Sounds like a fair amount of caution is warranted.  Just talked to an Office365-hosted 
email customer.   One of their folks clicked on a PDF from a legitimate 
vendor of theirs, with a pretty legitimate-looking PDF-labeled attachment.   It 
changed a few of their email addresses to auto-forward to a Gmail account.   
Easy to fix, but it took them a while to figure out why those accounts weren't 
getting email.

Regards,

David Coudron


-----Original Message-----
From: AF <af-boun...@af.afmug.com> On Behalf Of Nate Burke
Sent: Friday, September 18, 2020 1:56 PM
To: AnimalFarm Microwave Users Group <af@af.afmug.com>
Subject: Re: [AFMUG] FBI Virus?

Googled the number and email address.  No results.

On 9/18/2020 1:55 PM, Chuck McCown wrote:
> I would call the number, at least google the number.
>
> Sent from my iPhone
>
>> On Sep 18, 2020, at 12:51 PM, Nate Burke <n...@blastcomm.com> wrote:
>>
>> I got this message to the INFO mailbox of a company we acquired a year ago. 
>>  Everything about it says that it's spam, but the headers look legit.  
>> Although the 153.31.119.142 IP address does not exist in the ARIN whois.  
>> BGP.he.net says that it's part of a /17 assigned to the FBI.  It has an 
>> attached PDF that I have not yet opened. (file name SBP634366-WOW125412.pdf) 
>>  I can't imagine this is anything other than spam/virus?  Is it possible 
>> this is how the FBI actually sends out things?
>>
>> What's the best way to open a suspect PDF File?
>>
>>
>> _____________________
>>
>> *** CHILD EXPLOITATION ***
>>
>> Good afternoon - please review the attached administrative subpoena and 
>> proceed accordingly - thank you and have a great weekend!
>>
>> AS Jennifer L. Isom
>> FBI Chicago
>> Violent Crimes Against Children
>> 312-829-5835
>>
>>
>> ---------------------------------------------
>> Email Headers:
>> Received: from mx-east-ic.fbi.gov ([153.31.119.142])
>> Received: from unknown (HELO HQV2-UEMBX-401.fbi.gov) ([10.93.22.26])
>>   by mx-east-ic.fbi.gov with ESMTP; 18 Sep 2020 14:21:58 -0400
>> Received: from hqv2-uembx-402.FBI.GOV (10.90.70.12) by 
>> hqv2-uembx-401.FBI.GOV
>> (10.90.70.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 
>> 18 Sep
>> 2020 14:21:57 -0400
>> Received: from USG02-CY1-obe.outbound.protection.office365.us 
>> (10.90.70.8) by hqv2-uembx-402.FBI.GOV (10.90.70.12) with Microsoft 
>> SMTP Server (TLS) id
>> 15.0.1497.2 via Frontend Transport; Fri, 18 Sep 2020 14:21:57 -0400
>>
>> ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass 
>> smtp.mailfrom=fbi.gov; dmarc=pass action=none header.from=fbi.gov; 
>> dkim=pass header.d=fbi.gov; arc=none
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
>> d=dojfbi.onmicrosoft.com; s=selector1-dojfbi-onmicrosoft-com;
>> h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchang
>> e-SenderADCheck; bh=vBv3/mLV7bc3i7PO8fotIxOyxMy562h5qqwbW3309QI=;
>> b=UqGJLZtTRQr6f1KaIJq/IjMFFc5skaGN4rQQMHgHWUAe4pw963vIjTILv/cQHH1CToF
>> XgXUu980qar5uXnG7TKH5fVRIoVuWxu4VhWEEXZ8ePAQMkWXYdfKuR2NGS3cC3hVoxL6i
>> Hi/kXd5CKwbXopVnfiPgDuOFB84Rof0LTHk=
>> Received: from CY1P110MB0551.NAMP110.PROD.OUTLOOK.COM 
>> (2001:489a:200:404::14) by CY1P110MB0567.NAMP110.PROD.OUTLOOK.COM 
>> (2001:489a:200:404::18) with Microsoft SMTP Server (version=TLS1_2,
>> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.17; Fri, 
>> 18 Sep
>> 2020 18:21:54 +0000
>> Received: from CY1P110MB0551.NAMP110.PROD.OUTLOOK.COM
>> ([fe80::75b8:922a:1a45:32c0]) by 
>> CY1P110MB0551.NAMP110.PROD.OUTLOOK.COM
>> ([fe80::75b8:922a:1a45:32c0%10]) with mapi id 15.20.3391.017; Fri, 18 
>> Sep
>> 2020 18:21:54 +0000
>>
>>
>>
>> --
>> AF mailing list
>> AF@af.afmug.com
>> http://af.afmug.com/mailman/listinfo/af_af.afmug.com


-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
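One way to pull the facts Nate was reasoning from out of a raw header block, the verdicts in the (ARC-)Authentication-Results header, the DKIM signing domain measured against the From domain, and the public relay IPs in the Received chain. This is an added example, not code from anyone in the thread; the header block is constructed from the lines quoted above, with a placeholder From address and the signature values truncated.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header lines quoted in the thread, reassembled into one
# RFC 5322 header block. The From address is a placeholder (the message only
# shows the sender's name and header.from domain); bh= and b= are truncated.
RAW = """\
Received: from mx-east-ic.fbi.gov ([153.31.119.142])
Received: from unknown (HELO HQV2-UEMBX-401.fbi.gov) ([10.93.22.26])
  by mx-east-ic.fbi.gov with ESMTP; 18 Sep 2020 14:21:58 -0400
Received: from hqv2-uembx-402.FBI.GOV (10.90.70.12) by hqv2-uembx-401.FBI.GOV
  (10.90.70.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
  smtp.mailfrom=fbi.gov; dmarc=pass action=none header.from=fbi.gov;
  dkim=pass header.d=fbi.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=dojfbi.onmicrosoft.com; s=selector1-dojfbi-onmicrosoft-com;
  h=From:Date:Subject; bh=...; b=...
From: "AS Jennifer L. Isom" <placeholder@fbi.gov>

"""

def auth_verdicts(raw):
    """Return {method: result} from Authentication-Results (ARC- as fallback)."""
    msg = message_from_string(raw)
    hdr = msg.get("Authentication-Results") or msg.get("ARC-Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc|arc)=(\w+)", hdr))

def dkim_signing_domains(raw):
    """The d= tag of every DKIM-Signature header present."""
    sigs = message_from_string(raw).get_all("DKIM-Signature", [])
    return [m.group(1) for m in (re.search(r"\bd=([^;\s]+)", s) for s in sigs) if m]

def from_domain(raw):
    addr = parseaddr(message_from_string(raw)["From"])[1]
    return addr.rsplit("@", 1)[-1].lower()

def relaxed_aligned(signing_domain, from_dom):
    """Approximate DMARC relaxed alignment: equal, or one a subdomain of the other."""
    s, f = signing_domain.lower(), from_dom.lower()
    return s == f or s.endswith("." + f) or f.endswith("." + s)

def external_hops(raw):
    """Public IPv4 addresses in the Received chain, topmost (nearest us) first."""
    ips = []
    for rcv in message_from_string(raw).get_all("Received", []):
        for cand in re.findall(r"(\d{1,3}(?:\.\d{1,3}){3})", rcv):
            if ipaddress.ip_address(cand).is_global:
                ips.append(cand)
    return ips

if __name__ == "__main__":
    print(auth_verdicts(RAW), dkim_signing_domains(RAW), external_hops(RAW))
```

Here the visible DKIM signature is the tenant's dojfbi.onmicrosoft.com one, which does not align with fbi.gov, while the verdict header claims a pass for header.d=fbi.gov; authentication verdicts are only trustworthy when stamped by your own receiving MTA, since any header below that point was written on the sending side.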