Date: Fri, 25 Jul 2014 17:32:38 +0800 [05:32:38 EDT]
From: "J.Parker" [firstname.lastname@example.org]
Subject: invoice 0625859 July

Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if there is any problem.
Tiffany & Co.

Attached to the message is an archive "invoice copy.zip" which contains a folder "invoice copy" in which there is a malicious file "invoice copy.exe" which has a VirusTotal detection rate of 9/51. The CAMAS report shows that the malware downloads components from the following locations:
Those sites are similar to the one found in the recent "Birmingham Mail" spam run. I recommend that you block the following domains on your network: