Internal Phishing

KatyComputer

Well-Known Member
Sep 26, 2019
We are seeing phishing attacks where the email appears to be from one staff member (employee) to another staff member (accountant). The domain is properly configured with SPF/DKIM records, so I was baffled until I looked at the headers. The evil-doer is using authentic (but evil) Return-Path:, X-Sender: and Reply-To: headers to phish our clients.

Anyone have clever tricks to block this effort:
Code:
Delivered-To: morgan.accountant@customer.com
Return-Path: gwen@gwendolynw.com
Received-SPF: none (gwendolynw.com: No applicable sender policy available) receiver=mx.security.com; identity=mailfrom; envelope-from="gwen@gwendolynw.com"; helo=p3plwbeout27-06.prod.phx3.secureserver.net; client-ip=216.69.139.56
Received: from p3plwbeout27-06.prod.phx3.secureserver.net (p3plsmtp27-06-2.prod.phx3.secureserver.net [216.69.139.56])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mx.security.com (KatyComputer) with ESMTPS
    for <morgan.accountant@customer.com>; Mon, 14 Nov 2022 13:09:48 -0600 (CST)
Received: from p3plgemwbe27-01.prod.phx3.secureserver.net ([10.36.136.31])
    by :WBEOUT: with SMTP
    id ueiKoJDwYK9TnueiKoySZl; Mon, 14 Nov 2022 12:01:48 -0700
X-CMAE-Analysis: v=2.4 cv=eKHWMFl1 c=1 sm=1 tr=0 ts=6372909c
 a=wyIkHV4v9QDcqtJhzmByXA==:117 a=O0uf6D4JcKgA:10 a=snqOvnsXdMYA:10
 a=IkcTkHD0fZMA:10 a=9xFQ1JgjjksA:10 a=PTQOsGrJGsurKYCY8JMA:9
 a=_W_S_7VecoQA:10 a=QEXdDO2ut3YA:10
X-SECURESERVER-ACCT: gwen@gwendolynw.com
X-SID: ueiKoJDwYK9Tn
Received: (qmail 31827 invoked by uid 99); 14 Nov 2022 19:01:48 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 205.185.209.22
User-Agent: Workspace Webmail 6.12.11
Message-Id: <20221114120146.51f2b9cedf4b782d679da89b590aca66.5368824cee.wbe@email27.godaddy.com>
From: "Michelle employee" <michelle.employee@customer.com>
X-Sender: gwen@gwendolynw.com
Reply-To: "Michelle employee" <michelle.employee@direckto.pics>
To: "morgan.accountant@customer.com" <morgan.accountant@customer.com>
subject: SPAM: ALTERNATION OF PAYCHECK/DD DETAILS
Date: Mon, 14 Nov 2022 12:01:46 -0700
 
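A small header check for the pattern in the post above, added here as an example; it is not code from the original post or from Proxmox Mail Gateway. It parses the headers quoted in the thread (trimmed to the fields it reads) plus a constructed legitimate message, and flags mail whose From: domain is one of ours while the envelope sender (Return-Path:), the Received-SPF: result or the Reply-To: domain disagree. The `internal_domains` set, the `LEGIT_HEADERS` sample and the function names are assumptions made for the example.

```python
"""Flag mail whose From: claims an internal domain while the envelope sender,
SPF result or Reply-To: point elsewhere (the pattern shown in the thread)."""
import email
from email.utils import parseaddr

# Header excerpt copied from the thread's post, trimmed to the fields the check reads.
PHISH_HEADERS = """Return-Path: gwen@gwendolynw.com
Received-SPF: none (gwendolynw.com: No applicable sender policy available) receiver=mx.security.com; identity=mailfrom; envelope-from="gwen@gwendolynw.com"; helo=p3plwbeout27-06.prod.phx3.secureserver.net; client-ip=216.69.139.56
From: "Michelle employee" <michelle.employee@customer.com>
X-Sender: gwen@gwendolynw.com
Reply-To: "Michelle employee" <michelle.employee@direckto.pics>
To: "morgan.accountant@customer.com" <morgan.accountant@customer.com>
Subject: ALTERNATION OF PAYCHECK/DD DETAILS

"""

# Constructed counter-example (not from the thread): a genuine internal message,
# so the negative case is exercised too.
LEGIT_HEADERS = """Return-Path: <michelle.employee@customer.com>
Received-SPF: pass (customer.com: sender is authorised) receiver=mx.security.com; identity=mailfrom; envelope-from="michelle.employee@customer.com"
From: "Michelle employee" <michelle.employee@customer.com>
To: morgan.accountant@customer.com
Subject: Timesheet

"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, '' if absent or malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spf_result(received_spf):
    """First token of Received-SPF (pass/fail/softfail/none/...); 'none' if missing."""
    if not received_spf:
        return "none"
    return received_spf.split(None, 1)[0].lower()


def check_internal_spoof(raw_headers, internal_domains):
    """Return a list of findings; an empty list means the pattern was not seen."""
    msg = email.message_from_string(raw_headers)
    from_dom = domain_of(msg["From"])
    if from_dom not in internal_domains:
        return []  # external senders go through the normal SPF/DKIM/DMARC path
    envelope_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom
    spf = spf_result(msg["Received-SPF"])
    findings = []
    if envelope_dom != from_dom:
        findings.append(
            f"From: claims {from_dom} but envelope sender is "
            f"{envelope_dom or '<empty>'}: no SPF alignment")
    if spf != "pass":
        findings.append(f"Received-SPF result is '{spf}', not 'pass'")
    if reply_dom != from_dom:
        findings.append(f"Reply-To: redirects replies to {reply_dom}")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("phish", PHISH_HEADERS), ("legit", LEGIT_HEADERS)):
        print(label, check_internal_spoof(hdrs, {"customer.com"}) or "clean")
```

Run against the thread's headers it reports all three mismatches (unaligned envelope domain gwendolynw.com, SPF "none", Reply-To on direckto.pics); the constructed legitimate message comes back clean. The envelope/From alignment test is the same one DMARC performs, so publishing a DMARC policy for the internal domain and having the gateway enforce it covers this pattern without a custom script; the script is useful for batch-checking exported headers while that is being set up.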
Can you post logs from the Proxmox Mail Gateway tracking center for this message? The headers from this email do not help us much...