Suspicious email received.

  • Gabriel McWilliams
    Asked on June 09, 2020 at 02:51 PM

    Hello, my client received an email with a suspicious link in it. The header information shows the following email address in the return path: [returns@jotform.com]. Below is the header information and a screenshot of what the email looked like.

    We are asking that you investigate. I realize any email address in the headers can be spoofed, but I wanted to bring it to your attention for your review. If you can let us know whether it is a real threat or it's benign, that would help us resolve this case with our client.

    Header Information:

    Reply-To: "ice@magicicescraper.com" <ice@magicicescraper.com>
    X-Related: Jotform User Emails
    Received: from ADCM5130.AdcbMis.local (10.100.132.114) by ADCM6037.AdcbMis.local (10.146.130.98) with Microsoft SMTP Server (TLS) id 14.3.439.0; Tue, 9 Jun 2020 09:21:10 +0400
    Received: from ADCA5106.adcbmis.local (10.100.132.143) by ADCM5130.AdcbMis.local (10.100.132.114) with Microsoft SMTP Server id 14.3.439.0; Tue, 9 Jun 2020 09:21:09 +0400
    Received: by ADCA5106.adcbmis.local (Postfix, from userid 600) id 49gz4544Q2z2JMl7; Tue,  9 Jun 2020 09:20:15 +0400 (+04)
    Received: from newmail.adcb.com (unknown [10.100.132.90]) by ADCA5106.adcbmis.local (Postfix) with ESMTP id 49gz303zNqz2JMkM for <paul.keating@adcb.com>; Tue,  9 Jun 2020 09:20:12 +0400 (+04)
    Received: from mail6.bemta26.messagelabs.com ( [85.158.142.153]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by newmail.adcb.com (Symantec Messaging Gateway) with SMTP id 55.B9.02013.60C1FDE5; Tue,  9 Jun 2020 09:20:07 +0400 (+04)
    Received: from [100.113.7.196] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-2.bemta.az-b.eu-central-1.aws.symcld.net id 4F/9C-28582-A0C1FDE5; Tue, 09 Jun 2020 05:20:10 +0000
    Received: (qmail 31020 invoked from network); 9 Jun 2020 05:20:09 -0000
    Received: from hm-mta5.jotform.com (HELO hm-mta5.jotform.com) (78.157.218.87) by server-2.tower-246.messagelabs.com with ECDHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 9 Jun 2020 05:20:09 -0000
    Received: from go-workers-dtcb (unknown [78.157.218.82]) by hm-mta5.jotform.com (Postfix) with ESMTP id 91D2BEA0905 for <paul.keating@adcb.com>; Tue,  9 Jun 2020 01:20:08 -0400 (EDT)
    Received: by go-workers-dtcb (Postfix, from userid 1100) id 25392BBEB3; Tue, 9 Jun 2020 01:20:08 -0400 (EDT)
    Received: Tue, 9 Jun 2020 09:21:12 +0400
    X-Msmail-Priority: Normal
    X-Starscan-Version: 9.50.1; banners=-,-,-
    X-Starscan-Received: 
    X-Starscan-Received: 
    Return-Path: returns@jotform.com
    X-Originating-Ip: [78.157.218.87]
    X-Ms-Exchange-Organization-Authmechanism: 10
    X-Exclaimer-Md-Config: decbec01-dd04-44e3-a58e-c27363208109
    Mime-Version: 1.0
    Thread-Index: AQHWPh3K5VwgUN2ddEmyzBtyw4zGHA==
    X-Auditid: c0a8cb6e-787fb700000007dd-f4-5edf1c05b558
    X-Adcb: 1
    X-Env-Sender: returns@jotform.com
    Authentication-Results: mx.messagelabs.com; spf=pass   (server-2.tower-246.messagelabs.com: domain of jotform.com designates   78.157.218.87 as permitted sender) smtp.mailfrom=jotform.com; dkim=pass   (good signature) header.i=@jotform.com header.s=mail; dmarc=pass   (p=quarantine adkim=r aspf=r) header.from=jotform.com
    X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrNIsWRWlGSWpSXmKPExsXiN/dWuC6nzP0  4g0PtOhY31yxjdWD02Li6jS2AMYo1My8pvyKBNaNx9SOmgjNiFfeWHWZpYNwq0sXIxSEksINR  ou/MPjYQh0XgBZPE3d9XGLsYOYEyeRKXex6zdDFycIgISEpMmpkMYgoLWEr82xwFUsEioCLx8  t5BJpAwm4CFxL0VfhCNihKXb59iBbF5BVwkbv/9AmZLCPBKzGh/ygJhy0kcPbqCGaJGUOLkzC  dgi5gF1CSWtSqBhJkF5CWat85mnsDINwtJ1SyEqllIqhYwMq9itEgqykzPKMlNzMzRNTQw0DU  0NNY1A7L0Eqt0k/RSS3WTU/NKihKBknqJ5cV6xZW5yTkpenmpJZsYgWGYUsjGtYPx6esPeocY  JTmYlER5WznuxwnxJeWnVGYkFmfEF5XmpBYfYpTh4FCS4F0oCZQTLEpNT61Iy8wBxgRMWoKDR  0mE954UUJq3uCAxtzgzHSJ1ijGQ4+DReYuYOZ6CyTOrlgDJj2DyO5j8ASabPgBJIZa8/LxUKX  FeNmmgQQIggzJK8+DWwOL8EqOslDAvIwMDgxBPQWpRbmYJqvwrRnEORiVh3iiQKTyZeSVw17w  COpQJ6NAb5fdADi1JREhJNTAdfrEpcJt4w5K/3N9+S0yz+75fuYyrtPabktO2kCtPGKOXXlUL  55J/X7BEu2L1ztDuF/bhQcWCAhJfvy1/9dPhjFGb3HLpNMn+pQL5+ff/lssrL9959m/tbw55t  rnHj15jy9Sc6SlzLWS2vFW54w8J3z0Hk3cni93Q+OBiZzlZpnKdi+v0pu//WlI7GvOUCkPLP+  rPFLD/uTHwtFLj712b7Q4pVPRuyDDRz7HkmZZwwykvX+3HMRZNs+2O3tfv7Jh/SeTTopwpVxY  I3Rf367QxNlx3PELISow/PfUBu+KM17GtTf5SedEZ0uyrd613DvD1dmOUKnrenPG7oNR7c/KM  IJOnVpeDL0x15DeRVmIpzkg01GIuKk4EAMMiAcduAwAA
    X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrNIsWRWlGSWpSXmKPExsXiN/dWuC6nzP0 4g0PtOhY31yxjdWD02Li6jS2AMYo1My8pvyKBNaNx9SOmgjNiFfeWHWZpYNwq0sXIxSEksINR ou/MPjYQh0XgBZPE3d9XGLsYOYEyeRKXex6zdDFycIgISEpMmpkMYgoLWEr82xwFUsEioCLx8 t5BJpAwm4CFxL0VfhCNihKXb59iBbF5BVwkbv/9AmZLCPBKzGh/ygJhy0kcPbqCGaJGUOLkzC dgi5gF1CSWtSqBhJkF5CWat85mnsDINwtJ1SyEqllIqhYwMq9itEgqykzPKMlNzMzRNTQw0DU 0NNY1A7L0Eqt0k/RSS3WTU/NKihKBknqJ5cV6xZW5yTkpenmpJZsYgWGYUsjGtYPx6esPeocY JTmYlER5WznuxwnxJeWnVGYkFmfEF5XmpBYfYpTh4FCS4F0oCZQTLEpNT61Iy8wBxgRMWoKDR 0mE954UUJq3uCAxtzgzHSJ1ijGQ4+DReYuYOZ6CyTOrlgDJj2DyO5j8ASabPgBJIZa8/LxUKX FeNmmgQQIggzJK8+DWwOL8EqOslDAvIwMDgxBPQWpRbmYJqvwrRnEORiVh3iiQKTyZeSVw17w COpQJ6NAb5fdADi1JREhJNTAdfrEpcJt4w5K/3N9+S0yz+75fuYyrtPabktO2kCtPGKOXXlUL 55J/X7BEu2L1ztDuF/bhQcWCAhJfvy1/9dPhjFGb3HLpNMn+pQL5+ff/lssrL9959m/tbw55t rnHj15jy9Sc6SlzLWS2vFW54w8J3z0Hk3cni93Q+OBiZzlZpnKdi+v0pu//WlI7GvOUCkPLP+ rPFLD/uTHwtFLj712b7Q4pVPRuyDDRz7HkmZZwwykvX+3HMRZNs+2O3tfv7Jh/SeTTopwpVxY I3Rf367QxNlx3PELISow/PfUBu+KM17GtTf5SedEZ0uyrd613DvD1dmOUKnrenPG7oNR7c/KM IJOnVpeDL0x15DeRVmIpzkg01GIuKk4EAMMiAcduAwAA
    X-Priority: 3
    X-Viruschecked: Checked
    X-Ms-Exchange-Organization-Authsource: ADCM5130.AdcbMis.local
    <df424fca0e8c1d9f9f7959b6a56558c4@localhost.localdomain>
    Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=jotform.com; s=mail; t=1591680008; bh=F27MzkzBc1dnjxSxXdEJOXgrr6WmrOmdUMOXMRZivVc=; h=To:Subject:Date:From:Reply-To:From; b=pbf8NMmVQe5kbV1KQdYG5miKmxgdSRIeD+1pkaDrYpyd43sALTQDggdSue7+rq/me   yzniDx6zzEGfSLv8fQ7k83UW589C+kIjkoJn+uUelq/EmvXlkiijj0jXdbjF02fQdV w71r0MSmY8jDs8XvL+xOnUIVpdn5vVWVkA4Qfr/Y=
    X-Spamreason: No, hits=3.7 required=7.0 tests=newsletters: , FROM_EXCESS_BASE64,HTML_MESSAGE,HTML_OBFUSCATE_60_70,HTML_TINY_FONT, MIME_HTML_ONLY,domain_age: babykidseigo.com:a=4,s=body; {END}
    X-Msg-Ref: server-2.tower-246.messagelabs.com!1591680009!2465273!1
    X-Ms-Exchange-Organization-Avstamp-Mailbox: SYMANTEC;717750784;0;info
    Content-Type: Multipart/alternative; charset=utf-8; boundary="00B0FEED_message_boundary"
    Content-Description: Multipart message
    X-Ms-Exchange-Organization-Authas: Internal

    Screenshot
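The headers in the question already answer the "spoofed or real?" part of the triage: the receiving gateway's Authentication-Results records spf=pass, dkim=pass and dmarc=pass for jotform.com, and the first Received hop is Jotform's own MTA, so the envelope sender was not forged; what stands out instead is a Reply-To at a different domain (magicicescraper.com), the pattern of a legitimate form/notification service being abused rather than impersonated. The Python script below is an added example, not part of this thread and not Jotform's code, that automates that reading of a header block: it walks the Received chain oldest-first, parses Authentication-Results (RFC 8601 syntax), compares the Reply-To domain with the authenticated From and Return-Path domains, and cross-checks X-Originating-Ip against the chain. The embedded RAW_HEADERS is a constructed excerpt of the headers posted above, with some internal hops and the recipient address dropped; the finding wording is the author's, not output of any Jotform tool.

```python
"""Header triage for a suspicious e-mail (added example, not from the thread).

Walks the Received chain oldest-first, parses Authentication-Results
(RFC 8601), and flags a Reply-To that does not match the authenticated
From / Return-Path domain.  RAW_HEADERS is a constructed excerpt of the
headers posted in the question, with some internal hops omitted.
"""
import re
from email.parser import HeaderParser

RAW_HEADERS = """\
Reply-To: "ice@magicicescraper.com" <ice@magicicescraper.com>
Received: from ADCM5130.AdcbMis.local (10.100.132.114) by ADCM6037.AdcbMis.local (10.146.130.98) with Microsoft SMTP Server (TLS) id 14.3.439.0; Tue, 9 Jun 2020 09:21:10 +0400
Received: from newmail.adcb.com (unknown [10.100.132.90]) by ADCA5106.adcbmis.local (Postfix) with ESMTP id 49gz303zNqz2JMkM; Tue,  9 Jun 2020 09:20:12 +0400 (+04)
Received: from mail6.bemta26.messagelabs.com ( [85.158.142.153]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by newmail.adcb.com (Symantec Messaging Gateway) with SMTP id 55.B9.02013.60C1FDE5; Tue,  9 Jun 2020 09:20:07 +0400 (+04)
Received: (qmail 31020 invoked from network); 9 Jun 2020 05:20:09 -0000
Received: from hm-mta5.jotform.com (HELO hm-mta5.jotform.com) (78.157.218.87) by server-2.tower-246.messagelabs.com with ECDHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 9 Jun 2020 05:20:09 -0000
Received: from go-workers-dtcb (unknown [78.157.218.82]) by hm-mta5.jotform.com (Postfix) with ESMTP id 91D2BEA0905; Tue,  9 Jun 2020 01:20:08 -0400 (EDT)
Return-Path: returns@jotform.com
X-Originating-Ip: [78.157.218.87]
Authentication-Results: mx.messagelabs.com; spf=pass (server-2.tower-246.messagelabs.com: domain of jotform.com designates 78.157.218.87 as permitted sender) smtp.mailfrom=jotform.com; dkim=pass (good signature) header.i=@jotform.com header.s=mail; dmarc=pass (p=quarantine adkim=r aspf=r) header.from=jotform.com
"""

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def domain_of(addr):
    """Domain part of an address header value, lower-cased (None if absent)."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else None


def received_hops(msg):
    """Hops oldest-first as (from_host, from_ip, by_host).

    Each MTA prepends its own Received line, so the LAST one in the block
    is the first hop, i.e. the host that injected the message.
    """
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())
        m = re.match(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", value)
        if not m:
            continue  # e.g. "(qmail ... invoked from network)" has no from/by
        from_host, between, by_host = m.groups()
        ip = IPV4.search(between)
        hops.append((from_host, ip.group(1) if ip else None, by_host))
    hops.reverse()
    return hops


def auth_results(msg):
    """Authentication-Results -> {method: (result, {property: value})}."""
    value = msg.get("Authentication-Results", "")
    value = re.sub(r"\([^)]*\)", "", value)  # drop CFWS comments
    clauses = value.split(";")[1:]           # clause [0] is the authserv-id
    out = {}
    for clause in clauses:
        parts = clause.split()
        if not parts or "=" not in parts[0]:
            continue
        method, result = parts[0].split("=", 1)
        out[method] = (result, dict(p.split("=", 1) for p in parts[1:] if "=" in p))
    return out


def triage(raw_headers):
    """Return hops, parsed auth results, the three sender domains and findings."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = received_hops(msg)
    auth = auth_results(msg)
    # header.from from the DMARC clause is the aligned From domain; fall back to From:
    from_domain = auth.get("dmarc", ("", {}))[1].get("header.from") or domain_of(msg.get("From"))
    return_path = domain_of(msg.get("Return-Path"))
    reply_to = domain_of(msg.get("Reply-To"))
    findings = []

    if all(auth.get(m, ("none", {}))[0] == "pass" for m in ("spf", "dkim", "dmarc")):
        findings.append(f"spf/dkim/dmarc all pass: really sent through {from_domain} "
                        "infrastructure, so look for service abuse, not a forged sender")
    if reply_to and reply_to not in (from_domain, return_path):
        findings.append(f"Reply-To domain {reply_to} differs from From/Return-Path "
                        f"({from_domain}/{return_path}): replies are diverted to a third party")
    if hops:
        findings.append("injected at %s [%s] -> %s" % hops[0])
    orig_ip = IPV4.search(msg.get("X-Originating-Ip") or "")
    if orig_ip and orig_ip.group(1) not in {h[1] for h in hops}:
        findings.append(f"X-Originating-Ip {orig_ip.group(1)} is absent from the Received chain")

    return {"hops": hops, "auth": auth, "from_domain": from_domain,
            "return_path_domain": return_path, "reply_to_domain": reply_to,
            "findings": findings}


if __name__ == "__main__":
    report = triage(RAW_HEADERS)
    for hop in report["hops"]:
        print("hop: %s [%s] -> %s" % hop)
    for finding in report["findings"]:
        print("finding:", finding)
```

Run it on a full header block pasted from the mail client (the X-Spamreason, X-Brightmail-Tracker and other vendor headers are ignored). The Received walk trusts the hops only from the point where your own gateway received the message; hops below that are written by third parties and can be forged, which is why the script leans on the gateway's own Authentication-Results rather than on the Return-Path alone.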
  • Kevin_G
    Answered on June 09, 2020 at 07:34 PM

    I found the account where the form was built. I will be checking this further with our anti-phishing team; we will keep you updated via this ticket.

    Thanks.