Here's what this email looks like on yahoo webmail: http://i63.tinypic.com/2qmd9uo.jpg It has no attachment so what is it talking about? Here's the raw email (I have replaced the @ with # to protect email addresses from forum scrapers): Code: X-Apparently-To: myemail#yahoo.co.uk; Thu, 25 May 2017 02:03:04 +0000 Return-Path: <Rachael.Katz#interpublic.com> Received-SPF: none (domain of interpublic.com does not designate permitted sender hosts) X-YMailISG: e_YUSg8WLDuLidZcukIuKfH2O712SXVlMck9SE2gC7uuw4nG onlqW8OVPTklZ69Wbo2gFL57PgtSOlEs1cLBZK3wf4VzH7kbTDxvYMmrCIpD Eb_Esx.uPIhh5WQP1.85qOQCfIO7R2pxlcNOeELRX7w99XTe5LHBzIop2C_M 67woeMH3Cwpe2E749zuNfRdW6gbdyTdJNVGyDZvU3m66f4tFO1u.JFtBMI6H PRY9XOYWVXDZ6KolIvPq6MfNES9GR9X9bMS3bOizbyApk07u23n19tj18FnA EAsWI1I6gL1a1aFYx6.AvSAwosk3MAMWUjskFXlXPP_U01qRwosA1xqyDDFe KKpn9KP8kPFSzeSPftRwdkvv9o6XA3uYpZOqCELbn.Y8qLSj2blI0F3OqWqy bsgqzFOEzy3KeCtPtwpC7drSKmkG_7A66W5vDWIRbU5Z.qtGnxzwM613wNWa jgxs.2rwzDUWGM5jUtvgm6EV5kXO_KjDkH3GFAyLWNau17nzrqlqK8FtbAXv vb7alL84mNLfTTv6PTAHE7xTQouM8uGrc_ASDa0WLtsUcCOgb0e0fdAy7Fy5 yEg336q8_tBhGzEKW8vVIVPh2dL3kmdt5CkxULppQ58VMZUGP_JaxzJ8HIun NIoyh_bvKh9L.em46cmhcBF2J8UmcoyMjGLRnqxzl3AlUtbW8ewtYbkWaGdY 1hUH19tUn82CQHdOAWRfaAuJOIOj5FvE0wRyApHKrmdEvfs56nMsNgMA9eRp U4Ax3bBG7iV.wsnQQQNRP1Mu213UE4C9mSnHygEUDUJufxTzrHgscaQgCPcd DADneLG.BjHiS4Vhp.v91BICuvKVx1_59PKxslkSv9OFMOJUvBB5r57oQc2t 0.e1xzSqjVBiytPYCNnvyZiRMf4gEk4BZJcKY_EkFR6lGd2lVBfQinqbOgxp ixes9Ai2OQi7JoMNXOZtjfliGXj8gg9nTP.v5up96yLe05wkcmIBwen5SAfF CplrnaAL2PLFDeC2IltwlFBiLfkZYMqq5_AD_6VDCqos6F2hjkbth7PMkX8w bytvU1o.1i0s6ZVlbqK94uISuKT2ig4T9Buk23ceQnMhcnyVMUdt1mknDqsI gXV4SZmV_MKoWS2vGkgUbqQaZxS0brCTWy8MLvfGvGqsPfjPNzXVkmZFtmxF se_VnW65fNF.rBb_iMBWm9fK9PwBzPgltBqnhcRTBYuKTOZxa2Pa4_M7RaOh Uam9vU.OAvDrSA9f07SuUOa8dQ1qqUyUwEEQvKXgQylC8kKvYui3B7BIaE.3 N9dbBhEffUjrd92Lu6bE5JQHKbdhoCyULga501zcPpwR6RSBHZ7KYcdgzm5l GzN2_vOQwW7kCb6AZen270oAwg6U03ZHKLw1m0.95tHV8L6EcxtamrNLfRCf yU2khRsadRKW3TKUZCIKjy85UJcj6QLSJpsgAif9qRl7Kd.8kl5LvhLY_tkp WWX7SsjV3ORBl4.qJAyO7qUjcFRMpccBBCGu3yMK6zXSCzFSGzhE5xX0.cWA BDUrK8ObeXaq X-Originating-IP: [40.92.64.70] Authentication-Results: mta1001.mail.ir2.yahoo.com from=interpublic.com; domainkeys=neutral (no sig); from=interpublic.com; dkim=neutral (no sig) Received: from 127.0.0.1 (EHLO EUR01-DB5-obe.outbound.protection.outlook.com) (40.92.64.70) by mta1001.mail.ir2.yahoo.com with SMTPS; Thu, 25 May 2017 02:03:04 +0000 Received: from HE1EUR01FT003.eop-EUR01.prod.protection.outlook.com (10.152.0.58) by HE1EUR01HT100.eop-EUR01.prod.protection.outlook.com (10.152.1.101) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1075.5; Thu, 25 May 2017 02:03:02 +0000 Received: from HE1P192MB0138.EURP192.PROD.OUTLOOK.COM (10.152.0.52) by HE1EUR01FT003.mail.protection.outlook.com (10.152.0.89) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1075.5 via Frontend Transport; Thu, 25 May 2017 02:03:03 +0000 Received: from HE1P192MB0138.EURP192.PROD.OUTLOOK.COM ([::1]) by HE1P192MB0138.EURP192.PROD.OUTLOOK.COM ([fe80::f138:9aa1:5517:ef20%15]) with Microsoft SMTP Server id 15.01.1101.019; Thu, 25 May 2017 02:03:03 +0000 From: "Katz, Rachael (NYC-IPG)" <Rachael.Katz#interpublic.com> To: "info#web.rs" <info#web.rs> Subject: HELLO Thread-Topic: HELLO Thread-Index: AdLU9gjazC2dGg7kRS2GVRvFn61xaQAAJiZA Date: Thu, 25 May 2017 01:33:09 +0000 Message-ID: <ea0dbda3c5424d179e4a5f57810c14c5#OMAEDCEBC203.na.corp.ipgnetwork.com> Reply-To: "Sgtmonica.brown11#outlook.com" <Sgtmonica.brown11#outlook.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-Exchange-Inbox-Rules-Loop: marktwain_#hotmail.com X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is 68.232.135.202) smtp.mailfrom=interpublic.com; hotmail.com; dkim=none (message not signed) header.d=none;hotmail.com; dmarc=fail action=none header.from=interpublic.com; received-spf: None (protection.outlook.com: interpublic.com does not designate permitted sender hosts) x-incomingtopheadermarker: OriginalChecksum:4C83DC54E5ECA44CA45F1FE0CB6A4CA128DBF7D94BDEF069C2827B351DDFD00E;UpperCasedChecksum:1157C59B5860D7E5B5F4C44121423864E8F07BC805F0A40FDED65D2B87B0DED0;SizeAsReceived:1733;Count:25 x-sbrs: 2.5 x-ipg-allowspoof: false x-ironport-av: E=Sophos;i="5.38,389,1491282000"; d="scan'208,217";a="208460885" x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [144.210.249.54] x-originalarrivaltime: 25 May 2017 02:03:00.0024 (UTC) FILETIME=[09030B80:01D2D4FB] x-incomingheadercount: 68 x-eopattributedmessage: 1 x-eoptenantattributedmessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0 cmm-sender-ip: 68.232.135.202 cmm-sending-ip: 68.232.135.202 cmm-authentication-results: hotmail.com; spf=none (sender IP is 68.232.135.202; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=prvs=311d7bf24=Rachael.Katz#interpublic.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=interpublic.com; x-hmca=none header.id=Rachael.Katz#interpublic.com cmm-x-sid-pra: Rachael.Katz#interpublic.com cmm-x-auth-result: NONE cmm-x-sid-result: NONE cmm-x-message-status: n:n cmm-x-message-delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MTtHRD0xO1NDTD0w cmm-x-message-info: v4CmPlHoHarpMc+ND8V9Exwj4g6Xomob6GUukvE91nCqI79hDdav5Q8hZUMlki84ZpTyf3uMQcX/VDpm3Ti7VS9A7bbwbeQfbZ3vJVMXK+sUG3TddG82uXE6EYu2t1G6ui/MZ4KlOqFVlsgWvKY9JCvyhF+Ue+CPY2S4XUGnl4Wsl59gF5OnN50sfzxriwAtsi8lgnurGkhiw6EUW4BQ84ndHn5ABl4ly+h4wY/JbPYunos4xjTdP5a6YGV0Cyp6 x-microsoft-exchange-diagnostics: 1;HE1EUR01HT100;7:FIFRpHwENIfPRdKiNdrSEU6faH5chjHQwH5Q52AmDHYRuNtMSAg6xvltZtbSgolPDJs9MvBgw6mNQF/8l1yDngQ6l7jkBFM06BFOVJyH77zj6pJm2HpqVTfGyjaqpi9jeqri0AaZ2tJXz7iRS6NjHq4/TaDDzCapqyqoJs+NEeMlCTNUAXOZek6ljvd/ZcE3mWkjzggZo4ny7HHbDwFUvuv2bqhNSpFSFsNGji9sGqlPofi97fdIuXYbRQsK/2v78V0ZdhNZnNwfG5/6G5KuBSQ0wfX46l+YVOoylGQXnEQaZy2/eHb/ziP5ZVBCMaST x-forefront-antispam-report: EFV:NLI;SFV:NSPM;SFS:(7070007)(98901004);DIR:OUT;SFP:1901;SCL:1;SRVR:HE1EUR01HT100;H:HE1P192MB0138.EURP192.PROD.OUTLOOK.COM;FPR:;SPF:None;LANG:en; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 53aebb44-7698-4019-5179-08d4a3122d55 x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(2017031320274)(201702221075);SRVR:HE1EUR01HT100; x-exchange-antispam-report-test: UriScan:(21748063052155); x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(444111536)(595095)(82015058);SRVR:HE1EUR01HT212;BCL:0;PCL:0;RULEID:;SRVR:HE1EUR01HT212;BCL:0;PCL:0;RULEID:(444000031);SRVR:HE1EUR01HT100;BCL:0;PCL:0;RULEID:;SRVR:HE1EUR01HT100; spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM x-ms-exchange-crosstenant-originalarrivaltime: 25 May 2017 02:03:01.4143 (UTC) x-ms-exchange-crosstenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa x-ms-exchange-crosstenant-fromentityheader: Internet x-ms-exchange-transport-crosstenantheadersstamped: HE1EUR01HT212 x-ms-exchange-transport-endtoendlatency: 00:00:01.5102722 Resent-From: <marktwain_#hotmail.com> x-microsoft-exchange-diagnostics-untrusted: 1;HE1EUR01HT212;7:jEgJSv1XTO9ZhXp0UFdjNnpi6q5zDcNwsI2sbaXugGi9nmezy9aIqOQJTuGAIpgCy7pqpOQ1g8seoiQZasjKpzkmHrS327Bfli13WaUPAmAmwKjs6+LwWzvQPQs2hIRB7zL1Jh/fHDjjZhAlsWGWip/3gWP37S07qKz691Qxau2WJpQClhPu7iBS9GoNWu4T+npbK9Q9LB23LNcTwxTUrdLjKhk6TuI6aiXCgNe7AeXRw80aaE7LKz7D3PdjxkqOg+ESz7a9VVGwOYzifED42MRgt9DtL4g2dHrYPteMLc0jsxok7GJTDAioKavukK9n28jJAKO/8+OJBWEt/TYTTA== x-forefront-antispam-report-untrusted: EFV:NLI;SFV:NSPM;SFS:(98901004);DIR:INB;SFP:;SCL:1;SRVR:HE1EUR01HT212;H:BAY004-MC2F46.hotmail.com;FPR:;SPF:None;LANG:en; x-microsoft-antispam-untrusted: BCL:0;PCL:0;RULEID:(22001)(8291500097)(8291501071);SRVR:HE1EUR01HT212; x-ms-exchange-transport-crosstenantheadersstripped: HE1EUR01FT003.eop-EUR01.prod.protection.outlook.com x-forefront-prvs: 0318501FAE Content-Type: multipart/alternative; boundary="_000_ea0dbda3c5424d179e4a5f57810c14c5OMAEDCEBC203nacorpipgne_" MIME-Version: 1.0 X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-originalarrivaltime: 25 May 2017 02:03:02.9535 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Internet X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1EUR01HT100 Content-Length: 3224 --_000_ea0dbda3c5424d179e4a5f57810c14c5OMAEDCEBC203nacorpipgne_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I am Sgt Monica Brown I need your urgent response to my previous email This message contains information which may be confidential and privileged.= Unless you are the intended recipient (or authorized to receive this messa= ge for the intended recipient), you may not use, copy, disseminate or discl= ose to anyone the message or any information contained in the message. If = you have received the message in error, please advise the sender by reply e= -mail, and delete the message. Thank you very much. --_000_ea0dbda3c5424d179e4a5f57810c14c5OMAEDCEBC203nacorpipgne_ Content-Type: text/html; charset="us-ascii" Content-ID: <6B132EEFAC6DEC408383B9FE19AECD64#EURP192.PROD.OUTLOOK.COM> Content-Transfer-Encoding: quoted-printable <html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr= osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:= //www.w3.org/TR/REC-html40"> <head> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"= > <meta name=3D"Generator" content=3D"Microsoft Word 15 (filtered medium)"> <style><!-- /* Font Definitions */ #font-face {font-family:"Cambria Math"; panose-1:0 0 0 0 0 0 0 0 0 0;} #font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0cm; margin-bottom:.0001pt; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-fareast-language:EN-US;} a:link, span.MsoHyperlink {mso-style-priority:99; color:#0563C1; text-decoration:underline;} a:visited, span.MsoHyperlinkFollowed {mso-style-priority:99; color:#954F72; text-decoration:underline;} span.EmailStyle17 {mso-style-type:personal-compose; font-family:"Calibri","sans-serif"; color:windowtext;} .MsoChpDefault {mso-style-type:export-only; font-size:10.0pt; font-family:"Calibri","sans-serif"; mso-fareast-language:EN-US;} #page WordSection1 {size:612.0pt 792.0pt; margin:72.0pt 72.0pt 72.0pt 72.0pt;} div.WordSection1 {page:WordSection1;} --></style><!--[if gte mso 9]><xml> <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" /> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext=3D"edit"> <o:idmap v:ext=3D"edit" data=3D"1" /> </o:shapelayout></xml><![endif]--> </head> <body lang=3D"EN-IN" link=3D"#0563C1" vlink=3D"#954F72"> <div class=3D"WordSection1"> <p class=3D"MsoNormal">I am Sgt Monica Brown I need your urgent response to= my previous email<o:p></o:p></p> </div> <p>This message contains information which may be confidential and privileg= ed. Unless you are the intended recipient (or authorized to receive this me= ssage for the intended recipient), you may not use, copy, disseminate or di= sclose to anyone the message or any information contained in the message. If you have received the m= essage in error, please advise the sender by reply e-mail, and delete the m= essage. Thank you very much.</p> </body> </html> --_000_ea0dbda3c5424d179e4a5f57810c14c5OMAEDCEBC203nacorpipgne_--
Try to send this to someone who uses an e-mail client and uses a security solution that scans incoming e-mail. Easiest way to tell if it is malicious. Looks to me that it is a phishing attempt to get your e-mail address.
Interpublic? https://www.facebook.com/rachael.katz.75/about?lst=100000528252340:1614140175:1495734518
For starters, law enforcement doesn't send e-mails. If they want to contact you, they show up at your front door. If they call you on the phone, it would be the local police dept. and those calls alone are suspect if you can't verify the phone number and caller. Suspect this e-mail was an attempt for the e-mail sender to start an e-mail dialog with you to try to access confidential info. For example a rouge e-mail I have been receiving lately is "Arrest Warrant ######## Has Been Issued." Give me a break ..................
I just got one yesterday to verify my bank account. I clicked on their link and it really does look like the official site. I forwarded the e-mail to my banks fishing dept and called to ask them about it also. Another reason I knew it was a social engineering mail was because when I go to my bank site, I have it set to remember my login info and the site I was sent to didn't. The site I posted above has the persons name and she works for Interpublic. It is at the top of the e-mail.
Use can use this web site: https://haveibeenpwned.com/ to check if your e-mail address has been compromised. I assume it has been since you are using Yahoo e-mal.
Ummm. "Is this reallytruly your e-address?" Just a wild assumption with no basis in fact. Would I reply to it? Should I? Let's be real, just because she uses two entirely different names... Nah, it's sisters, one is married!
There are numerous articles about the X-YMailISG: header on the web. Here is one: https://groups.google.com/forum/#!topic/news.admin.net-abuse.email/woKBqxUXCbQ Malware within an e-mail will be in most case be contained within an attachment with a link or something similar within the body of the e-mail used as the source to execute the malware within the attachment. As added protection for the malware, the attachment will be zipped, etc. and even further packed and obfuscated with the compressed attachment. As this is done to hide the malware from the e-mail providers whom by the way, do scan e-mail for malware. An additional tactic employed by malware is to place links in e-mail to malicious web sites and try to entice you to click on those.
Can't there be exploits like buffer overruns that make it possible to execute an encoded binary when you click on a link offline or even when you view the html email?
If you're concerned about e-mail security, my advice is to use an e-mail client like Outlook or Thunderbird for e-mail processing. These will allow you to disable all active content, prevent auto display of e-mail attachments, and to view all e-mail in text mode only like I do. Of course if someone sends you a .docx or .pdf attachment, those will be opened in Word or Adobe Reader. So those apps need to have proper security settings enabled.
Funny I started to use webmail for more security compared to thunderbird. To assess mails in a separate hardened nonpersistent VM before allowing them to be stored in the thunderbird VM.
