From: Accounts [firstname.lastname@example.org]
Date: 7 September 2015 at 11:55
Subject: Credit Note CN-60938 from Stilwell Financial Inc for victimdomain.com (0178)
To download your credit note CN-60938 for 401.04 GBP please follow the link below : https://get.xerofiles.com/[snip]
This has been allocated against invoice number
If you have any questions, please let us know.
Stilwell Financial Inc
In the only sample I saw, the download location for a file at xerofiles.com which came up with a 403 error. This domain belongs to an accounting service called Xero, it is unclear if they were actually hosting the malware or if there is some error in the spam email itself.
Somewhat interestingly, the bad guys have attempted to forge the mail headers to make it looks like it comes from Xero itself.
Received: from 22.214.171.124.static.ttnet.com.tr (unknown [126.96.36.199])The fake parts of the headers are highlighted. The actual sending IP is 188.8.131.52 in Turkey. I don't know what the payload is in this case as the download location doesn't work, it will most likely be some sort of banking trojan.
by [redacted] (Postfix) with ESMTP id 74F50400BE;
Mon, 7 Sep 2015 11:59:12 +0100 (BST)
Received: from mail2.go.xero.com (184.108.40.206) by
GCN5B9ZDBKTFX.mail.protection.outlook.com (10.997.33.92) with Microsoft SMTP
Server id 05.9.975.7 via Frontend Transport; Mon, 7 Sep 2015 12:55:16 +0200
From: Accounts <email@example.com>
Date: Mon, 7 Sep 2015 12:55:16 +0200
Subject: Credit Note CN-60938 from Stilwell Financial Inc for [redacted] (0178)
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
X-Mailer: aspNetEmail ver 220.127.116.11