Warning: Do not go clicking phishing links, this entry was constructed in a sandbox, also please do not copy or visit any of the links in the guide, the author accepts no responsibility for silly things you do with this information!!!
Spoiler : No payload - however, malicious email servers are now signing messages with DKIM with neutral SPF records - meaning DMARC is no longer helpful
This is another e-mail which is from "Apple" with a nice little PDF attached here it is, yes I marked as SPAM but this is the message...
Looking at the mail e-mail details, you can seer I have been added as a BCC, when this should be to me directly not as a BCC, weird but then you have a from labelled as "Apple com" and that comes from the domain "great-site.net" with the actual recipient being "support-apple@cancelpayment.com" - now its more suspicious if it was not before, so its not come from Apple and its not directed to myself, more cancelpayment.com.....
| from: | Apple com appstorex44supporrstsrsrseaesraass7272726312@appsyysudy-storrewsea.great-site.net | ||
| to: | support-apple@cancelpayment.com | ||
| bcc: | bear@diepiggydiedie.com | ||
| date: | 24 May 2023, 05:43 | ||
| subject: | Re: Confirm Your App Purchase [Invoice] We will Process your Purchase and we will charge it to your credit card on Wednesday, May 24, 2023 #ID-FFAR55A17A10 | ||
| Signed by: | appsyysudy-storrewsea-great-site-net.20221208.gappssmtp.com |
| security: | Standard encryption (TLS) |
Unfortunately in this instance SPF and DKIM wont help here at all as the DKIM record is actually correct it is from the server below, which is NOT an Apple server, also SPF is not helpful here as it does not say "Fail" but this should be "Pass" if it was valid.
Then lets move onto the attachment, this has been scanned by Gmail but the issue is not with the file, more the links within the PDF so that will not help you out here.....
Message headers for this message are actually not that bad, except they are signed by a malicious server so they are not that helpful, there is no Base64 content in the message though like last time.
Now the PDF, this is it and its a game I have never purchased with a price that is not correct, and its a refund for something I do not have as I have never paid for it......
It gets worse from here, this is the click region and the red boxes show the issues
However all the links navigate you to this website, which is not Apple but Yahoo webmail with a hidden link......
Luckily like many other responsible link shorten services they are removing suspicious links which is great - kudos to this service, but some are not that bothered about your security.
However that does not stop that link being reported in the signatures of good sandbox services
This is then reflected on the MITRE matrix as a defence evasion:
