From: Administrator [mailto:firstname.lastname@example.org]
Sent: 19 November 2012 14:50
Subject: To All Employee's - Important Address UPDATE
To All Employee's:
The end of the year is approaching and we want to ensure every employee receives their W-1 to the correct address.
Verify that the address is correct - https://local.victimdomain.com/details.aspx?id=[redacted]
If changes need to be made, contact HR at https://hr.victimdomain.com/update.aspx?id=[redacted].

In this case, the link bounces through two hacked legitimate sites to end up at [donotclick]5.chinottoneri.com/links/landing-philosophy_dry-suspende.php hosted on 220.127.116.11 (Fortress ITX, US). VirusTotal detections are pretty low. I suspect that there are many other malicious sites on this IP, so blocking it would be wise.