Is this spam?

Craig234

Lifer
May 1, 2006
38,548
350
126
I got the usual 'suspicious activity, verify your account' phishing e-mail. But this one had the green 'trusted sender' banner on it I haven't seen on spam before.

But then again, why couldn't they copy that banner on spam?

So I looked at the headers and it seems more legit than spam usually. I think it's still spam, but what's the indication to check for?

Received: from SN1NAM04HT204.eop-NAM04.prod.protection.outlook.com
(10.160.24.39) by DM5PR2001MB1737.namprd20.prod.outlook.com with HTTPS via
BLUPR07CA084.NAMPRD07.PROD.OUTLOOK.COM; Wed, 22 Feb 2017 05:25:27 +0000
Received: from SN1NAM04FT046.eop-NAM04.prod.protection.outlook.com
(10.152.88.58) by SN1NAM04HT204.eop-NAM04.prod.protection.outlook.com
(10.152.89.69) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.10; Wed, 22
Feb 2017 05:25:26 +0000
Authentication-Results: spf=pass (sender IP is 65.54.190.19)
smtp.mailfrom=account.microsoft.com; hotmail.com; dkim=none (message not
signed) header.d=none;hotmail.com; dmarc=pass action=none
header.from=account.microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of account.microsoft.com
designates 65.54.190.19 as permitted sender) receiver=protection.outlook.com;
client-ip=65.54.190.19; helo= BAY004-OMC1S8.hotmail.com;
Received: from BAY004-MC3F52.hotmail.com (10.152.88.54) by
SN1NAM04FT046.mail.protection.outlook.com (10.152.89.118) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
15.1.919.10 via Frontend Transport; Wed, 22 Feb 2017 05:25:26 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:EC3F2CA9BBD223FB154B6BCF0C5973E9E91B5CD0E7187C787ABF4F8559DE4F7E;UpperCasedChecksum:50F54F307397634D4A0FB5689D7FCFEDE9A2934525F0ABCF8D30C88BC85A0015;SizeAsReceived:1359;Count:16
Received: from BAY004-OMC1S8.hotmail.com ([65.54.190.19]) by BAY004-MC3F52.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
Tue, 21 Feb 2017 21:24:35 -0800
Received: from BN3SCH030020321 ([65.54.190.59]) by BAY004-OMC1S8.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
Tue, 21 Feb 2017 21:24:35 -0800
X-Message-Routing: sKFde7CS5BHygFZaC4gFZWeHmOM+Rjf1iOmv8meDbQqeD+9kHFgbAflrz5UYy6v/Ov/vRliTx0hzi7ScTgwYCoH5DCukffJ5UA9VPHW6w/UPPsBp46jf+a89V725Y4BfAGQlMYGdqAyr+BBsENUNu6hm04g==
Return-Path: account-security-noreply@account.microsoft.com
From: Microsoft account team <account-security-noreply@account.microsoft.com>
To: <>
Date: Tue, 21 Feb 2017 21:24:34 -0800
Subject: Microsoft account unusual sign-in activity
X-MSAPipeline: MessageDispatcher
Message-ID: <3JG2AW2TL0U4.ZUV66LB2RSDC2@BN3SCH030020321>
X-MSAMetaData: =?us-ascii?q?DWnWzvMbo5mqsC9rvsm4wDCYlNcJLDJXZSI4CfKfTmtnxQvjJa!Yl4Z*hr!J2?=
=?us-ascii?q?sAH!hwmVHaFfoR5tZn*OWJM3vhO*A5yfvSTWct0DyhXHxmtc68RgNc2tRxwYs?=
=?us-ascii?q?egSWe7rw$$?=
Content-Type: multipart/alternative; boundary="=-2XHQkboavEX/HhSEvfLa1g=="
X-OriginalArrivalTime: 22 Feb 2017 05:24:35.0345 (UTC) FILETIME=[F4619010:01D28CCB]
X-IncomingHeaderCount: 16
X-MS-Exchange-Organization-Network-Message-Id: b48c916f-53af-4010-5be1-08d45ae3355e
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
CMM-sender-ip: 65.54.190.19
CMM-sending-ip: 65.54.190.19
CMM-Authentication-Results: hotmail.com; spf=pass (sender IP is 65.54.190.19;
identity alignment result is pass and alignment mode is relaxed)
smtp.mailfrom=account-security-noreply@account.microsoft.com; dkim=none
(identity alignment result is pass and alignment mode is relaxed)
header.d=account.microsoft.com; x-hmca=pass
header.id=account-security-noreply@account.microsoft.com
CMM-X-SID-PRA: account-security-noreply@account.microsoft.com
CMM-X-AUTH-Result: PASS
CMM-X-SID-Result: PASS
CMM-X-Message-Status: n:n
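The header check the thread is circling around can be made mechanical. This is an added example (not code from any poster): it parses the receiver's Authentication-Results header and applies DMARC's alignment rule, i.e. SPF or DKIM must pass *and* the authenticated domain must match the From: domain. The first sample is abridged from the headers quoted above; the second is constructed (example.net, a TEST-NET-1 address) to show what a misaligned message looks like. Note that the original "sender ID" (x-hmca/CMM-*) results are hotmail-specific and are ignored here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the headers quoted in the post above (continuation lines re-indented).
LEGIT_MSG = """\
Authentication-Results: spf=pass (sender IP is 65.54.190.19)
 smtp.mailfrom=account.microsoft.com; hotmail.com; dkim=none (message not
 signed) header.d=none;hotmail.com; dmarc=pass action=none
 header.from=account.microsoft.com;
From: Microsoft account team <account-security-noreply@account.microsoft.com>
"""

# Constructed counter-example: identical From:, but the envelope sender is an unrelated
# domain (example.net, TEST-NET-1 address) and the receiver's DMARC check failed.
MISALIGNED_MSG = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=bounce.example.net; dkim=none (message not signed)
 header.d=none; dmarc=fail action=none header.from=account.microsoft.com;
From: Microsoft account team <account-security-noreply@account.microsoft.com>
"""

def org_domain(domain):
    """Approximate organizational domain (last two labels); real DMARC uses the PSL."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def parse_auth_results(value):
    """Extract method=result pairs and identity properties, dropping (comments)."""
    value = re.sub(r"\([^)]*\)", " ", value)
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    props = dict(re.findall(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)", value))
    return results, props

def assess(raw_message):
    """Report whether SPF/DKIM passed and align with the From: domain (DMARC's rule).
    Only trust an Authentication-Results header added by your own receiving server."""
    msg = message_from_string(raw_message)
    results, props = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mailfrom_domain = props.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    spf_aligned = results.get("spf") == "pass" and org_domain(mailfrom_domain) == org_domain(from_domain)
    dkim_aligned = results.get("dkim") == "pass" and org_domain(props.get("header.d", "")) == org_domain(from_domain)
    return {
        "dmarc": results.get("dmarc", "none"),
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "authenticated": results.get("dmarc") == "pass" and (spf_aligned or dkim_aligned),
    }
```

Anything in the rendered body, including a green "trusted sender" banner, is untouched by this check; only the receiver-added header carries weight.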

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
239
106
Difficult to say for sure. Recently a new source has opened up based on Outlook and Word. It is onmicrosoft.com. I consider anything linked to that URL to be spam - some of it outrageous.

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
239
106
If you don't want it, treat it as spam. I use Mailwasher Pro and see all email before any download takes place. Most of the time I zap 9 and download 1. No mail comes to my PC without being inspected at the POP server.

Elixer

Lifer
May 7, 2002
10,371
762
126
When hotmail/outlook send those kinds of e-mails, on their site, they will list the IPs of the last X number of logins.
Assuming you aren't using a VPN, then, you can see if those IPs match your IP range.

If you have authenticator turned on (and you should), you can ignore those kinds of mails.

Mike64

Platinum Member
Apr 22, 2011
2,108
101
91
It's concerning if there's nothing clear in the spam to confirm it is.
I guess it's a little disturbing from a "technical" standpoint, but no matter how sophisticated a phishing email might look, if you simply make a habit of never navigating to a sensitive account from an emailed link, it won't be a problem. If you get what seems like it might be a legit account warning/notice, go to the relevant website yourself from a bookmark or typed URL and log in to check, or if you have any reason to think their system or your computer/Internet account could have been compromised, call them directly (at a verified phone number - obviously?) and ask them directly. If a company sends you an email warning, they'll have a record of it or at least the problem...

Craig234

Lifer
May 1, 2006
38,548
350
126
I guess it's a little disturbing from a "technical" standpoint, but no matter how sophisticated a phishing email might look, if you simply make a habit of never navigating to a sensitive account from an emailed link, it won't be a problem. If you get what seems like it might be a legit account warning/notice, go to the relevant website yourself from a bookmark or typed URL and log in to check, or if you have any reason to think their system or your computer/Internet account could have been compromised, call them directly (at a verified phone number - obviously?) and ask them directly. If a company sends you an email warning, they'll have a record of it or at least the problem...

Right, this is less a concern about my clicking the link than the topic of how to confirm from the e-mail whether it's spam. Some that clearly appear to be spam have that nice little green 'trusted sender' banner at the top that I think might fool many people and I'm not sure how that wouldn't be easy to fake, unlike the little padlock in the URL box.

Mike64

Platinum Member
Apr 22, 2011
2,108
101
91
Right, this is less a concern about my clicking the link than the topic of how to confirm from the e-mail whether it's spam. Some that clearly appear to be spam have that nice little green 'trusted sender' banner at the top that I think might fool many people and I'm not sure how that wouldn't be easy to fake, unlike the little padlock in the URL box.
Well, just looking at the "face" of the emails, I've seen a couple of phishing emails well-crafted enough to actually surprise me. But so far, anyway, the "from" addressing/routing in the full header has always been a dead giveaway. Ultimately, I don't know that there's any practical way to actually guarantee that any email is legitimate from within the email/IP protocol schemes themselves. And I'm not at all sure that stuff like "trusted sender" banners is actually all that helpful, unless it were a function of the email reader and appears somewhere outside the email "container" altogether (analogous to the https padlock icon you mention), since it could just end up lulling people into a false sense of security, especially after a given "authentication" method has been around for a while and nefarious hackers have had plenty of time to find its weaknesses (and of course there are always weaknesses...). Ultimately, pretty much anything in the "readily visible" portion of the email itself can be spoofed one way or another.