CEO Fraud with *.dee domain spoof

Hi,

no, this is not a typo.

We just received multiple CEO Fraud attempts with our main xyz.de domain spoofed as xyz.dee!

Xyz.dee ist not even a real tld: https://data.iana.org/TLD/tlds-alpha-by-domain.txt

How (tf) can this mail pass the UTM mail protection? The .dee is in the envelope-from!

I shorted the mailheaders from the infos about our internal mailsystems and replaced domains and mailaddresses.

Received: from gateway10.unifiedlayer.com ([74.220.218.103]:57082)
	by mail.xyz.de with esmtps  (TLS1.2) tls TLS_ECDH_anon_WITH_AES_256_CBC_SHA
	(Exim 4.94.2)
	(envelope-from <ceo.name@xyz.dee>)
	id 1nhXca-000236-3A
	for employee.name@xyz.de; Thu, 21 Apr 2022 16:17:26 +0200
Received: from cm1.websitewelcome.com (unknown [192.185.0.102])
	by gateway10.unifiedlayer.com (Postfix) with ESMTP id B38AB2009A907
	for <employee.name@xyz.de>; Thu, 21 Apr 2022 09:17:19 -0500 (CDT)
Received: from shared99.accountservergroup.com ([162.215.249.40])
	by cmsmtp with ESMTP
	id hXcVnJVd2KPTUhXcVnFkBS; Thu, 21 Apr 2022 09:17:19 -0500
X-SASI-Hits: BODYTEXTP_SIZE_3000_LESS 0.000000,
	BODYTEXTP_SIZE_400_LESS 0.000000, BODY_SIZE_1000_LESS 0.000000,
	BODY_SIZE_2000_LESS 0.000000, BODY_SIZE_200_299 0.000000,
	BODY_SIZE_5000_LESS 0.000000, BODY_SIZE_7000_LESS 0.000000,
	DATE_TZ_NA 0.000000, FRAUD_LITTLE_BODY 2.000000,
	FRAUD_WEBMAIL_R_NOT_F 0.100000, FROM_NAME_PHRASE 0.000000,
	HTML_00_01 0.050000, HTML_00_10 0.050000, KNOWN_MTA_TFX 0.000000,
	NO_CTA_URI_FOUND 0.000000, NO_URI_FOUND 0.000000, NO_URI_HTTPS 0.000000,
	REPLYTO_FROM_DIFF_ADDY 0.100000, SENDER_NO_AUTH 0.000000,
	SMALL_BODY 0.000000, SXL_IP_TFX_WM 0.000000,
	TO_DOMAIN_IN_FROM_NOT_SAME 0.000000, WEBMAIL_REPLYTO_NOT_FROM 0.500000,
	WEBMAIL_SOURCE 0.000000, WEBMAIL_XMAILER 0.000000, __BODY_NO_MAILTO 0.000000,
	__CT 0.000000, __CTE 0.000000, __CT_TEXT_PLAIN 0.000000,
	__FRAUD_ANTIABUSE 0.000000, __FRAUD_WEBMAIL 0.000000,
	__FRAUD_WEBMAIL_REPLYTO 0.000000, __FROM_DOMAIN_NOT_IN_BODY 0.000000,
	__FUR_HEADER 0.000000, __HAS_FROM 0.000000, __HAS_MSGID 0.000000,
	__HAS_REPLYTO 0.000000, __HAS_X_MAILER 0.000000, __HAS_X_PRIORITY 0.000000,
	__HEADER_ORDER_FROM 0.000000, __MIME_TEXT_ONLY 0.000000,
	__MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000, __MIME_VERSION 0.000000,
	__MSGID_32HEX 0.000000, __NO_HTML_TAG_RAW 0.000000,
	__PHISH_SPEAR_STRUCTURE_1 0.000000, __PHISH_SPEAR_STRUCTURE_2 0.000000,
	__RCPT_HOST_IN_FROM 0.000000, __REPLYTO_GMAIL 0.000000,
	__REPLYTO_SAMEAS_FROM_NAME 0.000000, __SANE_MSGID 0.000000,
	__TO_HOST_IN_FROM 0.000000, __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000,
	__URI_NO_MAILTO 0.000000
X-SASI-Probability: 24%
X-SASI-RCODE: 200
X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2022.4.21.134824
X-Authority-Reason: s=1
Received: from [66.113.226.191] (port=38411 helo=cmdesignsolutions.ca)
	by shared99.accountservergroup.com with esmtpa (Exim 4.93)
	(envelope-from <ceo.name@xyz.dee>)
	id 1nhXcV-003R7g-3t
	for employee.name@xyz.de; Thu, 21 Apr 2022 09:17:19 -0500
Date: Thu, 21 Apr 2022 10:17:18 -0400
To: <employee.name@xyz.de>
From: "CEO Name" <ceo.name@xyz.dee>
Reply-To: CEO Name <fritzzzlias@gmail.com>
Subject: Dringende Anfrage_
Message-ID: <f577c12190b954963c1529c7a3832e16@cmdesignsolutions.ca>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - shared99.accountservergroup.com
X-AntiAbuse: Original Domain - xyz.de
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - xyz.dee
X-BWhitelist: no
X-Source-IP: 66.113.226.191
X-Source-L: No
X-Exim-ID: 1nhXcV-003R7g-3t
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (cmdesignsolutions.ca) [66.113.226.191]:38411
X-Source-Auth: sharon@quicksilverair.com
X-Email-Count: 73
X-Source-Cap: cm9nZXJtYXJ0eTtyb2dlcm1hcnR5O3NoYXJlZDk5LmFjY291bnRzZXJ2ZXJncm91cC5jb20=
X-Local-Domain: no
Return-Path: ceo.name@xyz.dee
X-MS-Exchange-Organization-Network-Message-Id: be6d5be2-1e77-44cb-f5d0-08da23a1aa86
X-MS-Exchange-Organization-AuthSource: Exchangeserverhostname
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.3438702
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2308.020