Headers ====================================== Date: Fri, 16 Sep 2022 19:20:13 +0000 Subject: Re: Reminder: [Activity Report] Your account is sign in on a new device. Friday, September 16, 2022 #[636274168] To: asmith@hotmail.com From: cafepress@mail.cafepress.com Reply-To: Return-Path: msprvs1=XjGVrJidPKaSN=bounces-098020-32419@tbh51blx.imdreampores.ovh Sender IP: 209.85.221.104 Resolve Host: mail-wr1-f104.google.com Message-ID: URLs ====================================== hxxps[://]cabinetlekagni[.]com/ Attachments ====================================== Attachment Name: MD5: SHA1: SHA256: Description ====================================== This email is claiming to be from "Amazon Prime Support", and it is asking the receipient to verify their account. It claims that the account has been place on hold due to a suspicious login. There are several indicators of urgency with the context of this email, as it claims the account will suspended by "September 17, 2012" if the account is not verified by then, Artifact Analysis ====================================== Sender Analysis: Although claiming to be from Amazon Prime, the address clearly indicates a mailbox originating from an unrelated domain. Additinally, the Return-Path and Received headers indicate that this email orginated from a google.com mail server and also utilized OVH Cloud hosting technology, neither of which are affiliated with Amazon. URL Analysis: After performing a URL reputation check using URLScan and VirusTotal, the URL with the call to action button of this email was found to be malicious, as it redirects to a phishing website. It appears to be hosting a credential capture page, that when submitted, will log and steal the credentials of any victims. Attachment Analysis: Verdict ====================================== Due to the original sender being unaffiliated with Aamazon, this email is a clear impersonation and spoofing attempt. Additionally, after analyzing the URL contained in the meail's call to action, it was flagged on URLScan and Virus Total to be malicious. (Insert screenshot evidence) As a result of the analysis, this email has been determined to be malicious. Defense Actions ====================================== After perfoming a message trace, no othe users within the organization received an email from this sender or with this subject line. To prevent the malicious sender from sending any other email to the organization, l have blocked the email "cafepress@mail.cafepress.com" email addresss on the email gateway. DUe to the malicious nature of the domain, l have blocked any incoming emails that contain "cabinetlekagni[.]com" on the email gateway. To ensure users are unable to access this malicious URL or domain, l have blocked "cabinetlekagni[.]com" on the EDR and on the Web Proxy.