Tag: phishing

I received what I believed was cleverly designed phishing attempt in my inbox.

My thought was to examine it to determine a little more detail about it and see what AI thought of it. The “———-” characters are something I tend to use as delineators when inserting these long streams of data in as part of my prompt. My experience with all of the AI systems I use has been that they are understood as delineation strings.

I discovered that email addresses were automatically wiped from the material as displayed in this site by a great anti-spam plugin called CleanTalk. I highly recommend CleanTalk and it can be checked out here using our affiliate link. This helps support us as well.

This was my output after feeding all the info I had to Gemini.

My Prompt

I have gotten this message in my inbox. I am leery of it because it has an attachment. Here is the text of the message:

----------
Delivery delayed:Portal document ready statement available

Mail Delivery System<Ma***********@*****et.cz>
​zo*******@***oo.com​
This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 48 hours on the queue on smtp.starnet.cz.
The message identifier is:     1usP7V-00EFty-2r
The subject of the message is: Portal document ready statement available
The date of the message is:    Sat, 30 Aug 2025 19:12:06 +0200
The address to which the message has not yet been delivered is:
zo*******@***oo.com
host mta6.am0.yahoodns.net [98.136.96.91]
Delay reason: SMTP error from remote mail server after pipelined MAIL FROM:<we******@**********ks.com> SIZE=5077:
421 4.7.0 [TSS04] Messages from 92.62.225.36 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes
SMTP Error Codes
SMTP Error Codes
postmaster.yahooinc.com
No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.
----------

And here is the “View Message Details” from my Outlook webmail, I notice that someplace it seems to indicate it was received from we******@**********ks.com which I believe is not really possible since we******@**********ks.com is an alias to our su*****@**********ks.com email address:

----------
Message Details
Received: from SJ5PPF92ECB6678.namprd11.prod.outlook.com
(2603:10b6:a0f:fc02::846) by PH8PR11MB6803.namprd11.prod.outlook.com with
HTTPS; Mon, 1 Sep 2025 19:11:46 +0000
Received: from MN2PR15CA0041.namprd15.prod.outlook.com (2603:10b6:208:237::10)
by SJ5PPF92ECB6678.namprd11.prod.outlook.com (2603:10b6:a0f:fc02::846) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9073.25; Mon, 1 Sep
2025 19:11:44 +0000
Received: from BN3PEPF0000B070.namprd21.prod.outlook.com
(2603:10b6:208:237:cafe::c5) by MN2PR15CA0041.outlook.office365.com
(2603:10b6:208:237::10) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.9073.27 via Frontend Transport; Mon,
1 Sep 2025 19:11:44 +0000
Authentication-Results: spf=none (sender IP is 92.62.225.36)
smtp.helo=smtp.starnet.cz; dkim=none (message not signed)
header.d=none;dmarc=fail action=none header.from=starnet.cz;compauth=pass
reason=105
Received-SPF: None (protection.outlook.com: smtp.starnet.cz does not designate
permitted sender hosts)
Received: from smtp.starnet.cz (92.62.225.36) by
BN3PEPF0000B070.mail.protection.outlook.com (10.167.243.75) with Microsoft
SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9115.0
via Frontend Transport; Mon, 1 Sep 2025 19:11:43 +0000
Received: from Debian-exim by smtp.starnet.cz with local (Exim 4.96)
id 1ut9wD-005kL4-08
for we******@**********ks.com;
Mon, 01 Sep 2025 21:11:33 +0200
Auto-Submitted: auto-replied
From: Mail Delivery System <Ma***********@*****et.cz>
To: we******@**********ks.com
References: <68**********************************@***co.net>
Content-Type: multipart/report; report-type=delivery-status; boundary=1756753893-eximdsn-642087814
MIME-Version: 1.0
Subject: Warning: message 1usP7V-00EFty-2r delayed 48 hours
Message-Id: <E1***************@**********et.cz>
Date: Mon, 01 Sep 2025 21:11:33 +0200
Return-Path: <>
X-MS-Exchange-Organization-ExpirationStartTime: 01 Sep 2025 19:11:43.7145
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
e54132a9-871b-4e6e-8961-08dde98b6398
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 87733afe-0d9d-4701-bcd1-865bd5674a0b:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic:
BN3PEPF0000B070:EE_|SJ5PPF92ECB6678:EE_|PH8PR11MB6803:EE_
X-MS-Exchange-Organization-AuthSource:
BN3PEPF0000B070.namprd21.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: e54132a9-871b-4e6e-8961-08dde98b6398
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam:
BCL:0;ARA:13230040|1930700014|12012899012|4013099003|4053099003;
X-Forefront-Antispam-Report:
CIP:92.62.225.36;CTRY:CZ;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:smtp.starnet.cz;PTR:smtp.starnet.cz;CAT:NONE;SFS:(13230040)(1930700014)(12012899012)(4013099003)(4053099003);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Sep 2025 19:11:43.4764
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e54132a9-871b-4e6e-8961-08dde98b6398
X-MS-Exchange-CrossTenant-Id: 87733afe-0d9d-4701-bcd1-865bd5674a0b
X-MS-Exchange-CrossTenant-AuthSource:
BN3PEPF0000B070.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ5PPF92ECB6678
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.7834666
X-MS-Exchange-Processed-By-BccFoldering: 15.20.9052.000
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4713098)(4999163)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info:
=?us-ascii?Q?5OVkyT0/RNWSaYutxJj077THwB9/PdRBuOcypuY4fdwzhHTozjfQsr21QcQe?=
=?us-ascii?Q?NlkVZwdxRcwD1qP0Cj/LeQciqNNJg0lbR1sV7ZBL/+hbiJydtx6tb7UP4HB4?=
=?us-ascii?Q?vSopbVg/FAl3IcJNTyrT7w4+nDXRr2JrSf5a5zQfIxcuBGLkTkVd+Be/t6x/?=
=?us-ascii?Q?BmAzftsRcoYhZTaS3zJP7FvLEP39lahyS74sRNEJdUA9XXRJ7OFA3W+9D4xB?=
=?us-ascii?Q?SNBfJ62DkBWkHJhU8cbCiXwG2kAQ851fIRm149UL+MMCyKNTx2IfSuiuPCIE?=
=?us-ascii?Q?8qKQ30lLORUEF6L762+5GncbnOWlY+pQB4umU6UVz0doun01sgNmJP7557rz?=
=?us-ascii?Q?Cc3nJbQLVFXR6QoHEAlwF8OLIB25x2MMCx1izo/uMfQtatHQysWnCrHUIROP?=
=?us-ascii?Q?Plk3eMOUGo79Q8xffqXNwC1bJyxoSXGYEutfYgohJ1eNcl3kbB7TaDQ0GgFL?=
=?us-ascii?Q?yrLREXENlpXKZ8ZrliD/5duDJuU2nkgxkry4f9icgwG/3oWTzfK+IIyGwPYu?=
=?us-ascii?Q?6HJyZu0T8Q5C+odyVNcnAw2b92FEMQZgDcIL786i4Trc5EpDUXdE40fuoJjr?=
=?us-ascii?Q?WAMg6ZAIXCE6TIyRJ2NcY/YIrE7WN3NgKgIbjYsDRYxjHaTPyyPYZltgWCIL?=
=?us-ascii?Q?Tvk/7Ci8O2vzPv1gnblZwAujV8tjGKtELysMLpQwfpD5Yf0vXi3hmsAWFSJd?=
=?us-ascii?Q?Qm++Vm1ziaH4pshpmDh+OqFPwE84vQslZDL45IudrIDSx+ZghKOdgtUUWPVQ?=
=?us-ascii?Q?cBHE2ymfPjToTG9n8bxksikVQi17JzMchnOb2iPivFeCEg5jwe3K6SOP6rM3?=
=?us-ascii?Q?ZTbrP/2Q2CPNA0TCxOGpn82N68BnXOzrIXIxjX2w9P0LGELPfzB9fiwmBFvP?=
=?us-ascii?Q?D8Y8I/fufUftBp2T/vPlU/Rpt8CyGWZXVv46lyr6AQjCJsrhTMEfVALhENFp?=
=?us-ascii?Q?/cnRi/5y2QQ5zcUH+vpl+j2LgKy0scYUdunfLt2lMgtcm9VCBs3aD7Q+fs7R?=
=?us-ascii?Q?STDliRDKLIFRbc/w4UWr0R5k2YtYoCiPfGb9dLPT4rW6b+q+mBjyBdH6ZcNm?=
=?us-ascii?Q?M5mI7k/OeyESkiU7EqcqlNVUp5WXtKwYC4XFBMPpa/G/vw0g3Lf5s4Dh2x1h?=
=?us-ascii?Q?pbJSnlU47l5JfYaUVOFtd2dtIb/P/MxAadCdjK4+VNeb+GE24nPQOodYuKq7?=
=?us-ascii?Q?b7aQj4QiI5GHLZtigvUBPjaVLihk9DgzWgtDU0uD0sPPcUeYS0lqpNn/pXO3?=
=?us-ascii?Q?uoVfZZEW+WbUkX4p6Hbc2DOdNhf7JolbHhutiV/af6HG1JP6XyRpPql9ktqY?=
=?us-ascii?Q?UjPctaNohn6SnD/eTOMc5h940DpnSxmK8Sit6zzjkskO5Oh2loHXzLZx9K6h?=
=?us-ascii?Q?3Z7ALPCOmJYZ5/8HTfffnmpTmJqtA4b59A7wzB1ioi5eyzGz8XWUpDTUG9I7?=
=?us-ascii?Q?o7FXtzDdnizQM3Gp89GOYKqwL5YjUM2SGAWWAD6fEUYc1m76yNNWW208cPiU?=
=?us-ascii?Q?HqT7SYDu4UHplLHTdM+hogeWNzkzlPWcbescWpfa7mI2F1SA1B3+lTwmqFr8?=
=?us-ascii?Q?h0jrZ7+2LlOIrY73TcJLlx3KgpYx6aHVZN1vw2x1sYnVU62Zs9mCE+evJuBp?=
=?us-ascii?Q?ycrgY//qeKOctC4R6uBsDjKiLQhKnGtvw0+3+IHqt1X2i9BnWv/aNl86oJoE?=
=?us-ascii?Q?w5SEqnkMAXwQUcEnghREl9BbldfT2Wwy2G9wUlOm9MBVpmr1viO99rfSZnTk?=
=?us-ascii?Q?yaft+ZphGO7Ic6DRgRudljAnEIJ0z5+3cs4nn8zfYh/FKCOIkFFaVDG2e6xg?=
=?us-ascii?Q?livk6Ljgh0MlfcOLHID6g+whbvaukhKyFnYBdxB83kRjXIdGFfXmd9/zM9LC?=
=?us-ascii?Q?vCVxAJW2xzC64Hs2uZn+axHU21jD8XWeEt2PhD0io1RoUWmU3RtT4POX7NoX?=
=?us-ascii?Q?ONSD83WNfBTEfjDgSvhlAc75Stcu13bvB5y2v5ykPPvusjr6Nk87pUYB+IGL?=
=?us-ascii?Q?As7XH/WcIK7f88X6KWbjKbdTRuTgoBKMpGmTqRdC9JAAVJe1Ryn8r0uDzGCb?=
=?us-ascii?Q?bv0UMzmC?=
----------

Gemini’s Response

That email is phishing, and you should delete it immediately. The attachment is very likely malicious. Although the email seems like a legitimate “mail delivery system” message, several red flags in the headers you provided confirm it is a forgery.

Why the Email is a Phishing Scam

The email is a scam designed to deceive you into opening a malicious attachment. Here’s a breakdown of the clues:

• Forged Sender and Recipient: The email is a forged bounce message. A bounce message is an automated notification from a mail server when it cannot deliver an email. The sender, Ma***********@*****et.cz, is a real type of automated sender, but it’s being spoofed. The message claims to be a delivery failure for an email you sent to zo*******@***oo.com, but you likely never sent an email to that address. Attackers often use real, known email formats to trick recipients.
• Mismatched Information: Your email address, we******@**********ks.com, is in the “To” field of the email, but the body of the message says the failed delivery was to zo*******@***oo.com. A legitimate bounce message would show the delivery failure for the email address you originally tried to send to, not a random, unrelated one.
• Suspicious Sender Domain: The email originates from smtp.starnet.cz, which is a legitimate Czech internet service provider. However, the message claims it’s a delivery failure for an email supposedly sent from we******@**********ks.com. It’s highly unlikely that your company’s email server would use a third-party server in a different country to send mail. This is a common tactic to hide the true origin.
• The “websites@” Email Alias: As you suspected, the websites@ email address is a local alias for support@. A genuine email would be addressed to your actual mailbox, not just the alias, unless the original sender was explicitly addressing the alias. The spoofer likely found your address on the web and guessed at the alias.
• Inconsistent Return Path: The Return-Path header is <>. A genuine mail delivery system email would have the same return path as the sender, which is Ma***********@*****et.cz. An empty return path is a common sign of a forged message.

The Danger of the Attachment

This type of phishing attack is a classic delivery method for malware. The goal is to make you believe there’s a problem with a document you supposedly sent. To “fix” the issue or view the “statement,” you’d be prompted to open the attached file. That file will almost certainly contain a virus, a trojan, or some other type of malicious software. It could be a ransomware executable that locks your files, a keylogger to steal your passwords, or a botnet client to turn your computer into a spam zombie.

What to Do Now

1. Do not open the attachment under any circumstances.
2. Delete the email immediately from your inbox and your deleted items folder.
3. Do not reply to the email. Replying confirms your address is active.
4. If your organization has an IT department, you should forward the email to them so they can be aware of the scam and potentially block the sender. You can also report it to your email provider.