Hi,
no, this is not a typo.
We just received multiple CEO Fraud attempts with our main xyz.de domain spoofed as xyz.dee!
Xyz.dee is not even a real TLD: https://data.iana.org/TLD/tlds-alpha-by-domain.txt
How (tf) can this mail pass the UTM mail protection? The .dee is in the envelope-from!
I shortened the mail headers by removing the info about our internal mail systems, and replaced domains and mail addresses.
Received: from gateway10.unifiedlayer.com ([74.220.218.103]:57082) by mail.xyz.de with esmtps (TLS1.2) tls TLS_ECDH_anon_WITH_AES_256_CBC_SHA (Exim 4.94.2) (envelope-from <ceo.name@xyz.dee>) id 1nhXca-000236-3A for employee.name@xyz.de; Thu, 21 Apr 2022 16:17:26 +0200
Received: from cm1.websitewelcome.com (unknown [192.185.0.102]) by gateway10.unifiedlayer.com (Postfix) with ESMTP id B38AB2009A907 for <employee.name@xyz.de>; Thu, 21 Apr 2022 09:17:19 -0500 (CDT)
Received: from shared99.accountservergroup.com ([162.215.249.40]) by cmsmtp with ESMTP id hXcVnJVd2KPTUhXcVnFkBS; Thu, 21 Apr 2022 09:17:19 -0500
X-SASI-Hits: BODYTEXTP_SIZE_3000_LESS 0.000000, BODYTEXTP_SIZE_400_LESS 0.000000, BODY_SIZE_1000_LESS 0.000000, BODY_SIZE_2000_LESS 0.000000, BODY_SIZE_200_299 0.000000, BODY_SIZE_5000_LESS 0.000000, BODY_SIZE_7000_LESS 0.000000, DATE_TZ_NA 0.000000, FRAUD_LITTLE_BODY 2.000000, FRAUD_WEBMAIL_R_NOT_F 0.100000, FROM_NAME_PHRASE 0.000000, HTML_00_01 0.050000, HTML_00_10 0.050000, KNOWN_MTA_TFX 0.000000, NO_CTA_URI_FOUND 0.000000, NO_URI_FOUND 0.000000, NO_URI_HTTPS 0.000000, REPLYTO_FROM_DIFF_ADDY 0.100000, SENDER_NO_AUTH 0.000000, SMALL_BODY 0.000000, SXL_IP_TFX_WM 0.000000, TO_DOMAIN_IN_FROM_NOT_SAME 0.000000, WEBMAIL_REPLYTO_NOT_FROM 0.500000, WEBMAIL_SOURCE 0.000000, WEBMAIL_XMAILER 0.000000, __BODY_NO_MAILTO 0.000000, __CT 0.000000, __CTE 0.000000, __CT_TEXT_PLAIN 0.000000, __FRAUD_ANTIABUSE 0.000000, __FRAUD_WEBMAIL 0.000000, __FRAUD_WEBMAIL_REPLYTO 0.000000, __FROM_DOMAIN_NOT_IN_BODY 0.000000, __FUR_HEADER 0.000000, __HAS_FROM 0.000000, __HAS_MSGID 0.000000, __HAS_REPLYTO 0.000000, __HAS_X_MAILER 0.000000, __HAS_X_PRIORITY 0.000000, __HEADER_ORDER_FROM 0.000000, __MIME_TEXT_ONLY 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000, __MIME_VERSION 0.000000, __MSGID_32HEX 0.000000, __NO_HTML_TAG_RAW 0.000000, __PHISH_SPEAR_STRUCTURE_1 0.000000, __PHISH_SPEAR_STRUCTURE_2 0.000000, __RCPT_HOST_IN_FROM 0.000000, __REPLYTO_GMAIL 0.000000, __REPLYTO_SAMEAS_FROM_NAME 0.000000, __SANE_MSGID 0.000000, __TO_HOST_IN_FROM 0.000000, __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000, __URI_NO_MAILTO 0.000000
X-SASI-Probability: 24%
X-SASI-RCODE: 200
X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2022.4.21.134824
X-Authority-Reason: s=1
Received: from [66.113.226.191] (port=38411 helo=cmdesignsolutions.ca) by shared99.accountservergroup.com with esmtpa (Exim 4.93) (envelope-from <ceo.name@xyz.dee>) id 1nhXcV-003R7g-3t for employee.name@xyz.de; Thu, 21 Apr 2022 09:17:19 -0500
Date: Thu, 21 Apr 2022 10:17:18 -0400
To: <employee.name@xyz.de>
From: "CEO Name" <ceo.name@xyz.dee>
Reply-To: CEO Name <fritzzzlias@gmail.com>
Subject: Dringende Anfrage_
Message-ID: <f577c12190b954963c1529c7a3832e16@cmdesignsolutions.ca>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - shared99.accountservergroup.com
X-AntiAbuse: Original Domain - xyz.de
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - xyz.dee
X-BWhitelist: no
X-Source-IP: 66.113.226.191
X-Source-L: No
X-Exim-ID: 1nhXcV-003R7g-3t
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (cmdesignsolutions.ca) [66.113.226.191]:38411
X-Source-Auth: sharon@quicksilverair.com
X-Email-Count: 73
X-Source-Cap: cm9nZXJtYXJ0eTtyb2dlcm1hcnR5O3NoYXJlZDk5LmFjY291bnRzZXJ2ZXJncm91cC5jb20=
X-Local-Domain: no
Return-Path: ceo.name@xyz.dee
X-MS-Exchange-Organization-Network-Message-Id: be6d5be2-1e77-44cb-f5d0-08da23a1aa86
X-MS-Exchange-Organization-AuthSource: Exchangeserverhostname
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.3438702
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2308.020
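The headers above show where a gateway could have caught this: the envelope-from and From domain end in a TLD that does not exist in the IANA list, the domain is one character away from the protected xyz.de, and Reply-To points somewhere else entirely (the X-SASI-Hits list scores the Reply-To mismatch at 0.1 and 0.5 but has no rule for the TLD). The following is an added example of such a check, not code from the original post or from the UTM product. It assumes the protected domain xyz.de from the post, a constructed subset of the IANA TLD list (VALID_TLDS), and constructed sample headers modelled on the redacted ones above; the hypothetical helpers analyse() and should_quarantine() are mine.

```python
"""Flag sender domains with a non-existent TLD or a lookalike of a protected domain.
Added example, not from the original post or the UTM product. VALID_TLDS is a
constructed subset of https://data.iana.org/TLD/tlds-alpha-by-domain.txt and the
sample headers are constructed; only the protected domain xyz.de comes from the post."""
import email
import re
from email import policy

# Constructed subset of the IANA list; in production load the full file and refresh it.
VALID_TLDS = {"COM", "DE", "NET", "ORG", "CA", "UK"}

# Domains we do not want impersonated (from the post).
PROTECTED_DOMAINS = {"xyz.de"}

# Constructed sample modelled on the fraud mail in the post (addresses redacted).
FRAUD_HEADERS = """\
Received: from gateway.example.net ([192.0.2.10]:57082) by mail.xyz.de with esmtps (TLS1.2) (Exim 4.94.2) (envelope-from <ceo.name@xyz.dee>) id 1aaaaa-000001-AA for employee.name@xyz.de; Thu, 21 Apr 2022 16:17:26 +0200
Date: Thu, 21 Apr 2022 10:17:18 -0400
To: <employee.name@xyz.de>
From: "CEO Name" <ceo.name@xyz.dee>
Reply-To: CEO Name <ceo.private@webmail.example.com>
Subject: Dringende Anfrage_
Return-Path: ceo.name@xyz.dee

"""

# Constructed legitimate mail from the real domain for comparison.
CLEAN_HEADERS = """\
Received: from mta.xyz.de ([192.0.2.20]) by mail.xyz.de with esmtps (TLS1.2) (Exim 4.94.2) (envelope-from <ceo.name@xyz.de>) id 1aaaaa-000002-AB for employee.name@xyz.de; Thu, 21 Apr 2022 16:20:00 +0200
To: <employee.name@xyz.de>
From: "CEO Name" <ceo.name@xyz.de>
Subject: Meeting
Return-Path: ceo.name@xyz.de

"""


def extract_domain(address: str) -> str:
    """Lower-cased domain part of 'Name <user@domain>' or 'user@domain'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address or "")
    return match.group(1).lower().rstrip(".") if match else ""


def envelope_from(received_values) -> str:
    """Envelope sender as recorded by an Exim-style Received header, if any."""
    for value in received_values:
        match = re.search(r"envelope-from <([^>]+)>", str(value))
        if match:
            return match.group(1)
    return ""


def tld_exists(domain: str) -> bool:
    """True if the rightmost label is a delegated TLD according to our list."""
    return domain.rsplit(".", 1)[-1].upper() in VALID_TLDS


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single insertion turns xyz.de into xyz.dee."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 1):
    """Protected domain that `domain` imitates (close but not equal), else None."""
    for candidate in sorted(protected):
        if domain != candidate and levenshtein(domain, candidate) <= max_distance:
            return candidate
    return None


def analyse(raw_message: str, protected=PROTECTED_DOMAINS) -> dict:
    """Collect findings from the envelope sender, From and Reply-To headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    env_addr = envelope_from(msg.get_all("Received", [])) or str(msg.get("Return-Path", ""))
    env_dom = extract_domain(env_addr)
    from_dom = extract_domain(str(msg.get("From", "")))
    reply_dom = extract_domain(str(msg.get("Reply-To", "")))
    findings = []
    for label, dom in (("envelope-from", env_dom), ("From", from_dom)):
        if dom and not tld_exists(dom):
            findings.append(f"{label} domain {dom}: TLD is not in the IANA list")
        hit = lookalike_of(dom, protected) if dom else None
        if hit:
            findings.append(f"{label} domain {dom}: lookalike of protected {hit}")
    if reply_dom and from_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return {"envelope_from_domain": env_dom, "from_domain": from_dom,
            "reply_to_domain": reply_dom, "findings": findings}


def should_quarantine(result: dict) -> bool:
    """Quarantine on any TLD or lookalike finding; a Reply-To mismatch alone only scores."""
    return any("TLD" in f or "lookalike" in f for f in result["findings"])


if __name__ == "__main__":
    for name, raw in (("fraud", FRAUD_HEADERS), ("clean", CLEAN_HEADERS)):
        result = analyse(raw)
        print(name, "quarantine" if should_quarantine(result) else "deliver")
        for finding in result["findings"]:
            print("  -", finding)
```

The envelope sender is taken from the first Received line written by your own MTA (mail.xyz.de in the post), which is the only header the sender cannot forge, with Return-Path as a fallback. The edit distance of 1 catches xyz.dee; raise max_distance or add homoglyph folding if your domain is short enough that distance 2 still excludes unrelated domains.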