Major gaming tech manufacturer phishing email.

Associate
Joined
30 Nov 2013
Posts
1,485
Location
UK
Hi All,

I recently received a phishing email:

[image: screenshot of the phishing email]

The sender address is a large tech/gaming manufacturer.

I made the company aware of the situation on Sunday 26th May.

Nothing heard until today, when they sent out a mass email to their customers.

Is 6 days sitting on the information normal in regards to these matters?
 

Ree

Associate
Joined
22 Aug 2016
Posts
2,478
I got an email from MSI about this today. Never received the original email that it's on about though.
 
Soldato
Joined
9 Mar 2012
Posts
10,072
Location
West Sussex, England
Judging by the msg headers I would say this says it's a spoofed sender address and most likely why it was swept into junk automatically...

I've not had an email from msi to warn about it though.

Received-SPF: None (protection.outlook.com: cpanel.isbiroptik.com does not designate permitted sender hosts)
 
Soldato
Joined
9 Mar 2012
Posts
10,072
Location
West Sussex, England
Here's the full headers (with my email obfuscated)...

Code:
Received: from BL2NAM02HT063.eop-nam02.prod.protection.outlook.com
(2603:10a6:803:a0::43) by VE1PR09MB3294.eurprd09.prod.outlook.com with HTTPS
via VI1PR06CA0150.EURPRD06.PROD.OUTLOOK.COM; Sat, 25 May 2019 22:34:35 +0000
Received: from BL2NAM02FT022.eop-nam02.prod.protection.outlook.com
(10.152.76.57) by BL2NAM02HT063.eop-nam02.prod.protection.outlook.com
(10.152.77.73) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1922.16; Sat, 25 May
2019 22:34:34 +0000
Authentication-Results: spf=none (sender IP is 212.175.12.130)
smtp.mailfrom=cpanel.isbiroptik.com; hotmail.com; dkim=none (message not
signed) header.d=none;hotmail.com; dmarc=none action=none
header.from=msi.com;
Received-SPF: None (protection.outlook.com: cpanel.isbiroptik.com does not
designate permitted sender hosts)
Received: from cpanel.isbiroptik.com (212.175.12.130) by
BL2NAM02FT022.mail.protection.outlook.com (10.152.77.153) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1922.16 via Frontend Transport; Sat, 25 May 2019 22:34:34 +0000
X-IncomingTopHeaderMarker:
OriginalChecksum:8470BBA7EFB74747B31F14599B7F3D5756F4400360EFF7C5332FA447EFFC5C04;UpperCasedChecksum:5AC579D75D366CE7EE688C78C260D7ECE3BE94CE20F9D2A3C01E02931C672F7C;SizeAsReceived:1504;Count:22
Received: from isbiroptik by cpanel.isbiroptik.com with local (Exim 4.91)
(envelope-from <[email protected]>)
id 1hUfFI-0007td-Kf
for ****@hotmail.com; Sun, 26 May 2019 01:34:32 +0300
To: ****@hotmail.com
Subject: =?UTF-8?B?QWNjb3VudCBBbGVydDogWW91ciBBcHBsZSBJRCB3YXMgdXNlZCB0byBzaWduIGluIGZyb20gYW5vdGhlciBsUCBBZGRyZXNzIGluIEluZG9uZXNpYSAoNS8yNi8yMDE5IDQ6MDk6NTIgUE0gKQ==?=
X-PHP-Script: bulten.isbiroptik.com/admin/temp/surveys/6661/2/asu.php for 35.222.223.210
X-PHP-Originating-Script: 501:asu.php
From: =?UTF-8?B?QXBwU3RvcmU=?= <[email protected]>
Content-type: multipart/mixed; boundary="--GuXzKLastB"
Reply-To: [email protected]
Message-Id: <[email protected]>
Sender: <[email protected]>
Date: Sun, 26 May 2019 01:34:32 +0300
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cpanel.isbiroptik.com
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [501 501] / [47 12]
X-AntiAbuse: Sender Address Domain - cpanel.isbiroptik.com
X-Get-Message-Sender-Via: cpanel.isbiroptik.com: authenticated_id: isbiroptik/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: cpanel.isbiroptik.com: isbiroptik
X-Source:
X-Source-Args: php-fpm: pool bulten_isbiroptik_com
X-Source-Dir: isbiroptik.com:/bulten.isbiroptik.com/admin/temp/surveys/6661/2
X-IncomingHeaderCount: 22
Return-Path: [email protected]
X-MS-Exchange-Organization-ExpirationStartTime: 25 May 2019 22:34:34.4204
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
abf8d9d8-13d2-4905-a038-08d6e1612985
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: EFV:NLI;
X-MS-Exchange-Organization-AuthSource:
BL2NAM02FT022.eop-nam02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-UserLastLogonTime: 5/25/2019 9:37:14 PM
X-MS-Office365-Filtering-Correlation-Id: abf8d9d8-13d2-4905-a038-08d6e1612985
X-Microsoft-Antispam:
BCL:0;PCL:0;RULEID:(2390118)(5000113)(711020)(4605104)(610169)(8291501072);SRVR:BL2NAM02HT063;
X-MS-TrafficTypeDiagnostic: BL2NAM02HT063:
X-MS-Exchange-PUrlCount: 1
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 212.175.12.130
X-SID-PRA: [email protected]
X-SID-Result: NONE
X-MS-Exchange-Organization-PCL: 2
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 May 2019 22:34:34.1251
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: abf8d9d8-13d2-4905-a038-08d6e1612985
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2NAM02HT063
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: FlexTransport
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.1301205
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1922.000
X-Microsoft-Antispam-Mailbox-Delivery:
abwl:0;wl:0;pcwl:0;kl:0;iwl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;psp:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(5062000261)(5061607266)(5061608174)(4900115)(8390100)(8377080)(8376100)(8386120)(8375121)(4920090)(6380081)(4950130)(4990090)(9140004);RF:JunkEmail;
X-Message-Info:
qoGN4b5S4yq0/zlyHv5xRFX9EtuW4SUMcX0M1fXnCA3C8KfxkUgn0Kp1Jy0yprVkXdKPM1RswBS6bSm1BQnM6WtYYxKrDoW9CCpO+mZD1gjxVpN73i70RXDqGQ87zzzGDszeqVF1URvHoMtFNyrUhAdQX+wXeaTsEu7T03b27ecMMozIsGa66FfzZbji3x9fho/oYohBE3zo9VFUjb7TJA==
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MjtHRD0xO1NDTD02
MIME-Version: 1.0
 
Associate
OP
Joined
30 Nov 2013
Posts
1,485
Location
UK
Here's the full headers (with my email obfuscated)...

snip

Can you give a layman explanation of that please?

Why don't you just say 'MSI'?

I've had run ins with MSI historically, I don't want to appear biased.

It has come to our recent attention that an unknown third party may have gained access to a third party software for the website <emailing.msi.com> operated by, or on behalf of MSI (the “Affected Website”). As a result, some of your account information limited only to your first name and email address may have been affected (together, the “Affected Data”). Within less than one (1) hour after learning of this incident, we took immediate steps to secure the Affected Website and ensure that the unauthorised third parties obtained no further data. Specifically, the actions we have taken include: i) shutting down the affected server and Affected Website; ii) conducting software and hardware scans for vulnerabilities and/or malicious scripts; iii) removing the Affected Website and hardware from MSI’s servers; iv) MSI IT teams installing updates to the third party software and rescanning for vulnerabilities; v) MSI IT teams setting up new website software and server locations with updated software and hardware protections. We then re-checked for potential vulnerabilities. We continue to monitor for suspicious activities and believe only a very small number of users may have been affected. We regret that this incident may affect you. We take our obligation to safeguard personal data very seriously and are taking steps to help prevent this type of incident from reoccurring. Based on our investigation and findings to date, we can reassure you that none of your account password, financial data, or other data of a sensitive or potentially harmful nature had been affected. We also have no evidence that any of the Affected Data, or your MSI accounts or services, have been misused as a result of this incident. We have notified the relevant data protection authority and will work with them to limit any further impact that this incident may have.

Was MSI's response.
 
Associate
Joined
9 Jan 2019
Posts
885
Spoofed emails are a massive problem. I recently had an academic director who appeared to be sending out mass emails of... well, not too great a content.
It was just a spoofed address, but trying to explain to this person that there was little we could do was not easy.
 
Soldato
Joined
9 Mar 2012
Posts
10,072
Location
West Sussex, England
Can you give a layman explanation of that please?

snip

I don't fully understand them myself, since I'm not sure which bits can be relied upon to be true; they get added at different stages, and the lines nearest the top are added by your own email provider.

In short, the headers are a mix of entries that are either created at message creation time by the email client or script (as seems to be the case with this one), or by each server that handles the receipt of the message.

The sender is asserting that the from address is msi.com, but I suspect msi.com has SPF and DKIM records set up on their DNS to prevent someone from successfully spoofing their address, e.g. ensuring the message gets marked as spam. This is because those DNS records don't identify the sender's actual address (<[email protected]>) as having the authority to send messages on behalf of msi.com. The 'spf=none' and 'dkim=none' are things I'd expect to see genuine organisations using too, but these are not set for 'cpanel.isbiroptik.com'.


More info in these...

https://mediatemple.net/community/products/dv/204643950/understanding-an-email-header

https://whatismyipaddress.com/email-header
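Added example (Python, not from the thread, MSI or Outlook): it parses the Authentication-Results header that Outlook stamped on the message quoted above and applies the check the last post describes, i.e. whether the envelope sender, SPF, DKIM and DMARC actually vouch for the domain shown in From. The passing contrast case uses a hypothetical example.com domain.

```python
import re
from email import message_from_string

# Constructed sample: the Authentication-Results header that Outlook stamped on the
# message quoted in the thread, refolded with leading whitespace on continuation lines.
PHISH_HEADERS = """\
Authentication-Results: spf=none (sender IP is 212.175.12.130)
 smtp.mailfrom=cpanel.isbiroptik.com; hotmail.com; dkim=none (message not
 signed) header.d=none;hotmail.com; dmarc=none action=none
 header.from=msi.com;
"""
# Constructed contrast case (hypothetical example.com domain): every check passes.
CLEAN_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=example.com; dkim=pass (signature was verified)
 header.d=example.com; dmarc=pass action=none header.from=example.com;
"""

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)")

def parse_auth_results(raw_headers):
    """Return (method results, evaluated domains) with "(...)" comments dropped."""
    value = message_from_string(raw_headers).get("Authentication-Results", "")
    value = re.sub(r"\s+", " ", value)        # unfold continuation lines
    value = re.sub(r"\([^)]*\)", "", value)   # comments are informational only
    methods = {m.group(1): m.group(2).lower() for m in METHOD_RE.finditer(value)}
    props = {p.group(1): p.group(2).lower() for p in PROP_RE.finditer(value)}
    return methods, props

def assess(raw_headers):
    """The check the thread describes: does anything vouch for the From domain?"""
    methods, props = parse_auth_results(raw_headers)
    from_dom, env_dom = props.get("header.from"), props.get("smtp.mailfrom")
    findings = []
    # Envelope sender (what SPF checks) and visible From domain should be related.
    if from_dom and env_dom and env_dom != from_dom and not env_dom.endswith("." + from_dom):
        findings.append(f"From domain {from_dom} differs from envelope sender {env_dom}")
    if methods.get("spf") != "pass":
        findings.append(f"SPF did not pass for {env_dom} (spf={methods.get('spf')})")
    if methods.get("dkim") != "pass":
        findings.append(f"no verified DKIM signature (header.d={props.get('header.d')})")
    if methods.get("dmarc") != "pass":  # dmarc=none: no policy found for the From domain
        findings.append(f"DMARC did not pass for {from_dom} (dmarc={methods.get('dmarc')})")
    return ("likely spoofed" if findings else "authenticated"), findings

if __name__ == "__main__":
    for name, hdrs in (("phish", PHISH_HEADERS), ("clean", CLEAN_HEADERS)):
        print(name, *assess(hdrs), sep="\n  ")
```

The same parser works on any Authentication-Results header a receiving server adds, but only that header is trusted: the From, Sender and Reply-To lines are chosen by whoever sent the message.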
 