From: MICHAEL T. DIVER [michael -at- lawfirmofoklahoma.com]The telephone number and also potentially the email address are genuine, but they are certainly not being sent from this law firm.
Date: 23 November 2016 at 15:24
Subject: RE:RE: financial records subpoena
See you in court !!!
Subpoena for server
Thank you,
MICHAEL T. DIVER
T (405) 608-4990
F (405) 608-4991
The link in the email goes to a legitimate but hacked Vietnamese site at techsmart.vn/backup2/get.php?id=[base64-encoded-part] (the last bit is a Base 64 representation of the victim's email address).
In testing the payload site was down, but previous emails of this type have lead to the Vawtrak banking trojan.