerd

From the “this is real shady” department comes reports like this one that appear to bring to light Google’s Team Pixel program. Here’s how the program works:

A company or PR representative reaches out to you because you have an audience; they want to market and grow hype around their new phone/product (in this case, the Pixel 9 series); you need new, shiny things for your channel, so you bite their hand off, and a box of shiny new toys wings its way to your home or studio.

But then reality sets in, the reality of how the B2C reviews machine really works. In order to get early access to these phones, and future phones, you must adhere to an agreement.

And what does that agreement stipulate?

Simple: you have to be positive about the product or else you’re off the team, no more new, free Pixel phones for you. With this kind of threat, of course, most will bend the knee. But some haven’t and some have even outed #teampixel on X, shout-out to Mark’s Tech.

Mark’s Tech is the guy who posted this to Twitter:

And this:

Now to be clear, this is being done by a PR company named 1000Heads. So there is the chance that Google was not even aware that this was going on. Though I seriously doubt that based on this:

I think this is called damage control.

Let me comment on this from the perspective of someone who does reviews. First of all I make it very clear here that I say what I want. And if a company doesn’t like that, fine. Go someplace else. I’m cool with that. Now the people from manufacturers and PR firms that I’ve dealt with over the years have never pulled a stunt like this on me. But at the same time, I go out of my way to avoid being put in a position where I might be incentivized to say nice things about a product. Because that’s simply not fair to my readership. That has likely meant that the readership of this blog hasn’t grown as fast as it could have if I were less ethical. But I’m fine with that as I can sleep at night.

Any company that does anything as shady as this needs to be called out and held accountable. Because the products a company makes should sell the most and be the best because they are the best and people in the business of reviewing products agree of their own free will and not because they were incentivized to say nice things. Anything else is just wrong.

Fubo Sports Network now available on Prime Video in Canada

Posted in Commentary with tags on August 16, 2024 by itnerd

FuboTV Inc. today announced the launch of Fubo’s owned and operated TV network, Fubo Sports Network, on Prime Video Channels in Canada. This marks the first time the sports network is available in Canada outside of a subscription to Fubo’s platform, making it accessible to Prime members across the country.  

Fubo Sports Network on Prime Video provides subscribers full access to a thrilling live sports catalog from soccer to MMA, including over 1,000 live events each year. The agreement also brings Fubo’s exclusive soccer content to Prime Video in Canada, including the English Premier League. In addition to leading soccer matches, programming includes partner content from both breakout and niche sports leagues such as Bare Knuckle Fighting Championship (BKFC), The Professional Fighters League (PFL) and World Poker Tour, among others.  

Fubo is the leading sports-first live TV streaming platform operating in Canada, the U.S., France and Spain. In Canada, Fubo has become the premier soccer streaming platform with local and international top-tier soccer content along with a growing offering of linear sports and entertainment channels. Cord cutters can stream Fubo on mobile and connected TV devices, or on the web, at the fraction of the cost of a cable TV subscription. 

New Research: Current Development Trends Significantly Challenging Application Security Modernization

Posted in Commentary with tags on August 16, 2024 by itnerd

Legit Security has released a report on the development trends driving the modernization of AppSec programs and on the pressing challenges that underscore the need to modernize AppSec practices in order to support growth and mitigate risk.

The report shows that application teams struggle with the speed and volume of releases and with prioritizing remediation, which highlights the importance of a modernized approach and of alignment with development and DevOps teams for improved collaboration.

Most organizations reported difficulties fixing vulnerabilities after applications were deployed, reinforcing the importance of incorporating security processes and tools into the build process. They also reported challenges with how developers work, including unsecured secrets, pipeline tools, containers, and source code repositories.

Key findings include: 

  • 60% use Infrastructure as Code (IaC) templates to simplify provisioning cloud infrastructure and quickly deploy software applications; 67% are experiencing increasing misconfigurations.
  • The top challenge for AppSec teams supporting cloud-native development processes is understanding and managing the risk associated with GenAI (45%).
  • 59% release new builds multiple times per week or more; the challenges of faster development cycles include prioritizing remediation, a lack of visibility and control, and software released without security testing.
  • Most use (64%) or plan to use (21%) GenAI or chatbots for code development; 83% of organizations are concerned about visibility into and discovery of developer usage of GenAI.
  • AI or GenAI (36%) is rated the element of the cloud-native application stack most susceptible to compromise and most concerning.
  • Only 39% of organizations report that their security teams have visibility for specific applications, reinforcing the need for visibility into security testing during development.

You can read the report here. There’s also a blog entry regarding this here.

T-Mobile Slapped With A Big Fine For Big Data Leaks

Posted in Commentary with tags on August 16, 2024 by itnerd

If you go through my blog, you’ll find example, after example, after example, after example, after example, after example of T-Mobile being pwned by hackers and customer data being exposed. And according to this Reuters story, the Committee on Foreign Investment in the United States has had enough of the pwnage and has decided to teach T-Mobile a lesson:

The Committee on Foreign Investment in the United States, or Cfius, fined T-Mobile $60 million earlier this year for failing to prevent or disclose unauthorized access to “certain sensitive data,” the panel said on its website. T-Mobile had signed a national security agreement with Cfius in 2018 as part of its merger with Sprint. 

This is the first time that the panel has disclosed the fine, and the decision to mention T-Mobile by name broke with past practice for a government body that’s known for secrecy and whose deliberations are often classified. The panel also published a list of all its penalties since 2018, though without naming the companies involved.

Cfius said the $60 million fine imposed on T-Mobile was the largest in its history. 

Now T-Mobile is a company that according to Wikipedia made about $14 billion in 2023. So a $60 million fine is likely going to be a rounding error to them. Because given how often they’ve been pwned by hackers, it’s pretty clear that they don’t take the security of their customers’ data seriously. Perhaps this fine will send a message that those in charge in the US are finally getting serious about punishing companies that screw up in this manner. Their next task in my opinion is to make the punishments hurt, and hurt so severely that it provides the proper incentive not to be T-Mobile. If I were them, I’d start with copying the EU, which got this part right years ago.

TELUS Expert Messaging Breaks Cover

Posted in Commentary with tags on August 15, 2024 by itnerd

TELUS International, rebranding to TELUS Digital Experience (TELUS Digital) later in the third quarter, is at the forefront of digitally transforming customer journeys for media and communications companies, including designing, building and implementing asynchronous messaging capabilities as part of an end-to-end, AI-fueled experience. Asynchronous messaging provides flexible two-way interactions that enable customers to start, pause and pick up conversations when it is most convenient for them, while simultaneously giving media and communications providers greater flexibility to triage and diagnose customer queries to provide thoughtful, accurate and personalized responses. Developed by TELUS International, TELUS Expert Messaging is a cutting-edge customer support tool seamlessly incorporated into the company’s existing My TELUS app. The new tool lets TELUS customers access human support whenever it is most convenient for them, 24×7, by sending a message from their mobile device and receiving a notification when an expert has responded, often resolving their inquiry in a single message. The flexible and convenient asynchronous chat feature eliminates wait times associated with traditional phone and live chat queues.

In order to protect against potential vulnerabilities and ensure a secure customer environment, asynchronous messaging systems must be built upon a strong foundation of data privacy and ethical standards. Incorporating Privacy by Design principles, and undergoing extensive risk mitigation testing are key to protecting user data and ensuring their ongoing security and trustworthiness.

Elevating TELUS’ premium digital experience above-the-line as a customer-first differentiator

A leading Canadian telecommunications provider and global technology company, TELUS, has partnered with its subsidiary TELUS International for nearly 20 years to support the ongoing evolution of its customer and employee experiences and operations, to become a fully digital and cloud-native organization.

TELUS Expert Messaging was developed using Engage by Local Measure, an intelligent, pre-built cloud contact center platform built on Amazon Web Services (AWS), to assist agents and provide more personalized omnichannel customer interactions. Engage integrates with Amazon Connect to seamlessly combine customer communications, Amazon Bedrock and machine learning into a single interface. Engage assists agents and improves customer interactions, providing a personalized omnichannel experience.

TELUS Expert Messaging is available in English, with a French version set to launch on MyTELUS app in the fourth quarter.

Learn how TELUS International and WillowTree, a TELUS International Company, can help your business elevate its customer experience with comprehensive AI solutions and expert consulting, and reduce its cost to serve by improving operational efficiencies at every stage of the customer journey. Reach out today to learn more and unlock the potential of Fuel iX for all industries and inquire specifically about accelerators available to media and communications brands to further expedite CX deployments.

Uber launches Uber One for Students in Canada

Posted in Commentary with tags on August 15, 2024 by itnerd

As the back-to-school shopping season ramps up, budget-conscious students now have a new way to save on rides and other essentials. Just in time for the fall semester, Uber is launching Uber One for Students in Canada, a special discounted version of our Uber One membership program. 

Whether they’re heading to an early-morning lecture or fueling a late-night study session, postsecondary students can now enjoy significant savings on rides and Uber Eats deliveries within their campus communities and wherever Uber and Uber Eats are available. 

Here are the key membership benefits: 

  • Free Trial: Students who have never used Uber One can try Uber One for Students for free for their first four weeks
  • Membership Cost: $4.99/month (50% off regular price) 
  • Delivery Perks: $0 Delivery Fee on eligible food ($15+ basket), groceries ($40+ basket) and more plus 5% off eligible deliveries and pick up orders  
  • Cashback: Earn 5% Uber Cash on eligible rides
  • Top-Rated Drivers: Only ride with top-rated drivers 

Uber also has students covered with their own exclusive deals to keep them fueled and focused:

  • Domino’s 🍕: 10% off every order, plus a free order of Parmesan Bread Bites on Wednesdays with orders over $25
  • Starbucks ☕: 10% off coffee runs, in addition to the $0 Delivery Fee and 5% off Uber One benefit
  • Osmow’s 🥙: 5% off Osmow’s orders of $15+, plus a free order of Falafel on Mondays on orders of $15+
  • Mary Brown’s 🍗: 5% off Mary Brown’s orders of $15+, plus a free Big Mary on Tuesdays on orders of $15+

DNC Dealing With A Potential Data Leak Just Days Before Their Convention

Posted in Commentary with tags on August 15, 2024 by itnerd

A firm called ZeroFox released a report on Wednesday, titled “Threats to the Democratic National Convention in Chicago.” The report basically claims the following:

Ahead of the DNC, ZeroFox identified Telegram-based bot service “IntelFetch” aggregating compromised credentials related to the Democratic Party and the DNC.

And:

The exposed data, consisting predominantly of URLs paired with login credentials or login pairs, appears to originate from botnet logs and third-party data breaches. While this exposure does not seem to result from a targeted attack, it poses a risk of unauthorized access to sensitive systems and information within the Democratic Party and the DNC. Compromised credentials belonging to registered individuals and staff members of these entities could be used to infiltrate secure systems, access confidential information, and disrupt operations. This unauthorized access could impact the security and integrity of party activities and the upcoming DNC.

Given the political climate in the United States at the moment, that’s likely not good. Tom Marsland, VP of Technology, Cloud Range had this to say:

Compromised credentials of the DNC go to show the lengths that threat actors will go to, to research their targets and exploit them. While there is no indication that these accounts were directly compromised, this also highlights the importance of basic cyber hygiene. In the current threat landscape, everyone is a target, and especially those who are working towards a specific interest (in this case politics) where there is “another side”. As we move deeper into election season, it will be important for everyone to remain vigilant and call out mis- and disinformation campaigns that could lead voters astray. One of the pillars of our country is free and fair elections, and as cyber professionals, all of us should rise up to denounce these attacks, thwart them through stronger defense (which includes user education on cyber hygiene – MFA, strong passwords, etc.), and band together for the common good of our elections.

Now the DNC has pushed back strongly on this report:

“The language in this report is an irresponsible and inaccurate characterization of the facts,” a DNC spokesperson said. “We take cybersecurity very seriously and have been preparing to host a safe and successful convention for over a year.”

DNC officials added that the records referenced in the ZeroFox report were from 2016, are no longer active and were accessed via external websites, not the official DemConvention[.]com website.

In my mind, any data leak is a bad thing. And I suspect that privately the DNC is super concerned about this. And I also suspect that they’re hoping that this isn’t the tip of the iceberg so to speak.
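The ZeroFox description above (URLs paired with login credentials, sourced from botnet logs and third-party breaches) and the DNC’s reply (records from 2016, no longer active) together describe the triage question a defender faces when such a dump surfaces: which entries touch our domains, which of those accounts are still live, and which just need logging. The following is an added example written for this post, not ZeroFox’s, the DNC’s or any vendor’s tooling. The entry format, domains, usernames and the account directory are all constructed; the secret field is read only to validate the line shape and is never stored or printed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set
from urllib.parse import urlparse

# Constructed sample in the "URL | login | secret" shape the report describes.
# Every domain, name and value here is made up for illustration.
EXPOSED_ENTRIES = [
    "https://mail.example-party.org/login|alice@example-party.org|REDACTED",
    "https://portal.example-convention.com/|bob@example-convention.com|REDACTED",
    "https://shop.unrelated-retailer.test/account|carol@example-party.org|REDACTED",
    "vpn.example-party.org|dave@example-party.org|REDACTED",
    "https://forum.unrelated.test/|erin@mail.test|REDACTED",
    "not a valid line",
]

# Domains the organization owns and wants exposures matched against (constructed).
MONITORED_DOMAINS: Set[str] = {"example-party.org", "example-convention.com"}

# Constructed identity-directory snapshot: login -> is the account still active?
# Accounts missing from this map are unknown (e.g. removed years ago).
ACTIVE_ACCOUNTS: Dict[str, bool] = {
    "alice@example-party.org": True,
    "bob@example-convention.com": False,   # deprovisioned, like the 2016-era records
    "carol@example-party.org": True,
}


@dataclass
class Finding:
    url: str
    username: str
    reason: str   # "org_host", "org_email" or "none": why the entry is in scope
    action: str   # what the response team should do with it


def in_monitored(host: str, domains: Set[str]) -> bool:
    """True if host is one of the monitored domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(line: str, domains: Set[str], active: Dict[str, bool]) -> Finding:
    parts = line.split("|")
    if len(parts) != 3:
        return Finding(line, "", "none", "malformed")
    url, username, _secret = (p.strip() for p in parts)   # secret deliberately dropped
    if "://" not in url:                                     # bare hosts appear in such logs
        url = "https://" + url
    host = urlparse(url).hostname or ""

    if in_monitored(host, domains):
        reason = "org_host"            # credential for one of our own services
    elif "@" in username and in_monitored(username.split("@", 1)[1], domains):
        reason = "org_email"           # our email used on a third-party site: reuse risk
    else:
        return Finding(url, username, "none", "out_of_scope")

    status = active.get(username.lower())
    if status is None:
        action = "unknown_account"     # not in the directory: confirm it really is gone
    elif status:
        action = "reset_and_verify_mfa"
    else:
        action = "stale_credential"    # inactive account: record it, no reset possible
    return Finding(url, username, reason, action)


def triage(lines: Iterable[str], domains: Set[str], active: Dict[str, bool]) -> List[Finding]:
    return [classify(line, domains, active) for line in lines]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per recommended action, for a quick incident summary."""
    return dict(Counter(f.action for f in findings))


if __name__ == "__main__":
    for f in triage(EXPOSED_ENTRIES, MONITORED_DOMAINS, ACTIVE_ACCOUNTS):
        print(f"{f.action:22} {f.reason:9} {f.username:30} {f.url}")
    print(summarize(triage(EXPOSED_ENTRIES, MONITORED_DOMAINS, ACTIVE_ACCOUNTS)))
```

The "org_email" branch is the one most teams forget: a password captured on an unrelated shopping site tells you nothing about the party’s own systems unless the person reused it, which is exactly why the finding is routed to a reset plus an MFA check rather than dismissed. The "stale_credential" branch is what the DNC’s statement describes; those entries are worth keeping in the incident record even though nothing can be reset.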

New Paris Olympics Infrastructure Attack Threat Landscape Research Reports 166 Abused Domains

Posted in Commentary with tags on August 15, 2024 by itnerd

BforeAI has released the 2024 Paris Olympic Games Infrastructure Attack Report, which details the domain and infrastructure-based threats uncovered related to the Paris Olympics.

By analyzing domains newly registered in the two weeks before the event, a window that shows a rise in malicious activity, BforeAI researchers discovered 166 unique domains that exhibited the common signs of DNS abuse.

Significant use of keywords related to the Olympics and to specific years or events was found, in an attempt to attract traffic and appear relevant to search engines; registering early also gives the domains in this cybercriminal infrastructure the advantage of ‘domain age,’ which can influence their future SEO.

Counterfeit Olympic shop domains were increasingly prevalent in the lead-up to the Paris Olympics, potentially resulting in significant financial losses for fans and enthusiasts looking to purchase official merchandise and experiences. 

The technical analysis presents examples of fake shops set up before the Olympics to commit economic fraud and collect personal information while posing as top-selling stores, of tickets sold through fake websites for monetary gain and information harvesting, and of different websites claiming to support their respective countries.
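The report’s approach, as summarized above, is to look at newly registered domains and score them on Olympic-themed keywords, year tokens and shop or ticket lures. The following is an added example written for this post, not BforeAI’s own method or code: a small keyword scorer of the kind a brand-protection or SOC team would run over a daily newly-registered-domain feed to pick out candidates for review. The domain list, keyword sets, weights and threshold are all constructed assumptions; the scoring is a heuristic for triage, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed "newly registered" domains for illustration; none come from the report.
SAMPLE_DOMAINS = [
    "paris2024-official-tickets.com",
    "olympics-shop-2024.net",
    "jeux-olympiques-merch.store",
    "bakery-lyon.fr",
    "team-usa-fan-store.org",
    "weather-forecast-daily.com",
    "olympic-games-live-stream.xyz",
    "quarterly-report-archive.net",
]

# Event terms (matched as substrings, so "olympiques" also hits "olympique") and
# lure terms (matched as whole labels). Both lists are assumptions for this example.
EVENT_KEYWORDS = {"olympic", "olympique", "paris2024", "jeux"}
LURE_KEYWORDS = {"shop", "store", "merch", "ticket", "tickets",
                 "official", "stream", "live", "fan"}
YEAR_RE = re.compile(r"(?<!\d)(20[23]\d)(?!\d)")   # 2020-2039, not part of a longer number

EVENT_WEIGHT = 3   # an event term is the strongest single signal
LURE_WEIGHT = 1    # each distinct lure term adds a point
YEAR_WEIGHT = 1    # a plausible event year adds a point


def tokenize(domain: str) -> List[str]:
    """Split a domain into lowercase labels, including the TLD (".store" is itself a lure)."""
    return [t for t in re.split(r"[^a-z0-9]+", domain.lower()) if t]


def score_domain(domain: str) -> Tuple[int, Dict[str, List[str]]]:
    """Return (score, reasons) for one domain; reasons lists the matched terms."""
    tokens = tokenize(domain)
    reasons: Dict[str, List[str]] = {"event": [], "lure": [], "year": []}

    for tok in tokens:
        for kw in EVENT_KEYWORDS:
            if kw in tok and kw not in reasons["event"]:
                reasons["event"].append(kw)
    reasons["lure"] = sorted(kw for kw in LURE_KEYWORDS if kw in tokens)
    reasons["year"] = YEAR_RE.findall(domain)

    score = 0
    if reasons["event"]:
        score += EVENT_WEIGHT          # counted once however many event terms matched
    score += LURE_WEIGHT * len(reasons["lure"])
    if reasons["year"]:
        score += YEAR_WEIGHT           # counted once
    return score, reasons


def flag_domains(domains: List[str], threshold: int = 4) -> List[Tuple[str, int]]:
    """Domains that mention the event and reach the threshold, highest score first."""
    flagged = []
    for d in domains:
        score, reasons = score_domain(d)
        if reasons["event"] and score >= threshold:
            flagged.append((d, score))
    return sorted(flagged, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for domain, score in flag_domains(SAMPLE_DOMAINS):
        print(f"{score:2}  {domain}  {score_domain(domain)[1]}")
```

Requiring an event term before a domain can be flagged is what keeps "team-usa-fan-store.org" (two lure terms, no event term) out of the review queue, while a fused token like "paris2024" still scores on both the event and the year. In practice the input list would come from certificate transparency logs or zone-file diffs, and a flagged domain would go on to the content and hosting checks the report describes rather than being blocked on the score alone.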

You can read the report here.