Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Potential Phish You've got a money request.msg

Overview

General Information

Sample name:	Potential Phish You've got a money request.msg
Analysis ID:	1467206
MD5:	41500f64419de80eac26fd857b880c94
SHA1:	fe73c7ade9233ce9a00758c7bf2142abdc5bb5fd
SHA256:	d0b1d918b8b170225a54ba7a9143f00af13f9d0cb6a8f4c3f0fccae494c507c0
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

×

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 5408 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Potential Phish You've got a money request.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 2648 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3303C4FD-6329-4331-8D0C-933892C5C58B" "AFD87D58-9C78-4025-97EA-3E5DB17428DF" "5408" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5408, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: classification engine

Classification label: clean1.winMSG@3/7@0/56

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240703T1506300945-5408.etl

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Potential Phish You've got a money request.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3303C4FD-6329-4331-8D0C-933892C5C58B" "AFD87D58-9C78-4025-97EA-3E5DB17428DF" "5408" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3303C4FD-6329-4331-8D0C-933892C5C58B" "AFD87D58-9C78-4025-97EA-3E5DB17428DF" "5408" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.19.126.160	unknown	European Union		16625	AKAMAI-ASUS	false
20.189.173.18	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.89.19	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
184.28.90.27	unknown	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467206
Start date and time:	2024-07-03 21:05:39 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Potential Phish You've got a money request.msg
Detection:	CLEAN
Classification:	clean1.winMSG@3/7@0/56
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.166.126.56
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Potential Phish You've got a money request.msg

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.3825328511681
Encrypted:	false
SSDEEP:
MD5:	A1A4E3216E701E6FBABA2D47D5484CF3
SHA1:	F9033EF3F108116F5CA896E044FFC49691C09411
SHA-256:	93E951D18436EC8490265373E85EB94AA79A564D9F65969C1CED5C35084B26EA
SHA-512:	2F260447004B41311582CABFF7D40701B41D158AA9A41EF024A9415DBC3FF2063F838FF71C7D1AFC578D2D12DB29E3E5345DCCA2A9B6001799A0BCEDFDF4AF82
Malicious:	false
Reputation:	unknown
Preview:	TH02...... .@...\|.......SM01X...,...p...\|...........IPM.Activity...........h...............h............H..h<........v.R...h........`...H..h\cal ...pDat...h8...0..........h.q.9...........h........_`Rk...h6r.9@...I.lw...h....H...8.Wk...0....T...............d.........2h...............k..............!h.............. h.#............#h....8.........$h`.......8....."hp.......P.....'h..............1h.q.9<.........0h....4....Wk../h....h.....WkH..hX...p...<.....-h ............+hrp.9....0................... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	JSON data
Category:	dropped
Size (bytes):	521377
Entropy (8bit):	4.9084889265453135
Encrypted:	false
SSDEEP:
MD5:	C37972CBD8748E2CA6DA205839B16444
SHA1:	9834B46ACF560146DD7EE9086DB6019FBAC13B4E
SHA-256:	D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
SHA-512:	02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
Malicious:	false
Reputation:	unknown
Preview:	{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
Category:	dropped
Size (bytes):	773040
Entropy (8bit):	6.55939673749297
Encrypted:	false
SSDEEP:
MD5:	4296A064B917926682E7EED650D4A745
SHA1:	3953A6AA9100F652A6CA533C2E05895E52343718
SHA-256:	E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
SHA-512:	A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
Malicious:	false
Reputation:	unknown
Preview:	........... OS/29....(...`cmap.s.,.......pglyf..&....\|....head2..........6hheaE.@v.......$hmtx...........@loca.U.....8...Dmaxp........... name.P+........post...<...... .........b~1_.<...........<......r......Aa...................Q....Aa....Aa.........................~...................................................3..............................MS .@.......(...Q................. ...........d...........0...J.......8.......>..........+a..#...,................................................/...K.......z...............N.........!...-...+........z.......h..%^..3...&j..+...+%..'R..+..."....................k......$A...,.......g...&...=.......X..&..............&....B..(B...............#.......j...............+...P...5...@...)..........#...)Q..................{.. ....?..'...#....N...7......<...;>.............. ]...........5......#....s.......$.......$.......^..................+...>....H.......%...7.......6.......O...V...........K......"........c...N......!...............$...&...p..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	322260
Entropy (8bit):	4.000299760592446
Encrypted:	false
SSDEEP:
MD5:	CC90D669144261B198DEAD45AA266572
SHA1:	EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256:	89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512:	16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious:	false
Reputation:	unknown
Preview:	51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:76bd602437550e98c9043d06a55186ab7d95dea5a0e935a599f73e62a8c9b158e0afcb19351f6c353940c06a38172b94d18c02cf92bb8a80184eccca0392b259ab3e71dae73e491c7941997cb36ad4a198661f622dad478d840f66d530a0dde78acea3367f91fff62fbb3dc18faff0c708ad30edef5bea8b22c5fd782b770d8993386eaa784fd19a3c3e1db3b537b1a94d3d4fbd46f8df8fddf6d16611969fe0a97c50e0f3ac24750c93257cf5c161184aa7385800c87d803b339632a3d8ec7fe17a0afd83ce9e9d0e3f7b8d579637928a811f1f7e6d1887df2ddc7d4f752c4d600235e426c92c7bf8a1362f95457998cc0e5d4261f0efa4fada0f866dbcefb407dacab7a2914e91c2f08200f38c2d9d621962145b1464b0f204b326118a53ecdcab22bff005fdd5257c99a6dc51ac0600a49f2ef782396987e78c08b846dad5db55e8ccefffc64863bc2c3e90b95a09d25d0814a848c98fe01a82d4e30e6682dd546e12c45ca0d280a45295ab4bd632dafb070edfdc3c9e38313d5aeb195972986f8011b66817028fd8c78b67a0ac7e780eecc3fb6a31f5a025b8a9a3db278a98c0696aeaac739b18688b0f9c7d751bba02cc5f4e41853fb119b3c0c915059aaa92971244a1989124f12881ca88e6410df70b793a2c3a736ff4

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.9219280948873623
Encrypted:	false
SSDEEP:
MD5:	F13207BE2223E7BCAAB0D93371CCBF0C
SHA1:	998324AC5D980ACCD37A5B32982D6E0FA69E76C0
SHA-256:	DA26E0C9A70A9C06319622E506DB908052166C2DDAFB6523FFD8707E8282F665
SHA-512:	AAED0D9D441005DED491A327114EC64499E8269CE303F9971ECBC10685A3B84FDF0D8B15417AEF8AA4CB413AE009C329246679BB08476F5FCFF693B1C0CA4EE2
Malicious:	false
Reputation:	unknown
Preview:	1720033594

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	4616
Entropy (8bit):	0.1384465837476566
Encrypted:	false
SSDEEP:
MD5:	8C6D86C1C78F4BAB1F1132AB21A8A792
SHA1:	9F63072F3EBE007CA58CAB2E8F7A1D35363C9E23
SHA-256:	6EA062F8856E91D78F19AA3AA2D449C1F524F83EF1C81A9E7E7674D51AF47260
SHA-512:	9FB96FF7621CEC2BD1657FA50FBF87C06E1E7175261CA6281FEDEF5A27B94DEE7B0743DF4B03874EEE29201CE54C712843778D96B53DDE572616A1DFA08EFAA2
Malicious:	false
Reputation:	unknown
Preview:	.... .c........u....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..........................................................................K.................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:
MD5:	46A8103D2C050F6EB86ECDFF85C9CCD7
SHA1:	72BE00E191DFD4FE7837399C599523BFF188690B
SHA-256:	EE21E58FF152A68ADCF2E9A36138A3AC93529E2F7078A6332811FE46A0138876
SHA-512:	BDAA4F4491AFDAB6F766D66DCB59945401317DCB6F43EC50AF130D2811C0BAB9DE24541AAF8885A062BA74FC79F9DADE7B1862D91094FDA591A67BBE1C7FE667
Malicious:	false
Reputation:	unknown
Preview:	....N(........................

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	5.535197476342192
TrID:	Outlook Message (71009/1) 58.92% Outlook Form Template (41509/1) 34.44% Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:	Potential Phish You've got a money request.msg
File size:	203'776 bytes
MD5:	41500f64419de80eac26fd857b880c94
SHA1:	fe73c7ade9233ce9a00758c7bf2142abdc5bb5fd
SHA256:	d0b1d918b8b170225a54ba7a9143f00af13f9d0cb6a8f4c3f0fccae494c507c0
SHA512:	a8da605ee092fdcdf49bef182b5f235b1804fa80a1df565e43e3131087c614f675cf4c6a2b182b382617d83aec9d63367aa3072a98104ebf87791e6296f6f784
SSDEEP:	3072:A8MolBONHseUbt6gM3Ld/Ovs83LIshbMr+K3Hxwi:t3lcNHseUbQJMIs1Mr+KXxf
TLSH:	7B14B51026EA0615F1B39B759EF2A592DA677C42AE30CA8D319C730E4773D41AC61F3B
File Content Preview:	........................>.......................................................\......._......................................................................................................................................................................

Static Mail

General

Subject:	Potential Phish: You've got a money request
From:	Lauren T Haynes <Lauren.Haynes@myLRH.org>
To:	IT Tech Sec <ITTEchSec@myLRH.org>
Cc:
BCC:
Date:	Wed, 03 Jul 2024 19:08:14 +0200
Communications:	---------- Begin Email Headers ---------- Received: from PRDPWCEXCH04.lrmcad.lrmcnet.com (172.23.129.68) by PRDPWCEXCH02.lrmcad.lrmcnet.com (172.23.129.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11 via Mailbox Transport; Wed, 3 Jul 2024 12:15:45 -0400 Received: from PRDPWCEXCH03.lrmcad.lrmcnet.com (172.23.129.67) by PRDPWCEXCH04.lrmcad.lrmcnet.com (172.23.129.68) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Wed, 3 Jul 2024 12:15:44 -0400 Received: from mx0a-00024d01.pphosted.com (192.168.244.21) by PRDPWCEXCH03.lrmcad.lrmcnet.com (172.23.129.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11 via Frontend Transport; Wed, 3 Jul 2024 12:15:44 -0400 Received: from pps.filterd (m0307739.ppops.net [127.0.0.1]) by mx0a-00024d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 463DYr92029806 for <lauren.borelli@mylrh.org>; Wed, 3 Jul 2024 12:15:43 -0400 Authentication-Results: ppops.net; spf=pass smtp.mailfrom=bounces+SRS=Ll7mo=OD@BrownKellyAssociates.onmicrosoft.com; dkim=pass header.s=default header.d=donotreplymaster.com; dkim=pass header.s=pp-dkim1 header.d=paypal.com; dmarc=pass header.from=paypal.com Received: from eur05-db8-obe.outbound.protection.outlook.com (mail-db8eur05on2102.outbound.protection.outlook.com [40.107.20.102]) by mx0a-00024d01.pphosted.com (PPS) with ESMTPS id 4032xc2vk8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <lauren.borelli@mylrh.org>; Wed, 03 Jul 2024 12:15:42 -0400 (EDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZS2bZzfJ5hTWAzP+jteJvymTU2Pvf9mS8w6oHq2csOlMw4ld42lnLtzgrmohuFOFVTq4WgwoiKcuhxjAvjlC0XOFgmGv7EDkHZwywg9MciwwAaD3XeR3GGsh8dEio6QHDijfO24JjpSa4cjT6nMX6NjVFep+g1vHsADmQmsTmqJ1pjRkntoBrUjd+VnPsn6ZoeHqf8Wl1/yQVgNQ1eUTw5URSYjP83Bhpog0hdpIwAE6/4odfCz/U/GVip9o7Pb+zIH/WzogZ/DMq+akIMoDFsIJiu1yRfd47IluRsqbPN+L5WBeXHhOwZztI41USyxy6Wbb81c+Rzm0CZ5f267rxQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=IxAF//CyY/7iV12CSC3ntOn693UJo2Z0nw41pI+gxRQ=; b=CfcOB4BUQCvHj4zhqxonRyQUIQJB1aeBeb89SnQ5VymnnPMuzsrcJBtPUaTnq7UxyEJUOmJkdltm+h9RjxgVAF/Sb1sPXBrSUnAFV2jj340w3H5iys70rO61U6AkiNVrAeaBg+9L2iN8scnXSHQxJxIiuidheiU0Y9DUQ8F/TLiTl0Hutzeg2ZhTle61zBpB492+a+UmlFV9Q3GAPn9zk2Le9P7sgKboxSs1CAN5NNYGeV7JDCK5usiK6reqdEhuxZd4kTk9N3NbqqgjHtiWjohwh3n+BdSMw3CS81/90wdhQPEF6riPui5uA9pB8MKc/+34TimokdmbFG5LfTjxNw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 203.161.63.153) smtp.rcpttodomain=brownkellyassociates.onmicrosoft.com smtp.mailfrom=donotreplymaster.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=paypal.com; dkim=pass (signature was verified) header.d=donotreplymaster.com; dkim=pass (signature was verified) header.d=paypal.com; arc=none (0) Received: from PA4PR07MB8622.eurprd07.prod.outlook.com (2603:10a6:102:270::22) by DU2PR07MB8332.eurprd07.prod.outlook.com (2603:10a6:10:2e7::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7741.25; Wed, 3 Jul 2024 16:15:35 +0000 Received: from VI1PR07MB4829.eurprd07.prod.outlook.com (2603:10a6:803:ad::21) by PA4PR07MB8622.eurprd07.prod.outlook.com (2603:10a6:102:270::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7741.21; Wed, 3 Jul 2024 16:15:14 +0000 Received: from VI1PR07MB4829.eurprd07.prod.outlook.com ([fe80::bafb:f2a0:1d53:bba4]) by VI1PR07MB4829.eurprd07.prod.outlook.com ([fe80::bafb:f2a0:1d53:bba4%5]) with mapi id 15.20.7741.011; Wed, 3 Jul 2024 16:15:14 +0000 Received: from DB3PR08CA0018.eurprd08.prod.outlook.com (2603:10a6:8::31) by DBBPR07MB7515.eurprd07.prod.outlook.com (2603:10a6:10:1e0::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7741.23; Wed, 3 Jul 2024 16:14:54 +0000 Received: from DB1PEPF000509E3.eurprd03.prod.outlook.com (2603:10a6:8:0:cafe::40) by DB3PR08CA0018.outlook.office365.com (2603:10a6:8::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7741.25 via Frontend Transport; Wed, 3 Jul 2024 16:14:54 +0000 Received-SPF: Pass (protection.outlook.com: domain of donotreplymaster.com designates 203.161.63.153 as permitted sender) receiver=protection.outlook.com; client-ip=203.161.63.153; helo=server1.donotreplymaster.com; pr=C Received: from server1.donotreplymaster.com (203.161.63.153) by DB1PEPF000509E3.mail.protection.outlook.com (10.167.242.53) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7677.15 via Frontend Transport; Wed, 3 Jul 2024 16:14:52 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=donotreplymaster.com; s=default; h=MIME-Version:From:To:Subject:Message-ID: Date:Content-Type:Content-Transfer-Encoding:Resent-Message-ID:Resent-Date: Resent-To:Resent-From:Sender:Reply-To:Cc:Content-ID:Content-Description: Resent-Sender:Resent-Cc:In-Reply-To:References:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=IxAF//CyY/7iV12CSC3ntOn693UJo2Z0nw41pI+gxRQ=; b=eULW+G5jmDkDQspYKY+EVgywNk InnU+Z/ToCS6g9NcNrU8cu8LHmyHRs0NVVJ38BmAxvnhNe8G+fidyPAfvAvOy63n0/dkXT0eYV6fm 3Dz8BTWJRk/2ipWzlyhBhBEdpolPA4NErAZUiYUFCgo89FxG9K9bZcax3Y9tYM+OnMMKjKikIxSaZ jWnMDO/FG7VdZcBi99rHo7H1M1FD2f1rlnliTfGST30Xha+JEBvhVKzB0szKDfd3PHhxj03Vkw/si jFM/oPfjFJl4kIhjmC4m5tXdO378H6POu7V1UvbqwAGcBzTJ6PC2nVwaYDC3YbzJXJlTACJs+SMPm syht6t0A==; Received: from [::1] (port=35414 helo=server1.donotreplymaster.com) by server1.donotreplymaster.com with esmtpa (Exim 4.97.1) (envelope-from <noreply123@donotreplymaster.com>) id 1sOysq-00000000YD6-2Oyj for Noreply@BrownKellyAssociates.onmicrosoft.com; Wed, 03 Jul 2024 16:14:49 +0000 Resent-From: noreply123@donotreplymaster.com Resent-To: undisclosed-recipients:; Resent-Date: Wed, 03 Jul 2024 16:14:49 +0000 Resent-Message-ID: <5acdfcb1453407bbc5471949f6da94a4@donotreplymaster.com> Delivered-To: noreply123@donotreplymaster.com Received: from server1.donotreplymaster.com by server1.donotreplymaster.com with LMTP id YDO8BVJchWZR1gEAdqgokg (envelope-from <service@paypal.com>) for <noreply123@donotreplymaster.com>; Wed, 03 Jul 2024 14:12:34 +0000 Received: from mx5.phx.paypal.com ([66.211.170.85]:55189) by server1.donotreplymaster.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.97.1) (envelope-from <service@paypal.com>) id 1sOwyS-00000000VLA-1wMW for noreply123@donotreplymaster.com; Wed, 03 Jul 2024 14:12:34 +0000 DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed; q=dns/txt; i=@paypal.com; t=1720015909; h=From:From:Subject:Date:To:MIME-Version:Content-Type; bh=IxAF//CyY/7iV12CSC3ntOn693UJo2Z0nw41pI+gxRQ=; b=o1T/R8W3UDOgEApPgrOE+KmGTpwHhfvLYuxnHdzhU0ITGCXoMQbz+OEpnx9MydVF NAdCJ+99kJRKwMYpiCyqlaOz7yg9YftX0sD4fc7FqnogJAbfsol6fk83k7xc0k0e MjpR9NP+RNIxzpR9rS1XERAWK+fbIJfqEfrhGWaYeXTllZ3krDJx7WTC3iMoibu3 3JyZnhkM6KHrVuq5F8nDHypE8xWFo1eHaIXCJTnahYFETl6P420xKK0PA0ojAIvh Bzl7E5Gib3JVHKAdD6DM5TTtH0wJWfJ3CoU5S74tPs+ffHdXuhF0ArACF/QsXGnY 2lUrpj09d1rhEE7/t1Edmw==; Date: Wed, 03 Jul 2024 07:11:49 -0700 Message-ID: <A9.E4.04374.52C55866@ccg01mail01> X-PP-REQUESTED-TIME: 1720015902910 X-PP-Email-transmission-Id: 2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d PP-Correlation-Id: f801159cd6a88 Subject: You've got a money request X-MaxCode-Template: PPC001017 To: <noreply123@donotreplymaster.com> From: "service@paypal.com" <service@paypal.com> X-Email-Type-Id: PPC001017 X-PP-Priority: 0-none-false AMQ-Delivery-Message-Id: nullval X-XPT-XSL-Name: nullval X-Spam-Status: No, score=-7.1 X-Spam-Score: -70 X-Spam-Bar: ------- X-Ham-Report: Spam detection software, running on the system "server1.donotreplymaster.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details. Content preview: You've got a money request noreply123@donotreplymaster. com, here are the request details. Hello, noreply123@donotreplymaster. com Tonya Lambert sent you a money request Content analysis details: (-7.1 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [66.211.170.85 listed in sa-trusted.bondedsender.org] 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 0.5 KAM_REALLYHUGEIMGSRC RAW: Spam with image tags with ridiculously huge http urls 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.0 LOTS_OF_MONEY Huge... sums of money -0.0 DKIMWL_WL_HIGH DKIMwl.org - High trust sender X-Spam-Flag: NO X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - server1.donotreplymaster.com X-AntiAbuse: Original Domain - brownkellyassociates.onmicrosoft.com X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - donotreplymaster.com X-Get-Message-Sender-Via: server1.donotreplymaster.com: authenticated_id: noreply123@donotreplymaster.com X-Authenticated-Sender: server1.donotreplymaster.com: noreply123@donotreplymaster.com X-Source: X-Source-Args: X-Source-Dir: X-EOPAttributedMessage: 0 X-EOPTenantAttributedMessage: bf6af8f2-b542-4a79-8985-917163e3d26a:0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DB1PEPF000509E3:EE_\|DBBPR07MB7515:EE_\|PA4PR07MB8622:EE_\|DU2PR07MB8332:EE_ X-MS-Office365-Filtering-Correlation-Id: b89aa9e8-7bbc-4f0f-7acb-08dc9b7b467d X-Moderation-Data: 7/3/2024 4:15:12 PM X-LD-Processed: bf6af8f2-b542-4a79-8985-917163e3d26a,ExtAddr,ExtAddr X-MS-Exchange-SenderADCheck: 0 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040\|34036016\|1032899013\|48200799018\|376014\|7416014\|586017\|69100299015\|41320700013\|61400799027\|102250200026; X-Microsoft-Antispam-Message-Info: TBxMS1H0Vh+gTdY8ZSzl3OeoupuYRdexxFPQ5fSEiJ5L9PosVzZS5lNt/LFZdWjcqLCWw+8w5E+ybKxrYQoBWhbeQF+vAoDcF3XvGPjrihpXJiw9cGHU/mJczP0x2Q4PzlOjtbF838lJFm5YTK0salUaTyBo4LlbFAg7ZVMDr3ImoEnRmTCtkKw6u3F2yg2Db+nfwo8mzYzLrHpBcZ+xs7OB3KPFu372QwGzr8TsR3wg4RIaZqj0zj0mVRJEusWsg908K4Ztl7kt6UztWpV/udSenqHOE8kFMEc09jrabEBjD+vI9dKNgpe5cIoDaGu7J8loGHbLQKq639qzKvE+NhumEHUjSyxjvp4YnxBfqocUpRqATpeMvD+9ss73M2vUcvGcVKO+3Qk31ypSBqOhtk1Syf1ftl8HEtbrpziY/s0VG9b3htrKMyz4/kCWaoZiVTpAkQaE8Zj1pfLa7YhRxIJrd3RyE2EmsFZm3ELAcRxms/O8kTqtfWW7NEFxr46k1J5gV/is0M0E58Uan0o1f7BGPjYPMxqWZv08Eujem8N0RXXiJcwBg7HpDUAwuew/7QE5qmRm4m+bVpf3jBUWoikenlyF4wYrIn3Z3RzKLAIXtpYZacHv0bEJjTP4sUN5HmH0tMV6534ondoVBFvppZnUxxuGRbsdbUdRexAEwAduq/VanIJ380yXzq+zgC8FvtGgAvIEZZj13uSwxtxhwVvnXU5uQzw/Hk2eRRZcmLlBYwo8cw4ykrt3jzPIi2O6ZtsfRqJfZHx+yRvug8tQ5x8jL8dQwANz0/MUvFXgYlUSdUXEkDnxSWtbQV2TtLkJ8Hzzs9YXLIW79zH+SgU+JNMCHn/70WFHL24J4OKfuP337kdg1qkm+BFlR2eAtEhzhBYnZQEP8W5FvOI2KC59OikgMqq6C2c733OQM0XLxMdElC/Jm+Bhrn72MYJv2I3NxOJSqSGAAtVWM5cGMxhCJm+T6+QCQRABb7wg4P+Jqs22lH1Jl15gyqyUADSUiNme06Z1K9JaOL3+Mlm9QbMt0O11csSOvIZVkNUCJfkCHkEhBV96NZof9d2Br3CoV3Iuip5iwHtbnYfwE8plyiRzaZxHMPI4b9wM2m3r+39er5O9uQaQGNSkY9QXfJV6YGiKL1eAsMdp9Jeo6ChxY8BGPlMSi5zfYGikx41we0Nf2z5DzokMGVOcSRARgCkgRwO1tHn/hSeSr9W7yA3BVYZzigLHMCMoEk+bcdv0/CsHQziR1Wj6PyE5+0GturAouHWbdgGk6wKzjCyIBaAlmf9btkdaOpL4c7kDFrrnPKqo08Bx/Tk3SWYCRB3xFR6yKjwMCbyR7iK0E0k8oQax6Ml2KrJQI2ZCeEUxZzxRUtFT7jdEtGTtwGHKAxEVFOoOyuoa X-Forefront-Antispam-Report: CIP:203.161.63.153;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:server1.donotreplymaster.com;PTR:server1.donotreplymaster.com;CAT:NONE;SFS:(13230040)(34036016)(1032899013)(48200799018)(376014)(7416014)(586017)(69100299015)(41320700013)(61400799027)(102250200026);DIR:OUT;SFP:1102; X-Auto-Response-Suppress: DR, OOF, AutoReply X-MS-Exchange-CrossTenant-Network-Message-Id: b89aa9e8-7bbc-4f0f-7acb-08dc9b7b467d X-MS-Exchange-CrossTenant-Id: bf6af8f2-b542-4a79-8985-917163e3d26a X-MS-Exchange-CrossTenant-AuthSource: DB1PEPF000509E3.eurprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: Internet X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Jul 2024 16:15:14.1697 (UTC) X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: Uo4LkzYK673AF2Z9axKGgkq3andP2InmPKvDd7YbVSwmjpY2mlqXu2+t5HqRuVqgPpFFo5KQCPmQUOnSYrDjckD/yc3UW1LJxCmwosHUUgyCsEpafnfzOoKT8Zhbgh3G7GPsdF9P7RSGe6BaaakQvQn01i8PjQzAiw2q3nKbJVMHtKJsGYAm1LEY8c2i5OZakvnCCXH0QqMrMJyI5ocEqdsUK+ikYcSD/2/GpLf0c0KLqEMBzxJgFWC89qrOwx68tBAVMaEX5NnuVzX1Bq29rQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU2PR07MB8332 X-CLX-Response: 1TFkXHhwfEQpMehceHBoRCllEF2QTT3BwHHxBHEMZEQpYWBdkGXt+UkYSG29 naREKeE4XZ0QTExtAc05GG0ERCnlMF29IRH8eXFBDThhfEQpDSBcHGx4YEQpDWRcHGx0cEQpDSR caBBoaGhEKWU0XZ2ZyEQpZSRcbGRxxGxsQGncGGxIScRgcHB4dEBkeHXcGGBoGGxgaEQpZXhdsb HkRCklGF0ZLQU9GS0ROR09OdUJFWV5PThEKSUcXeE9NEQpDThdzfnpOUhkbbUhfYAcTQkd+Q0Zr em4dXGJzWW1TGk1jWREKWFwXHwQaBBkcHAUbGgQbGhoEGxkeBBkeEBseGh8aEQpeWRdOX1IZYBE KTVwXGRgbEQpMWhdoZUIaTREKTU4XaGgRCkxGF29va29ra24RCkJPF2JsXWtsHnxyXnNPEQpDWh cYGhkEGxwbBBwZBBsfGREKQl4XGxEKWUUXGREKRUkXGxEKRWYXHhEKQlwXGxEKXk4XGxEKQksXZ 0QTExtAc05GG0ERCkJJF2dEExMbQHNORhtBEQpCRRdneRNFXGEba39nfhEKQk4XZ0QTExtAc05G G0ERCkJMF2QZe35SRhIbb2dpEQpCbBdkGXt+UkYSG29naREKQkAXbE1gex15HWBDXEwRCkJYF29 Ge3tOXGJ5TxJkEQpaWBcZEQp5Qxdkax0aQGMbTWETbREKWUsXExsYGhEKcGgXb0cSeGdLWBJQXm wQGBoRCnBoF2dgBWxmGXxDcBpzEBgYEQpwaBdra2YTeGtZAUgeSxAZHxEKcGgXbXlBTF1Jbl9CH 2gQGhEKcGgXa05GaAV7fH5LaE0QHRkRCnBoF28dQWNhBUtZUwESEBsbHREKcGgXYB4eYmZQY05b QHgQGhEKcGgXYkBhQ2gbQR4fSV4QGB4RCnBsF2ZLGnkdYkdlE2RjEBITEQpwQxdsfVsaGmZgX3p pYRAdEhEKbX4XGhEKWE0XSxEg X-Proofpoint-GUID: YTPdx31GbuJ-9hmTilAPD7vHYsGy0gIs X-CLX-Shades: MLX X-Proofpoint-ORIG-GUID: YTPdx31GbuJ-9hmTilAPD7vHYsGy0gIs Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-SPF-Result: pass X-Proofpoint-SPF-Record: v=spf1 include:spf.protection.outlook.com -all X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-07-03_11,2024-07-03_01,2024-05-17_01 X-Proofpoint-Spam-Details: rule=inbound_policy_notspam policy=inbound_policy score=0 clxscore=465 suspectscore=0 adultscore=0 spamscore=0 phishscore=0 bulkscore=0 malwarescore=0 lowpriorityscore=0 mlxlogscore=999 impostorscore=0 mlxscore=0 priorityscore=460 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2406140001 definitions=main-2407030120 domainage_hfrom=9120 Content-Type: text/html; charset="utf-8" Return-Path: bounces+SRS=Ll7mo=OD@BrownKellyAssociates.onmicrosoft.com X-MS-Exchange-Organization-Network-Message-Id: e465e9ec-e1df-4fe5-5154-08dc9b7b645e X-MS-Exchange-Organization-AuthSource: PRDPWCEXCH03.lrmcad.lrmcnet.com X-MS-Exchange-Organization-AuthAs: Internal X-MS-Exchange-Organization-AuthMechanism: 10 X-TM-AS-Product-Ver: SMEX-14.0.0.3092-9.0.1002-28504.003 X-TM-AS-Result: No-10--31.837400-8.000000 X-TMASE-MatchedRID: jWUjNgV3nn84lnOUQxi46WFY8KSwwQdLSHNz9HiL++RfdXg7z35yAZCJ SqC8FQVQPA1qQZtQo2U5jS4V09dQztsoruER/XwpfeeWNV6+vcPTL2GRHAc9cYW/tZsdOkioqhI nJR+gn1KXlo6z7q0jAuAnYp7jsvQUHNWOjOwcUUBd5/m3qrxFzIo8CRj+z/phS/H4wMcRbz4eNK cVXv/iCYOzbiG14BOf7GX0c1Ulalyj3Qz+FyEjBoQg0F6EHA2oth6QveQfsqNTp2rjNTszswVVD oP9EUSHwu+3IW6z8spaOQn/1nS33Fk1hIeTdmvRb/A0Dvek739HpEd1UrzmFbQICuE7V6z94CY7 pOSMb6XcVZGYb8Z4fB5M3/u/bROjh5kaQXRvR9e3C8wTbiZlTiLiJy57nerAKJpKpGmR8G2cZ81 PGbcSHureX86zIkh4scFe58Fe2Muu4uRBVJmJbD9MSUxVkuG61tMhXOTffbB9/A4bJF/PM8fkuN c1Mv17LWN7JnJVmAlQGE1L2htEcIHfzWJnn0eo9FT709M8dJjEMxPYKpLMOxrS3SBU9vZIFxgdC UZVLXJgppcApyC7Pjn7n5Hi4hKZ4UItcGSIjj5XwDh4W0Vl06FIbih0s/42OiMkf2iIyhXlXx+C RllIJTeG2Vt0Th9tDbIypzztyI2thvtDXITJKEAXM2GkmIJPR2z2RqVFhBoTccu4N5fXyF8h0kN CYYTtSYkyhKRGIg9bkP/H72nBVpV3j1zTOBYzSv1GZ4bUQeKcpGufbGiAqD0QQIun5PzC8k7khH A2NByFClSci0DxS83P7KuqDqvMngIgpj8eDcBXwkJe8uf18Sz1GK5Ukv+Orl5SkIp7iamFsZlZc SNNhagLjOEmOMViIs7VuNl80mPNQa4a68EKwPAxRSAc0OEN9v+NNOVSdf+UTF+d+0E9qnduHRyW qFBmQjCuczCYKa4D83nCnxoRTLMYTQOfOeUM X-TM-AS-User-Approved-Sender: No X-TM-AS-User-Blocked-Sender: No X-TMASE-Result: 10--31.837400-8.000000 X-TMASE-Version: SMEX-14.0.0.3092-9.0.1002-28504.003 X-TM-SNTS-SMTP: 951DD5FAE90139A458EEAE1ED3799F0FB9792ECABD59E7E4F0ABDD83CF9E326F2000:9 X-MS-Exchange-Organization-AVStamp-Mailbox: SMEXJnq?;1944300;0;This mail has been scanned by Trend Micro ScanMail for Microsoft Exchange; X-MS-Exchange-Organization-SCL: 0 X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.7508410 X-MS-Exchange-Processed-By-BccFoldering: 15.02.1544.011 ---------- End Email Headers ---------- ---------- Begin Reported Email ---------- WARNING: This email originated from outside of Lakeland Regional. Do not click links or open attachments unless you recognize the sender & are expecting the message. Click the Report Phish button if this email is suspicious. ________________________________ noreply123@donotreplymaster. com, here are the request details. Hello, noreply123@donotreplymaster. com [PayPal] Tonya Lambert sent you a money request Payment request details Amount requested $1,257.99 USD Note from Tonya Lambert: Fraud Alert: To report this, Call PayPal (888) 315-8744 Transaction ID U-96390352TN7914126 Transaction date July 3, 2024 Pay Now<https://urldefense.com/v3/__https://www.paypal.com/signin/?returnUri=2Fmyaccount2Ftransfer2FpayRequest2FU-3JY11473TD962473D2FU-96390352TN79141263FclassicUrl3D2FUS2Fcgi-bin2F3Fcmd3D_prq&id=9SEZhgLlp2ggTGNnU6KrSh0QjfRe0lPJEp7.3A&expId=p2p&onboardData=7B22signUpRequest223A7B22method223A22get222C22url223A22https3A2F2Fwww.paypal.com2Fmyaccount2Ftransfer2FguestLogin2FpayRequest2FU-3JY11473TD962473D2FU-96390352TN79141263FclassicUrl3D2FUS2Fcgi-bin2F3Fcmd3D_prq26id3D9SEZhgLlp2ggTGNnU6KrSh0QjfRe0lPJEp7.3A227D7D&flowContextData=1yiO-8WxdVjqxKDNEKyhocfUpB84m4oEpB2oVrX5biHCUcCnMN9xb_tSnbcBZ8HPTVCqJXeD-k3X7YmvIZMK3i-cJN6sFoWizCVNqboz_QeeTVHTUXe5m2VInRAjdWgerTbB-ScxLb_tJ3wEQk5f_e3RE564cg3sEZYkPafCniBGEJ3HqtX7lGWhp2haqlQQnebKF9d3y5njpMGskAdWFNdm7kcbV9rOV5K3C0VSbL1ftLmieE_x7Nh5SL4bjU11wTbVMlZxijstBIIu7rj-6NLX6nH2HyJBNoWRu0&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&ppid=RT000186&cnac=US&rsta=en_US28en-US29&cust=&unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&calc=f801159cd6a88&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.262.0&tenant_name=&xt=1455852C1040382C124817&link_ref=www.paypal.com_signin__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!KAwXmIspl3H4!sCqsA64Cvg4WM0pFvEolCRowhFYAkUcs0vijyB6mjaYegubIk6k8bJWVSgGbMIKLr5Yhx8Ox6B6pnxPUHgo-$> Don't recognize this request? Before paying, make sure you recognize this person. Don't engage with this request if you're unsure about it. PayPal won't contact you through a money request. Learn more<https://urldefense.com/v3/__https://www.paypal.com/us/security/learn?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&ppid=RT000186&cnac=US&rsta=en_US28en-US29&cust=&unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&calc=f801159cd6a88&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.262.0&tenant_name=&xt=1455852C1040382C124817&link_ref=security_learn__;JSUlJSUlJQ!!KAwXmIspl3H4!sCqsA64Cvg4WM0pFvEolCRowhFYAkUcs0vijyB6mjaYegubIk6k8bJWVSgGbMIKLr5Yhx8Ox6B6pn8hQvwvp$> about common security threats and how to spot them. [PayPal] ________________________________ Help & Contact<https://urldefense.com/v3/__https://www.paypal.com/us/smarthelp/home?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&ppid=RT000186&cnac=US&rsta=en_US28en-US29&cust=&unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&calc=f801159cd6a88&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.262.0&tenant_name=&xt=1455852C1040382C124817&link_ref=smarthelp_home__;JSUlJSUlJQ!!KAwXmIspl3H4!sCqsA64Cvg4WM0pFvEolCRowhFYAkUcs0vijyB6mjaYegubIk6k8bJWVSgGbMIKLr5Yhx8Ox6B6pn2alPTN_$> \| Security<https://urldefense.com/v3/__https://www.paypal.com/us/webapps/mpp/paypal-safety-and-security?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&ppid=RT000186&cnac=US&rsta=en_US28en-US29&cust=&unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&calc=f801159cd6a88&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.262.0&tenant_name=&xt=1455852C1040382C124817&link_ref=mpp_paypal-safety-and-security__;JSUlJSUlJQ!!KAwXmIspl3H4!sCqsA64Cvg4WM0pFvEolCRowhFYAkUcs0vijyB6mjaYegubIk6k8bJWVSgGbMIKLr5Yhx8Ox6B6pn96ST4jt$> \| Apps<https://urldefense.com/v3/__https://www.paypal.com/us/webapps/mpp/mobile-apps?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&ppid=RT000186&cnac=US&rsta=en_US28en-US29&cust=&unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&calc=f801159cd6a88&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.262.0&tenant_name=&xt=1455852C1040382C124817&link_ref=mpp_mobile-apps__;JSUlJSUlJQ!!KAwXmIspl3H4!sCqsA64Cvg4WM0pFvEolCRowhFYAkUcs0vijyB6mjaYegubIk6k8bJWVSgGbMIKLr5Yhx8Ox6B6pn05c11qt$> [Twitter]<https://urldefense.com/v3/__https://twitter.com/PayPal?v=12C0.1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&ppid=RT000186&cnac=US&rsta=en_US28en-US29&cust=&unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&calc=f801159cd6a88&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.262.0&tenant_name=&xt=1455852C1040382C124817&link_ref=twitter.com_paypal__;JSUlJSUlJSU!!KAwXmIspl3H4!sCqsA64Cvg4WM0pFvEolCRowhFYAkUcs0vijyB6mjaYegubIk6k8bJWVSgGbMIKLr5Yhx8Ox6B6pn-sGmbCR$> [Instagram] <https://urldefense.com/v3/__https://www.instagram.com/paypal/?v=12C0.1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&ppid=RT000186&cnac=US&rsta=en_US28en-US29&cust=&unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&calc=f801159cd6a88&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.262.0&tenant_name=&xt=1455852C1040382C124817&link_ref=www.instagram.com_paypal__;JSUlJSUlJSU!!KAwXmIspl3H4!sCqsA64Cvg4WM0pFvEolCRowhFYAkUcs0vijyB6mjaYegubIk6k8bJWVSgGbMIKLr5Yhx8Ox6B6pn6lk4thN$> [Facebook] <https://urldefense.com/v3/__https://www.facebook.com/PayPalUSA?v=12C0.1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&ppid=RT000186&cnac=US&rsta=en_US28en-US29&cust=&unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&calc=f801159cd6a88&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.262.0&tenant_name=&xt=1455852C1040382C124817&link_ref=www.facebook.com_paypalusa__;JSUlJSUlJSU!!KAwXmIspl3H4!sCqsA64Cvg4WM0pFvEolCRowhFYAkUcs0vijyB6mjaYegubIk6k8bJWVSgGbMIKLr5Yhx8Ox6B6pn2bREGGr$> [LinkedIn] <https://urldefense.com/v3/__http://www.linkedin.com/company/1482?trk=tyah&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&ppid=RT000186&cnac=US&rsta=en_US28en-US29&cust=&unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&calc=f801159cd6a88&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.262.0&tenant_name=&xt=1455852C1040382C124817&link_ref=company_1482__;JSUlJSUlJQ!!KAwXmIspl3H4!sCqsA64Cvg4WM0pFvEolCRowhFYAkUcs0vijyB6mjaYegubIk6k8bJWVSgGbMIKLr5Yhx8Ox6B6pn2t0SV4G$> PayPal is committed to preventing fraudulent emails. Emails from PayPal will always contain your full name. Learn to identify phishing<https://urldefense.com/v3/__https://www.paypal.com/us/webapps/mpp/security/suspicious-activity?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&ppid=RT000186&cnac=US&rsta=en_US28en-US29&cust=&unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&calc=f801159cd6a88&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.262.0&tenant_name=&xt=1455852C1040382C124817&link_ref=security_suspicious-activity__;JSUlJSUlJQ!!KAwXmIspl3H4!sCqsA64Cvg4WM0pFvEolCRowhFYAkUcs0vijyB6mjaYegubIk6k8bJWVSgGbMIKLr5Yhx8Ox6B6pn7KvUAsq$> Please don't reply to this email. To get in touch with us, click Help & Contact<https://urldefense.com/v3/__https://www.paypal.com/selfhelp/home?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&ppid=RT000186&cnac=US&rsta=en_US28en-US29&cust=&unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&calc=f801159cd6a88&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.262.0&tenant_name=&xt=1455852C1040382C124817&link_ref=selfhelp_home__;JSUlJSUlJQ!!KAwXmIspl3H4!sCqsA64Cvg4WM0pFvEolCRowhFYAkUcs0vijyB6mjaYegubIk6k8bJWVSgGbMIKLr5Yhx8Ox6B6pnwLLjLRv$>. Not sure why you received this email? Learn more<https://urldefense.com/v3/__https://www.paypal.com/us/smarthelp/article/why-am-i-receiving-emails-from-paypal-when-i-dont-have-an-account-faq4172?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&ppid=RT000186&cnac=US&rsta=en_US28en-US29&cust=&unptid=2ee6a23c-3946-11ef-a1cc-3cfdfeef7e5d&calc=f801159cd6a88&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.262.0&tenant_name=&xt=1455852C104038*2C124817&link_ref=article_why-am-i-receiving-emails-from-paypal-when-i-dont-have-an-account-faq4172__;JSUlJSUlJQ!!KAwXmIspl3H4!sCqsA64Cvg4WM0pFvEolCRowhFYAkUcs0vijyB6mjaYegubIk6k8bJWVSgGbMIKLr5Yhx8Ox6B6pnzXv2elm$> Copyright 1999-2024 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131. PayPal RT000186:en_US(en-US):1.3.0:f801159cd6a88 ---------- End Reported Email ----------
Attachments:	Headers.txt

Headers

Key	Value
Received	from PRDPWCEXCH02.lrmcad.lrmcnet.com ([172.23.129.66]) by
15.2.1544.11 via Mailbox Transport; Wed, 3 Jul 2024 13	08:15 -0400
15.2.1544.11; Wed, 3 Jul 2024 13	08:14 -0400
15.02.1544.011; Wed, 3 Jul 2024 13	08:14 -0400
Content-Type	application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding	binary
From	Lauren T Haynes <Lauren.Haynes@myLRH.org>
To	IT Tech Sec <ITTEchSec@myLRH.org>
Subject	Potential Phish: You've got a money request
Thread-Topic	Potential Phish: You've got a money request
Thread-Index	AQHazWRCJwJmpzcjsEuZNUwZUlHhMbHlPGWS
Date	Wed, 3 Jul 2024 13:08:14 -0400
Message-ID	<0ad2cb698e084c38a88569527f2bdc74@myLRH.org>
References	<A9.E4.04374.52C55866@ccg01mail01>
In-Reply-To	<A9.E4.04374.52C55866@ccg01mail01>
Accept-Language	en-US
Content-Language	en-US
X-MS-Has-Attach	yes
X-MS-Exchange-Organization-SCL	0
X-MS-TNEF-Correlator	<0ad2cb698e084c38a88569527f2bdc74@myLRH.org>
MIME-Version	1.0
X-MS-Exchange-Organization-MessageDirectionality	Originating
X-MS-Exchange-Organization-AuthSource	PRDPWCEXCH02.lrmcad.lrmcnet.com
X-MS-Exchange-Organization-AuthAs	Internal
X-MS-Exchange-Organization-AuthMechanism	04
X-Originating-IP	[10.255.228.21]
X-MS-Exchange-Organization-Network-Message-Id	003b759e-ef93-4766-cb23-08dc9b82b9dc
Return-Path	Lauren.Haynes@myLRH.org
X-TM-AS-Product-Ver	SMEX-14.0.0.3092-9.0.1002-28506.000
X-TM-AS-Result	No-10--6.578100-8.000000
X-TMASE-MatchedRID	UEe6CCDNlZw61iGVKN35PWeDvJOKSUQcXNf9MU7aj5Ef1AdLUyG7ncSi
X-TM-AS-User-Approved-Sender	No
X-TM-AS-User-Blocked-Sender	No
X-TMASE-Result	10--6.578100-8.000000
X-TMASE-Version	SMEX-14.0.0.3092-9.0.1002-28506.000
X-TM-SNTS-SMTP	5B10BF4BF34BD8E389268EC6E78CB7FF35B94CDFEF2B2DF1B23D115B0B6D60C02000:9
X-MS-Exchange-Organization-AVStamp-Mailbox	SMEXJnq?;1944300;0;This mail has
X-MS-Exchange-Transport-EndToEndLatency	00:00:01.1527386
X-MS-Exchange-Processed-By-BccFoldering	15.02.1544.011
date	Wed, 03 Jul 2024 19:08:14 +0200

File Icon


Icon Hash:	c4e1928eacb280a2