From: billing.address.updates@ADP.com [mailto:billing.address.updates@ADP.com]Most of the ones that I have seen are malformed and instead of a link they just say <html> which is one reason that it is getting through the spam filter. I have seen one live one, leading to [donotclick]www.bingemann-buerosysteme.de/services/invoice1211.php
Sent: 12 November 2014 16:28
Subject: ADP Past Due Invoice#39911564
Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here.
Important: Please do not respond to this message. It comes from an unattended mailbox.
This downloads a ZIP file invoice1211_pdf28.zip which in turn contains a malicious executable invoice1211_pdf.exe which has a VirusTotal detection rate of 6/54.
It then contacts the following URLs according to the Malwr report: