Parcel Delivery Scams & Fail Delivery Texts to Your Mobile

[kas]

My mother almost fell for this scam but was smart enough to check the sending email address as it was from hotmail.co.uk (glad it was not spoofed) as well as to ask a few questions such as the expected date of her delivery not matching the printed out receipt for her order from amazon.

This time of year scams are higher because of online gift purchases for Christmas and beating the delays in shipping to recipients. Also especially due to the Pandemic more people are purchasing online.

From: MyCanadapost <ellisd3@hotmail.co.uk>
To: <OMITTED>
Sent: Monday, November 15, 2021, 10:39:52 a.m. EST
Subject: Confirmation of Shipment Details for Item / Confirmation des détails de l'envoi de l'article - November 2021 - 09:38:53 Paiement Reçu / [POST.CA]

Parcel not delivered!

Ticket no: 92825 | Date: 11/15/2021

Canada Post [SEE MORE]

Dear,

Your parcel no: 68318873456 was not delivered do to an incorrect address or phone number. The first delivery was free of charge, but if you wish us to try a new delivery a small fee of 1.88 CAD is applied, please provide the correct details: address, phone number.

Request new delivery!

2021 Canadapost.ca
Unsubscribe from this mailing list.

2 links in email:

One for the text SEE MORE: hxxps://s3.amazonaws.com/zaeouybv/EdmUSHJa.html
And one for Request new delivery: Same link as above.

The Unsubscribe from this mailing list has no link which I am not sure Canada Post would have that at the bottom anyway.


Tracing the link from the email shows that it redirects to another.
wheregoes.com/trace/202110413151/

Various scans show that the particular page (http://rtyuioomgrdsewvc.merseine.com/onmse/) is down (error code 500: Internal Server Error) where the site itself is not showing anything virus wise. Possibly a phishing site but looks like I would have to investigate closer to confirm this. However, I am pretty sure going by the phishing email itself that the site is designed to steal your information.

validator.w3.org/check?uri=http%3A%2F%2Frtyuioomgrdsewvc.merseine.com

www.urlvoid.com/scan/rtyuioomgrdsewvc.merseine.com/

The link is shown to be malicious but most security scans show it as being down due to server error (possibly taken down by Webroot):

www.virustotal.com/gui/url/8eb328272fd0716e29664efbb320651886080ba25dceb0e13ee2804c219a1451/details

scanurl.net/u/rtyuioomgrdsewvc-merseine-com-onmse

It is possible that the site or page at least got taken down after the email was sent out:

www.phishtank.com/phish_detail.php?phish_id=7351847

[kas]

More on this scam here:

saultonline.com/2021/04/canada-post-warns-residents-of-a-phishing-e-mail/

and here

www.canadapost-postescanada.ca/cpc/en/support/kb/security/general-information/what-do-to-if-you-get-suspicious-email

For more security info on scams like this check out www.antifraudcentre-centreantifraude.ca/index-eng.htm

[kas]

Another that is similar:

Received: from 10.197.34.205 (mail.bf1.yahoo.com)
X-Originating-Ip: [198.37.146.44]
spf=pass smtp.mailfrom=smtp.freshdesk.com;
dmarc=pass(p=NONE) header.from=newaccount1639142557379.freshdesk.com;
Received: from 198.37.146.44 (EHLO o32.email.freshdesk.com)
Fri, 10 Dec 2021 17:48:24 +0000
X-Received: from ip-10-21-64-85.ap-southeast-2.compute.internal (EHLO freshdesk.com) ([10.21.64.85])
by mxau.freshdesk.com (Freshworks SMTP Server) with ESMTPA ID -223178601.
Date: Fri, 10 Dec 2021 17:48:22 +0000 (UTC)
From: "USPS(Track&trac)!" <support@newaccount1639142557379.freshdesk.com>
Reply-To: "USPS(Track&trac)!"
Subject: Re: FWD:New Message12/10/2021 05:48:21 pm

Your delivery is pending in our warehouse due to wrong delivery address and unpaid delivery service.
Expected delivery date: 13/12/2021 12:00 - 15:00
Check out the link below and follow the instructions.
delivery management t.co/qrL8n1GKGc

Customer service

© 2021 All Rights Reserved

This one uses a twitter short link to avoid having spam filters blocking domains with a bad reputation.

ip-address-lookup-v4.com/lookup.php?host=ip-address-lookup-v4.com&ip=198.37.146.44&x=49&y=29

[kas]

Just got one today which somehow bypassed my spam filter (while in Canada using Cogeco Cable Forwarded to Yahoo while traveling) even though it is the same type of format as others which have been caught. I have omitted any permanent private info.

SUBJECT: [97557177] Please correct the delivery address. 2/17/2022-01:41:18


FROM: e-Ticket CBF928 <mondo92@hotmail.com> (Could be a hacked email account)
To: OMITTED
Date: Wed, Feb 16 at 7:41 p.m.

Dear Customer OMITTED , [392876]

Today 2/17/2022-01:41:18 we couldn't find you at the destination. AWB:[20847628620583]

Please correct the delivery address: [01242257]

Schedules Now

(Link went to hxxps://javicasado.es/it.html?101736477/OTUwNDYzMTQ2MzY4NjM1)

Scanners that show it is not a safe site to visit:

Norton:

safeweb.norton.com/report/show?url=https%3A%2F%2Fjavicasado.es%2Fit.html%3F101736477%2FOTUwNDYzMTQ2MzY4NjM1

Threat Report

This is a known dangerous webpage. It is highly recommended that you do NOT visit this page.

Google Transparency Report:

transparencyreport.google.com/safe-browsing/search?url=https:%2F%2Fjavicasado.es%2Fit.html%3F101736477%2FOTUwNDYzMTQ2MzY4NjM1

This site is unsafe

The site https://javicasado.es/it.html?101736477/OTUwNDYzMTQ2MzY4NjM1 contains harmful content, including pages that:

Try to trick visitors into sharing personal info or downloading software

ScanURL does not yet detect any danger. It checks PhishTank and WOT. I have submitted just now to PhishTank and will to WOT as well. scanurl.net/u/javicasado-es-it-html-101736477-OTUwNDYzMTQ2MzY4NjM1

URLVoid

www.urlvoid.com/scan/javicasado.es/

FortiGuard

www.fortiguard.com/ip_rep/index.php?data=javicasado.es



Headers:

Received: from 10.217.136.215
by atlas125.free.mail.ne1.yahoo.com with HTTPS; Thu, 17 Feb 2022 00:41:49 +0000
Return-Path: <mondo92@hotmail.com>
X-Originating-Ip: [66.226.81.39]
Received-SPF: softfail (domain of transitioninghotmail.com does not designate 66.226.81.39 as permitted sender)
Authentication-Results: atlas125.free.mail.ne1.yahoo.com;
dkim=pass header.i=@cogeco.ca header.s=email;
dkim=perm_fail header.i=@hotmail.com header.s=selector1;
spf=softfail smtp.mailfrom=hotmail.com;
dmarc=fail(p=NONE) header.from=hotmail.com;
X-Apparently-To: [b]OMITTED[/b]; Thu, 17 Feb 2022 00:41:50 +0000
X-YMailISG: n7xcucsWLDtaZ744edzksGrCGfOFlAyCzr.LGIfOqkoeo4X2
F.nUE0gZ8bIiW8UdKIcWm0u8tcyKkOXKM5LjbARCEXL9NUdHYyE0H.4W6kxZ
U58uMqgMT7pnaUvbXBbZhRFunXRvVcv3wswyDjb62lMVnp4MM7NJD2pxYUET
bgbQPidtdS2pUen54gz0TwogGHoFiQ9WTQBPUrxUWsBhwNXI.mOxlzM8q7aI
OISLxhflncwMBa46QxvF24ycJ9jVh3CeSFa9FHVqwhYmcMfyE3RAY4xxxDS4
yBmMgW918cq0c_pud9it55Ihh9wVWCI2mhtZHZaxYDcaHjO7B1vwNFuNFVB.
7GQPjpjmUagypM6X9To55wVpEKUUZRXrh0L6yI2K.TKUEvbGFAYXzowfwB6F
VOyaRejGKxU3IpIbemM5jz7alI_mkP.qvEH0TiPYZOn.GxKER7mWPlY2YWvd
ky83olQ8gMqw0sWOpqen8_z1wDrJbwCebgDHsC7kc2ipI7lpprYCJt_PIOyQ
hY6VVuYh2Xbb_wY_8uBykGcwKHT7qfY1LY5MqpSiYUzstGu7nG9Z048ihMfR
h3lOQKirrPQaf8ukNv6cYMpfnLJgUgZWi56tS3erM23xf.QpDV8unAe1sLoe
VvWJh3x5z2MVDqBYsowszbdQe5a1bHO4h8x0hnDy92PY6CZzCQ_vdLEHgXrp
0uzPfZclldyKfdd1M9wdOX0cLoArgOjQsfLCQTvmPELkPlcsPkL9pjDXLaJk
HK0Z.PXUrXhzw0_C1B5rrI085.bm48KU1Gg1Xgtgbvz0dz7NKo5uXrYYhopp
VJm634_4QYYYlHLV6Qj5r9lTcZ6M152nD5bJVhCXLPuOQ30SQWrQ_NUoeyv.
7Z1H1JV6b07Co1w8SGhuY.jtXM2iPuhyusWqP20NW5VUDNAm01C4dopO70h2
3QcTfjSke5Ux2SWxOKUksV3QQy4LGm_xoX4mK_CXQbIKiL0SQ6cr5OFHaNfQ
67ArcI4STKb3nhx4LYsZ69.aFSrJr7VHCPseg7fET00BIde1XJAjPh_layYE
nC5azBG41e8ol9Fol8LkwS3BzRJsqOrgtMVDNuV1CQ_II3EgiuxqM2vzVtfr
TeOQpdwz6Y_mTtZ70AVK6bFlnN3rM0b.DBe8afheSemT.CaQcLumqmtDV837
T6S8HYqALhjreE4h0.tYdF2URuurofvL6r7C3QrwaZgRD9aZ.ey4nZ9R6sZm
Mce3p4E_HbWPzA_bVQEQP5Z94A_IqE0-
Received: from 66.226.81.39 (EHLO mail8139c14.megamailservers.com)
by 10.217.136.215 with SMTPs
(version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
Thu, 17 Feb 2022 00:41:49 +0000
Received: from mail81138c14.megamailservers.com (mail81138c14.megamailservers.com [66.226.81.138])
by mail81203c14.megamailservers.com (mail81203c14) with ESMTPS id 788B6923D13A8
for <[b]OMITTED[/b]>; Wed, 16 Feb 2022 19:41:49 -0500 (EST)
Received: from busymta02 (smtp4.cogeco.ca [216.221.81.70])
by mail81138c14.megamailservers.com (mail81138c14) with ESMTP id F293C922B028C
for <[b]OMITTED[/b]>; Wed, 16 Feb 2022 19:41:48 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cogeco.ca; s=email;
t=1645058509; bh=OXix3XQrDiWFWIlWToduRsFiZcaVUwU7xpqHH+MxY0k=;
h=Date:Subject:From:To:From;
b=z3vAyfFIDgN4BzRziN8z4/lBAJR7ZNikTHQ+bmgkOdSifYa2WJdi46dHRCwzcpRqZ
evAU7+nj+JX5IXXHnwaxDgAYlg/YJ72nSrnAmb6UyIbO/qpLH3w5eEw1X944cq8rh2
zsZQQSF9SnP9/4kXYi8hBzaBm0voPERqpu0kaYAM=
Feedback-ID:mondo92@hotmail
MIME-version: 1.0
Content-type: multipart/alternative;
boundary="Boundary_(ID_nPvnQQrqXO6snae71S7lkg)"
Received: from mail8112c14.megamailservers.com ([192.168.200.190])
by busymta02.int.cogeco.net
(Oracle Communications Messaging Server 7u4-27.01(7.0.4.27.0) 64bit (built Aug
30 2012)) with ESMTP id <0R7F004T9B9OQA70@busymta02.int.cogeco.net> for
[b]OMITTED[/b] (ORCPT [b]OMITTED[/b]); Wed,
16 Feb 2022 19:41:48 -0500 (EST)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail8112c14.megamailservers.com
E1F48924845F6
ARC-Seal: i=2; a=rsa-sha256; d=cogeco.ca; s=email; t=1645058508; cv=fail;
b=h6qyJaSTeSxUB0f6LTxO5UDQ71B9iTdqi7wdq8RnLFGyxF0m4OG1Lbvq1LI220UuaSzYkaeJk2XHwi6jNng8DaaUOgRXY4Uk7KLRNgJjfYAWiFzkWqXu0xUdcs12lWj3U6XPHtD8wobZ7yZzR1+4x/+Wh842oc+PqkcS5m3bfcc=
ARC-Message-Signature: i=2; a=rsa-sha256; d=cogeco.ca; s=email; t=1645058508;
c=relaxed/simple; bh=tSrYkvsak0dSYMmlxWNVqFOCPafYNHUt7wucfsMtQJg=;
h=Received-SPF:ARC-Message-Signature:ARC-Authentication-Results:
DKIM-Signature:Received:Received:Date:Subject:Message-ID:From:To:
Content-Type:X-TMN:X-ClientProxiedBy:
X-Microsoft-Original-Message-ID:MIME-Version:
X-MS-Exchange-MessageSentRepresentingType:X-MS-PublicTrafficType:
X-MS-Office365-Filtering-Correlation-Id:X-MS-TrafficTypeDiagnostic:
X-Microsoft-Antispam:X-Microsoft-Antispam-Message-Info:
X-MS-Exchange-AntiSpam-MessageData-ChunkCount:
X-MS-Exchange-AntiSpam-MessageData-0:X-OriginatorOrg:
X-MS-Exchange-CrossTenant-Network-Message-Id:
X-MS-Exchange-CrossTenant-AuthSource: X-MS-Exchange-CrossTenant-AuthAs:
X-MS-Exchange-CrossTenant-OriginalArrivalTime:
X-MS-Exchange-CrossTenant-FromEntityHeader: X-MS-Exchange-CrossTenant-Id:
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
X-MS-Exchange-Transport-CrossTenantHeadersStamped;
b=i0uv0+z8YaKisKcbZVyS3F2xIi2rS2tpkMIpWGQXdvAKVzEsYc2ghQtX9lhRnQ4vjkMZXL6nLrk5eCiD5KnHBhm8NSGZmcWbx3dks5wWBvVm8qa8+4faHftbeKm5OU5U6HkFFR7yjsB8n0uIbqFfBI93bOtdBGnef3Ixmtanbis=
ARC-Authentication-Results: i=2; mx.cogeco.ca; arc=fail
smtp.client-ip=40.92.66.62
Received: from EUR01-VE1-obe.outbound.protection.outlook.com
(mail-oln040092066062.outbound.protection.outlook.com [40.92.66.62])
by mail8112c14.megamailservers.com (mail8112c14) with ESMTP id E1F48924845F6
for <[b]OMITTED[/b]>; Wed, 16 Feb 2022 19:41:47 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=houQ4EYRGAEYqWIR1cXVDc9QvBRZbj4BF6p4pChKFi2vr45bhZM2xmDde3vlLt0UWTKYg8rDNvrVTdHNXQsPNf8QLG7+dmup706FauSLRj/RRf58l7EqygtTsCsbLpFYm9HrPGOh+M38GOyDf634m4M/2zCZIqMSbv2pNZtE14D+CZlff4inje8mFBZnrfzIIAkRX6p89OCQOy4ROj0Nvu5AZTpGXUHXcHmgTjuULOcFd3DKbFeagbcdsbmm4ZmJbMTxdlRf6Zz5igcLF/H83eb+mwMcQ4vvidad+eFqVB9v9J8VXIEYLE4gu+rxGRYYQkO220Od+ElBusgSEEy3zQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=tSrYkvsak0dSYMmlxWNVqFOCPafYNHUt7wucfsMtQJg=;
b=iD8Y7xe2qonE+Y348NYgTKyvEcwOzNTa1mfoJ4P7oPQEvRrG2RkYGdtDrv8Dx+Umv0mnwrpFQMV5tRgZz+cpfmDPiEuyEv1daKt7q5KZ1/FBFVl+M3Uob82kpRVmCDW6yWQTLSIgPJSUCl7LwboV1tXuZihSkC6ddq8vt5rQzPrEPr6oWS8YIOSw/2L1AZYwZH5ZU7b69mC5iLBHQzXK5NBZywRkflNFvU3d6kHpAng3LelvlIQnC13OAtT92kbOLccpZDVk+eC28P5YW1aUwFMG5gPB/YUcCKrE7dYKubq4jkdo41lGMLFt/dEl5SuRTtbw0YTklzjUxWv0YzvWwg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=tSrYkvsak0dSYMmlxWNVqFOCPafYNHUt7wucfsMtQJg=;
b=XHRaFN2Ui2bQ2gTFkaUDJ5WNyr4cU5hNQNearTx0enolXdXLpdePITy27NNtaVYQTih4W0Y6OHTzaLc85xSoKXGn398Dehkwv9FHGXp6NaBjPOMzAeoTh5IUo20ZBYthzgAaql420PxIttiVrFAK1MpxYcToYFREcwNyHCweYuEjI62pLvT0X7gB5m77rh8dYtH/nclkdyoL4Cis+RWQcoByEagleicrYQj3gQsfklgzVMNxJHE7lfsucajZ/1zOSUGxw7wm2EXJBqXU7y1qNMBRytdrGNtlcOwUyUBDVVqPDbe3atAy1q6t22+GGwu53FyvoX0wLMdYT76xwThHkg==
Received: from DB7PR07MB4491.eurprd07.prod.outlook.com (2603:10a6:5:37::25)
by PA4PR07MB7232.eurprd07.prod.outlook.com (2603:10a6:102:fb::13)
with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
id 15.20.4995.8; Thu, 17 Feb 2022 00:41:40 +0000
Received: from DB7PR07MB4491.eurprd07.prod.outlook.com
([fe80::fca4:d7ba:c29f:7f1]) by DB7PR07MB4491.eurprd07.prod.outlook.com
([fe80::fca4:d7ba:c29f:7f1%6]) with mapi id 15.20.5017.007; Thu,
17 Feb 2022 00:41:40 +0000
Date: Thu, 17 Feb 2022 01:41:18 +0100
Subject: [97557177] Please correct the delivery address. 2/17/2022-01:41:18
Message-id:
<DB7PR07MB4491DC19B8C867EBF060F8C3A3369@DB7PR07MB4491.eurprd07.prod.outlook.com>
From: =?utf-8?B?ZS1UaWNrZXQgQ0JGOTI4?= <mondo92@hotmail.com>
To: [b]OMITTED[/b]
X-TMN: [BuzCqc/0IVcYZXlFUAd9P7ZWTe5nqATR]
X-ClientProxiedBy: ZR0P278CA0167.CHEP278.PROD.OUTLOOK.COM
(2603:10a6:910:45::15) To DB7PR07MB4491.eurprd07.prod.outlook.com
(2603:10a6:5:37::25)
X-Microsoft-Original-Message-ID:
<7BCF281CCA52678F33-EDF50F2BF085257D5784460D15C6B3B83671D487B-0FD29979639A4A-17C51D1E9EBCF2-65BF326E2DE1@oracle.com>
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: b2ff55d4-5713-4808-9062-08d9f1ae361f
X-MS-TrafficTypeDiagnostic: PA4PR07MB7232:EE_
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
VFgW7qmUqbui/bSHvxmqGodrR1HZBWwn4UCs+BZX3CPZu00DZ+2WbzI7it9xIsSvewrUqCArY8CMKXrTpRiZtimshOhhoYAc05CTpgNJO2x0JDSShWti0F+LEQy0Yr1sCQJR8XB23Ll4nfblPMLJdLLKSaAj3OovlfNoU/3hRrEHPa6v1H1ozNs+8b2ABMG5mTusjmzSMdDYxKY9Jt6KgYoOzn2Z7Y4w4kYTFx7zPm6w2Gzfm+14eryfIXv7GHz8Ksa/Mt3Jd/Kr+WZ/h3QxkCamf3+kB9budySO99CDX3VGjhrsJ/FYlno4sNl2di7sbGDl/o1AcqJvrD7TRtHCmXPVMXEwfa/ITQggDmb4kQoDsVTUXjcUHZYpUmDA5cYUIju/UPvaa1dSiYImNDu4qLz68nJCqmQPdfDHtCL/iQXugdJNFH8zFXHhFNU1zmkX8O+NM5GABOT7PNJecprkhJYX0WF0j14OuKtHpOQ1Mo4rCmJFx4sS4ow4GbwsBuz1vqloMIa8FVfsnjr0rfewu8/kAdlvalwSRxGwUb0Q6oPFv2VZ16zL0blV2QeQbX5aXGKQoJ1mVQ+e2DgK7vi11g==
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0:
=?utf-8?B?MkJZRXpZUVVVSHNIbHVxajZYV3dzUzk4bnVtcTFLUXBSMjFENHpodWVMR0w1?=
=?utf-8?B?V25tQWVXRnB5UW0xdVFnSnBvT1FvNkxPWjBGVmhkY08vSUJPSFdXeG1QRTA1?=
=?utf-8?B?dzF2aTlmTmVudzlES3NFWU5wTUJsaHRRRGU3aWR0MGJsMk0yM0M4NUJuUUpu?=
=?utf-8?B?bTRSOERmVll0amhXSlhkdHpKYzRBL01hK3E5NUtRT3hWdGhVMkNIZmRoWTNO?=
=?utf-8?B?V29iL3lWWW90UHROcW9uREJrZTk2bFJGdEZZZmRwd3hJNnR4Y3kvRU1TYzAw?=
=?utf-8?B?WjlhdUhOdThROW94MDVwb2dLYUVOLzRMK01MM041UVNKTDdGTmlTd3VPbCtK?=
=?utf-8?B?ZGxtenNYcjFZSW1ibEZWVmtVM3o0dVZUbnpTNnNraUNKcW5nQnVFcXJRWVhX?=
=?utf-8?B?b1BXZUh6aTd2SSs0TGE1QUZkcSsrR1BKUEJXUWJDeW0zNkJaaERiSkwxVXl6?=
=?utf-8?B?Z0ZGbHkway9QRXFWaSsxamhVck1ORDZXeWViV2t3SmduVDNDVTVrUGZmak8r?=
=?utf-8?B?MkQvWkdoRExmcktaYWt4UldjRXhwRXk5bTJpellTeDVWY2M2OEIxd3FqRXdX?=
=?utf-8?B?ME9lS00rNkQyaWdjWGV1M29RQzdDc2lVZGt1L3dUeS91eXRqRzBrc3VnTUFm?=
=?utf-8?B?TERvYlZHNmJ0M2NKSFJhTTVEZ09iVGZDYWswZFhFVDl3dlFuQ3VoQzcxVGxV?=
=?utf-8?B?cFI3cXl4TnQxTC9aNHRUODF2Vmc0VktHYlNZYUY1NTBrdkVJdElCMENOazZa?=
=?utf-8?B?c1hjQjFqUm0yQlJidzRpUHZhd0lFc3k3TExvS2dCdmF0dXQ1WjZOZEQxQWV4?=
=?utf-8?B?RXkzUjgrYVYwV3ZUZktqRm5iMHlsRXRxRjZieFVYb2V1SE9PWlJhelBxNDRZ?=
=?utf-8?B?Vm1JOFM1VDh2aTE0cE9scFd6ZmQwU2hHS09EZjIzcnBnajRtbUNBYld5ajd5?=
=?utf-8?B?NzRrQ0dGS3Z1aVNRejVOYXJSTzhHZU5FNW5UWTlSQitxajc5aloydUdkdU9l?=
=?utf-8?B?UmRVSERUSnZkSWN4Z0QvSWZ2YmJ3dDdCWVNMbGd6Mm44Tnlrbi9LbzhEeVAz?=
=?utf-8?B?dFh4d3h6elZOYWxCckhLak1memx1NXJxaER2S2dFT2ZoLzlaTjIza3AwYjlB?=
=?utf-8?B?YkZBOTBaekNPMjVlUWZUeUc4ZXJXUVpIKzZmTFkxVTNpUGJPa2duR2x4Unpy?=
=?utf-8?B?dXN2Y2hRMzJTQXppblMyVXVZbXJ5M0ZFc09yZm5HZzVSTFp0OEJNeW5lYWpW?=
=?utf-8?B?Z2NrcUYvamdXNmtXUGxpT1BKSGdIWnF4ZzRPTlB2Zkp4eWhzdz09?=
X-OriginatorOrg: sct-15-20-4778-2-msonline-outlook-1105a.templateTenant
X-MS-Exchange-CrossTenant-Network-Message-Id:
b2ff55d4-5713-4808-9062-08d9f1ae361f
X-MS-Exchange-CrossTenant-AuthSource: DB7PR07MB4491.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Feb 2022 00:41:18.9433 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR07MB7232
X-DA-Pass: W0T0
X-VADE-SPAMSTATE: clean
X-VADE-SPAMSCORE: 0
X-VADE-SPAMCAUSE:
gggruggvucftvghtrhhoucdtuddrgedvvddrjeejgddvhecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfjqffuvffqrffktedpgffpggdqvedugeenuceurghilhhouhhtmecufedtudenucenucfjughrpeffuffkhffvtgggsegrtddtredttdejnecuhfhrohhmpegvqdfvihgtkhgvthcuveeuhfelvdekuccuoehmohhnugholedvsehhohhtmhgrihhlrdgtohhmqeenucggtffrrghtthgvrhhnpedvgfffveeggedtiefgfefgteelkeektefhgefgudejudfgtdekudduudfhffegheenucffohhmrghinhepjhgrvhhitggrshgrughordgvshenucfkphepgedtrdelvddrieeirdeivddpvdeitdefmedutdgrieemheemfeejmeemvdehnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepgedtrdelvddrieeirdeivddphhgvlhhopefgfgfttdduqdgggfduqdhosggvrdhouhhtsghouhhnugdrphhrohhtvggtthhiohhnrdhouhhtlhhoohhkrdgtohhmpdhmrghilhhfrhhomhepmhhonhguohelvdeshhhothhmrghilhdrtghomhdpnhgspghrtghpthhtohepuddprhgtphhtthhopegrvghsshgvrhihsegtohhgvggtohdrtggr
X-CTCH-Spam: Unknown
X-CTCH-VOD: Unknown
X-CTCH-RefID:
str=0001.0A742F1B.620D99CC.004C,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-Origin-Country: AT
X-VADE-SPAMSTATE: clean
X-VADE-SPAMSCORE: 0
X-VADE-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedvvddrjeejgddvhecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfjqffuvffqrffktedpqfgfvfdpgffpggdqvedugeenuceurghilhhouhhtmecufedtudenucenucfjughrpeffuffkhffvsegrtddtlhdttdejnecuhfhrohhmpegvqdfvihgtkhgvthcuveeuhfelvdekuceomhhonhguohelvdeshhhothhmrghilhdrtghomheqnecuggftrfgrthhtvghrnhepueduudfggedukeefteeflefhueeggefgiedvveejvdefueevvdfghfekgfeukeevnecuffhomhgrihhnpehjrghvihgtrghsrgguohdrvghsnecukfhppedvudeirddvvddurdekuddrjedtpddviedtfeemuddtrgeimeehmeefjeemmedvheenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpedvudeirddvvddurdekuddrjedtpdhhvghlohepsghushihmhhtrgdtvddpmhgrihhlfhhrohhmpehmohhnugholedvsehhohhtmhgrihhlrdgtohhmpdhnsggprhgtphhtthhopedupdhrtghpthhtoheprghnghgvlhgrvghsshgvrhihseihrghhohhordgtrg
X-CTCH-RefID: str=0001.0A742F1E.620D99CD.0023,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTCH-VOD: Unknown
X-CTCH-Spam: Unknown
X-CTCH-Score: 0.000
X-CTCH-Rules:
X-CTCH-Flags: 0
X-CTCH-ScoreCust: 0.000
X-Origin-Country: CA
Content-Length: 968


--Boundary_(ID_nPvnQQrqXO6snae71S7lkg)
Content-type: text/plain; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT


--Boundary_(ID_nPvnQQrqXO6snae71S7lkg)
Content-type: text/html; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><p style="display: none;">9366615440875803071516364449660263770974696875 </p>  <p>
Dear Customer [b]OMITTED[/b] , [392876]
<p style="display: none;">822217430655454845541 </p>  <p>
Today 2/17/2022-01:41:18  we couldn't find you at the destination. AWB:[20847628620583]
<p style="display: none;">9871469488379016392415367233594558824 </p>  <p>
Please correct the delivery address: [01242257]
<p style="display: none;">826766391011041200493929906347258425673739076089990259078787832 </p>  <p>
<a href="https://javicasado.es/it.html?101736477/OTUwNDYzMTQ2MzY4NjM1">Schedules Now</a>
<p style="display: none;">58298 </p>  <p>

--Boundary_(ID_nPvnQQrqXO6snae71S7lkg)--


Screenshot of the Phishing attempt:

The email:


The website if you click the link in the email: