I got the usual 'suspicious activity, verify your account' phishing e-mail. But this one had the green 'trusted sender' banner on it, which I haven't seen on spam before.
But then again, why couldn't they copy that banner on spam?
So I looked at the headers and it seems more legit than spam usually does. I think it's still spam, but what's the indication to check for?
Received: from SN1NAM04HT204.eop-NAM04.prod.protection.outlook.com
(10.160.24.39) by DM5PR2001MB1737.namprd20.prod.outlook.com with HTTPS via
BLUPR07CA084.NAMPRD07.PROD.OUTLOOK.COM; Wed, 22 Feb 2017 05:25:27 +0000
Received: from SN1NAM04FT046.eop-NAM04.prod.protection.outlook.com
(10.152.88.58) by SN1NAM04HT204.eop-NAM04.prod.protection.outlook.com
(10.152.89.69) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.10; Wed, 22
Feb 2017 05:25:26 +0000
Authentication-Results: spf=pass (sender IP is 65.54.190.19)
smtp.mailfrom=account.microsoft.com; hotmail.com; dkim=none (message not
signed) header.d=none;hotmail.com; dmarc=pass action=none
header.from=account.microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of account.microsoft.com
designates 65.54.190.19 as permitted sender) receiver=protection.outlook.com;
client-ip=65.54.190.19; helo= BAY004-OMC1S8.hotmail.com;
Received: from BAY004-MC3F52.hotmail.com (10.152.88.54) by
SN1NAM04FT046.mail.protection.outlook.com (10.152.89.118) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
15.1.919.10 via Frontend Transport; Wed, 22 Feb 2017 05:25:26 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:EC3F2CA9BBD223FB154B6BCF0C5973E9E91B5CD0E7187C787ABF4F8559DE4F7E;UpperCasedChecksum:50F54F307397634D4A0FB5689D7FCFEDE9A2934525F0ABCF8D30C88BC85A0015;SizeAsReceived:1359;Count:16
Received: from BAY004-OMC1S8.hotmail.com ([65.54.190.19]) by BAY004-MC3F52.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
Tue, 21 Feb 2017 21:24:35 -0800
Received: from BN3SCH030020321 ([65.54.190.59]) by BAY004-OMC1S8.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
Tue, 21 Feb 2017 21:24:35 -0800
X-Message-Routing: sKFde7CS5BHygFZaC4gFZWeHmOM+Rjf1iOmv8meDbQqeD+9kHFgbAflrz5UYy6v/Ov/vRliTx0hzi7ScTgwYCoH5DCukffJ5UA9VPHW6w/UPPsBp46jf+a89V725Y4BfAGQlMYGdqAyr+BBsENUNu6hm04g==
Return-Path: account-security-noreply@account.microsoft.com
From: Microsoft account team <account-security-noreply@account.microsoft.com>
To: <>
Date: Tue, 21 Feb 2017 21:24:34 -0800
Subject: Microsoft account unusual sign-in activity
X-MSAPipeline: MessageDispatcher
Message-ID: <3JG2AW2TL0U4.ZUV66LB2RSDC2@BN3SCH030020321>
X-MSAMetaData: =?us-ascii?q?DWnWzvMbo5mqsC9rvsm4wDCYlNcJLDJXZSI4CfKfTmtnxQvjJa!Yl4Z*hr!J2?=
=?us-ascii?q?sAH!hwmVHaFfoR5tZn*OWJM3vhO*A5yfvSTWct0DyhXHxmtc68RgNc2tRxwYs?=
=?us-ascii?q?egSWe7rw$$?=
Content-Type: multipart/alternative; boundary="=-2XHQkboavEX/HhSEvfLa1g=="
X-OriginalArrivalTime: 22 Feb 2017 05:24:35.0345 (UTC) FILETIME=[F4619010:01D28CCB]
X-IncomingHeaderCount: 16
X-MS-Exchange-Organization-Network-Message-Id: b48c916f-53af-4010-5be1-08d45ae3355e
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
CMM-sender-ip: 65.54.190.19
CMM-sending-ip: 65.54.190.19
CMM-Authentication-Results: hotmail.com; spf=pass (sender IP is 65.54.190.19;
identity alignment result is pass and alignment mode is relaxed)
smtp.mailfrom=account-security-noreply@account.microsoft.com; dkim=none
(identity alignment result is pass and alignment mode is relaxed)
header.d=account.microsoft.com; x-hmca=pass
header.id=account-security-noreply@account.microsoft.com
CMM-X-SID-PRA: account-security-noreply@account.microsoft.com
CMM-X-AUTH-Result: PASS
CMM-X-SID-Result: PASS
CMM-X-Message-Status: n:n
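
Added example (not part of the original post, and not Microsoft's code): a Python check that reads the topmost Authentication-Results header of the message quoted above and tests whether the SPF and DMARC results actually cover the visible From domain. LOOKALIKE_MSG is a constructed sample, and `aligned()` is a simplified parent/child match rather than a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the message quoted above; continuation lines are
# re-indented so they parse as folded headers.
PAGE_MSG = """\
Authentication-Results: spf=pass (sender IP is 65.54.190.19)
 smtp.mailfrom=account.microsoft.com; hotmail.com; dkim=none (message not
 signed) header.d=none;hotmail.com; dmarc=pass action=none
 header.from=account.microsoft.com;
Return-Path: account-security-noreply@account.microsoft.com
From: Microsoft account team <account-security-noreply@account.microsoft.com>

"""

# Constructed lookalike (not from the page): same display name, SPF passes
# for an unrelated envelope domain, no DMARC result for the From domain.
LOOKALIKE_MSG = """\
Authentication-Results: spf=pass smtp.mailfrom=bulk.example; dkim=none
 header.d=none; dmarc=none header.from=account-microsoft.example;
From: Microsoft account team <security@account-microsoft.example>

"""

def domain(value):
    """Return the lower-cased domain part of an address or bare domain."""
    return value.rsplit("@", 1)[-1].strip("<>").lower()

def aligned(a, b):
    # Simplification (assumption): exact or parent/child match only.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def auth_summary(raw):
    msg = message_from_string(raw)
    # Topmost Authentication-Results is the one added last, by the receiver.
    ar = " ".join((msg.get("Authentication-Results") or "").split())
    ar = re.sub(r"\([^)]*\)", "", ar)  # drop parenthesised comments
    out = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    props = dict(re.findall(r"\b(smtp\.mailfrom|header\.from)=([^\s;]+)", ar))
    from_dom = domain(parseaddr(msg.get("From", ""))[1])
    out["from_domain"] = from_dom
    out["spf_aligned"] = (out.get("spf") == "pass" and
                          aligned(domain(props.get("smtp.mailfrom", "")), from_dom))
    out["dmarc_covers_from"] = (out.get("dmarc") == "pass" and
                                domain(props.get("header.from", "")) == from_dom)
    return out
```

Only an Authentication-Results header stamped by your own receiving provider counts; one that arrived with the message can be written by the sender.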