Serious Discussion What’s in your Junk Mail folder? (Mega Thread)

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Posting pictures of the alert is not good enough. It means nothing! We can't tell if it's legit or phishing attempt. You need to post a picture of the link it asks you to go to. Either hover above the link to show full URL or copy it and paste here. That's the only way we can help you!
 

always_forever

Level 1
Jul 1, 2021
47
Like all of us, I get my share of SPAM and do my best to filter it directly to the junk folder.

However, I received one last night that concerns me and is different than any other to hit my inbox.

1689959743240.png


This message arrived in my Outlook client and was addressed to a gmail address that isn't mine (but is similar and is using my name). I've never seen SPAM like that before (assuming it is).

To start with, is it even possible to spoof the "To" field? I did some research and couldn't find a definitive answer.

Ultimately, I'm trying to determine if this is someone who established a gmail address (to set up potential identity theft) and then set up the address to forward automatically to my Outlook email address before using the gmail address to establish a Microsoft account...or if it is SPAM with a spoofed "To" field that is safe to ignore.

The thing is...it certainly looks like a legitimate email from Microsoft and the "From" field (which I know can be spoofed) is a legitimate Microsoft email address. I did use a header analysis tool at MxToolbox and used the new tool at Sopholabs Intelix to analyze the contained URLs. The URLs came back as low risk and did not appear to be malicious but the MxToolbox header analysis showed:
I do realize that the cut-and-paste of the header can negatively impact the ability to analyze it so I'm not sure if that's an issue here.

In any event, any insight from those with such knowledge would be sincerely appreciated.

Usually, I can determine if an email is spam or not but I don't know what's going on with this one. Did someone create a gmail address using my name and then use it to sign up for a Microsoft account? Then somehow the email was sent or forwarded to my Outlook address with the gmail address in the "To" field?

Or is this just SPAM? If it is SPAM, I don't see what could hope to be gained by the scammer as there are no clickable links in the email. So why would they send it?

How can I tell which it is? Willing to do some more legwork but I've hit a brick wall with this one. Maybe there is some other information in the header that I could look for?
 

always_forever

Level 1
Jul 1, 2021
47
Just delete it and move on...
I'd like to but if it's a set-up for potential identity theft, I'd like to know as I could be more proactive. There has to be a way to tell. I'd also like to gain a better understanding of how an email sent (or, at least, appearing to be) to a gmail address was delivered in an Outlook inbox. Or, if it's spam, I'd like to know how to determine that because it definitely appears to be a legitimate Microsoft email.

I think there is a lot to learn from this and I'd like to. It would also help me sleep better at night to know. I like to understand all the scams out there as there are so many these days.

There have to be some knowledgeable people on this forum who could read this and help me gain some insight. It would be really helpful and appreciated.
 

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,629
The email looks legit. It is not spam or any type of fraud as it does not create a sense of urgency and does not require anything from you — they’ve merely sent out a code. Someone may have typed your email by mistake or maybe your data already leaked from before, and now someone wants to know if you have an MS account. Either way, they won’t get the code if your Google account is secure.
 

always_forever

Level 1
Jul 1, 2021
47
The email looks legit. It is not spam or any type of fraud as it does not create a sense of urgency and does not require anything from you — they’ve merely sent out a code. Someone may have typed your email by mistake or maybe your data already leaked from before, and now someone wants to know if you have an MS account. Either way, they won’t get the code if your Google account is secure.
Thanks so much for your reply. I agree that it does look legit.

Typed which email by mistake? And how a gmail address even arrive in my outlook inbox without it being obvious that it was a forward of some sort simply by looking at the email itself? The "To" field was a gmail address that I don't have control over and don't think I ever had. It's very similar to one I do have and uses my exact name.

I don't understand how in the world an email sent to a gmail account could arrive in my outlook inbox as there was no mention of my hotmail address at all other than in the header. It doesn't appear as a forwarded email at first glance which I've never seen before. It was referenced in the header several times (with forwarding information) and here are some excerpts that might help make sense of this:

sender ip is xxx.xx.xxx.xx smtp.rcpttodomain=hotmail.com smtp.mailfrom=gmail.com;

received: by mail-lf1-f48.google.com with SMTP for <xxxxxx@hotmail.com

X-Forwarded-To: xxxxxx@hotmail.com

X-Forwarded-For: xxxxxx@gmail.com xxxxxx@hotmail.com

Delivered-To: xxxxxx@gmail.com

Also, abuseipdb.com shows the ISP being Google LLC with the IP in the header as being reported for abuse 49 times for such things as Port Scanning, SMTP Bruteforce attempts, multiple sign-in attempts from blocked location, crypto email spam with infected PDF, and IP permits gmail user to send phishing emails.

If this was merely a mistyped email somewhere (was it the gmail or hotmail that would have been input?), why did that person who is using a gmail account with my name also know my personal hotmail address? That seems like it's malicious and not an honest mistake. It just doesn't add up.

Best I can tell, assuming that it's a legit email from Microsoft, is that someone (who knows my personal hotmail email address) signed up for a gmail account in my name (or already had it prior), set up a forward in their gmail account to my hotmail (or somehow associated the hotmail account with their gmail account otherwise), and then signed up for a Microsoft account.

Why though if they knew that they wouldn't be able to retrieve the code unless they thought that they could somehow? To me, this seems like either an identity theft attempt or a potential account takeover attempt of some sort. If this is a scammer, it seems like they went to some lengths and I'd like to know what they're trying to do so I can protect myself. This really does seem malicious to me but what really bothers me is that, if it is, I don't know what the ploy is so I can't defend myself.
 

always_forever

Level 1
Jul 1, 2021
47
The message may have been redirected by the mailing daemon. If you use 2FA on all accounts, preferably via authenticator, they will have hard time taking over your accounts. Have you checked for data leaks?
Why would it be redirected from a gmail email I've never had (but is my name) to a hotmail email address I've hard for years, though? I don't understand. Even if it was redirected, wouldn't that be clearly reflected just by looking at the email?

That's one of the fishy things here with no pun intended ;]

I do use 2FA on all accounts and it's worth noting that the hotmail isn't one that's used for sign-in at this time and any associated passwords related to the account have been upgraded numerous times. I imagine it's possible that the Outlook client could be hacked, though, which that IP was also associated with.

That particular hotmail email has been involved in a number of leaks over the years and I've been actively phasing it out (I can't wait to delete it as I know Microsoft doesn't recycle them). I'm almost there but I want to fully understand what happened here before I delete it forever. The aforementioned gmail address shows no leaks on haveibeenpwned.com, for what that's worth...which makes me think it's fairly new with all the database breaches these days and over the last few years.
 
  • Like
Reactions: piquiteco

brambedkar59

Level 29
Verified
Top Poster
Well-known
Apr 16, 2017
1,869
Email with really weird formatting, x10 of space in between different lines. Then some other language used (German I think), it doesn't seem coherent. Makes no sense to me.

1696559132613.png

Hi.

Yоur bаlаnсе: 1.3426 ВТС ($35848.76) 💲

All details in your personal cabinet.

>> Click <<


7592 I am thinking: where is God? 8492

I am thinking: where is God? 6286 From early on she loved romances,

9194 I am thinking: where is God? 8521

krank werden, und ich leide! .. Jetzt, anstatt sich auf die Abschlussprufungen vorzubereiten, zu denen es etwas weniger als eine Woche gibt, versuche ich irgendwieand, when one's least prepared for it
and, when one's least prepared for itand, when one's least prepared for it
at sunken wax inside a bowl:
Don't let a ghost be your bear-leader,
at sunken wax inside a bowl:
from thirty down to two; and stop,
impatient, hatred flaming high;
 
  • Wow
Reactions: oldschool

uninfected1

Level 11
Verified
Top Poster
Well-known
Jan 28, 2016
525
A certain Mr Katanga keeps on emailing me saying he was left a lot of money by a relative, in fact too much for him, and would like to give it to me. He is very persistent and seems a jolly nice chap. Surely he isn't one of these nasty scammers.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top