# headers-phish.txt # Part of the following article: https://chris.partridge.tech/2020/email-fraud-or-email-compromise-beginners-guide/ # Published: September 27, 2020 # # The very normal-looking headers of an phishing campaign that piggybacked off existing threads where possible. # License: CC BY-NC-SA 4.0, ref: https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode Delivered-To: Received: by 2002:a4f:6003:0:0:0:0:0 with SMTP id ; Thu, 28 May 2020 06:31:14 -0700 (PDT) X-Google-Smtp-Source: X-Received: by 2002:a92:bbdd:: with SMTP id ; Thu, 28 May 2020 06:31:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590672672; cv=none; ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ header.s= header.b=; spf=neutral (google.com: is neither permitted nor denied by best guess record for domain of ) smtp.mailfrom= Return-Path: Received: from (. []) by mx.google.com with ESMTPS id for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 28 May 2020 06:31:12 -0700 (PDT) Received-SPF: neutral (google.com: is neither permitted nor denied by best guess record for domain of ) client-ip=; Authentication-Results: mx.google.com; dkim=pass header.i=@ header.s= header.b=; spf=neutral (google.com: is neither permitted nor denied by best guess record for domain of ) smtp.mailfrom= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=; X-Auth-ID: Received: by (Authenticated sender: ) with ESMTPSA id for ; Thu, 28 May 2020 09:31:09 -0400 (EDT) X-Sender-Id: Received: from localhost (172-223-074-245.res.spectrum.com [172.223.74.245]) (using TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256) by 0.0.0.0:587 (trex/5.7.12); Thu, 28 May 2020 09:31:11 -0400 Date: Thu, 28 May 2020 13:30:55 +0000 To: From: Subject: Re: Message-ID: X-Mailer: Microsoft Office Outlook 12.0 References: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary= X-Classification-ID: This is a multi-part message in MIME format. --b1 Content-Type: multipart/alternative; boundary= --b2 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable