Edit tour
Windows
Analysis Report
Urgent Secure File Transfer Notification.eml
Overview
General Information
| Sample name: | Urgent Secure File Transfer Notification.eml |
| Analysis ID: | 1544009 |
| MD5: | c9232f4a0da52524ee58b7a16670cf41 |
| SHA1: | 15282531f3d2c550f671b87591847bd4d477f9e9 |
| SHA256: | 6f6b3d9cf6ec0e8f0578bc7f2375f1ea0ab22d937fbaa3169d94c33bae60ee33 |
| Infos: |  |
 | |
Detection
| Score: | 22 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 80% |
Signatures
AI detected potential phishing Email
Creates a window with clipboard capturing capabilities
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry
Classification
- System is w10x64_ra
OUTLOOK.EXE (PID: 6400 cmdline: "C:\Progra m Files (x 86)\Micros oft Office \Root\Offi ce16\OUTLO OK.EXE" /e ml "C:\Use rs\user\De sktop\Urge nt Secure File Trans fer Notifi cation.eml " MD5: 91A5292942864110ED734005B7E005C0) 
ai.exe (PID: 6776 cmdline: "C:\Progra m Files (x 86)\Micros oft Office \root\vfs\ ProgramFil esCommonX6 4\Microsof t Shared\O ffice16\ai .exe" "268 A11A1-A4EE -42AB-86CD -DB9967D5A 7BE" "EDEB CFB7-4E5C- 4AC0-8AD8- 22EABB789D 34" "6400" "C:\Progr am Files ( x86)\Micro soft Offic e\Root\Off ice16\OUTL OOK.EXE" " WordCombin edFloatieL reOnline.o nnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
- cleanup
⊘No yara matches
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | Window created: | ||
| Source: | Classification label: | ||
| Source: | File created: | ||
| Source: | File created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Key value queried: | ||
| Source: | Window found: | ||
| Source: | Window detected: | ||
| Source: | Key opened: | ||
Persistence and Installation Behavior |   |
|---|
| Source: | LLM: | ||
| Source: | Key value created or modified: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | File Volume queried: | ||
| Source: | Process information queried: | ||
| Source: | Queries volume information: | ||
| Source: | Key value queried: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 Browser Extensions | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | 1 Clipboard Data | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
| 2.19.126.151 | unknown | European Union | 16625 | AKAMAI-ASUS | false | |
| 23.212.88.34 | unknown | United States | 16625 | AKAMAI-ASUS | false | |
| 52.109.89.18 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
| 52.109.89.19 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
| 52.168.112.67 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1544009 |
| Start date and time: | 2024-10-28 17:57:06 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 13 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | stream |
| Analysis stop reason: | Timeout |
| Sample name: | Urgent Secure File Transfer Notification.eml |
| Detection: | SUS |
| Classification: | sus22.winEML@3/7@0/58 |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.109.89.19, 2.19.126.151, 2.19.126.160, 52.113.194.132
- Excluded domains from analysis (whitelisted): omex.cdn.office.net, ecs.office.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, weu-azsc-000.roaming.officeapps.live.com, ctldl.windowsupdate.com, weu-azsc-config.officeapps.live.com, prod.roaming1.live.com.akadns.net, eur.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, a1864.dscd.akamai.net
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: Urgent Secure File Transfer Notification.eml
| Input | Output |
|---|---|
| URL: Model: claude-3-5-sonnet-latest | {
"explanation": [
"The sender domain 'access-online.com' appears suspicious and doesn't match legitimate financial institution domains",
"The email creates urgency with 'Urgent' in subject line and mentions secure file transfer to prompt immediate action",
"Generic system message format attempting to appear legitimate while providing a suspicious file download scenario"
],
"phishing": true,
"confidence": 8
} |
Is this email content a phishing attempt? Please respond only in valid JSON format:
Email content converted to JSON:
{
"date": "Mon, 28 Oct 2024 09:03:11 -0500",
"subject": "Urgent: Secure File Transfer Notification",
"communications": [
"Caution! This message was sent from outside your organization.\n\nA file from USBC.MISDELIVERY has been successfully uploaded to /HCLI/PDETLOR on the Access Online Data Exchange website and is now available to be downloaded:\n\n File Name: IC782541.XLSX\n File Size: 3.2 KB\n Received: 10/28/2024 09:03:11 AM CDT\n\nIf you need assistance, please contact the Help Desk\n\nThis file will remain in your mailbox for sixty (60) days starting today. At that point, the file will be deleted.\n\n***This is a system-generated message. For assistance, do not reply to this email. Please access the Contact Us page through Access Online. Thank you.***\n"
],
"from": "AccessOnline.DataExchange@access-online.com",
"to": "paulina.detlor@handtmann.ca"
} | |
| URL: Email Model: claude-3-haiku-20240307 | ```json
{
"contains_trigger_text": true,
"trigger_text": "A file from USBC.MISDELIVERY has been successfully uploaded to /HCLI/PDETLOR on the Access Online Data Exchange website and is now available to be downloaded:",
"prominent_button_name": "unknown",
"text_input_field_labels": [
"File Name",
"File Size",
"Received"
],
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": true,
"has_visible_qrcode": false
} |
 | |
| URL: Email Model: claude-3-haiku-20240307 | ```json
{
"brands": [
"USBC.MISDELIVERY",
"Access Online Data Exchange"
]
} |
|
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 231348 |
| Entropy (8bit): | 4.38767743099746 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | 36EB443C6E1479CD5EE9BA9DC391D0B9 |
| SHA1: | 2DBDB6DD0A6B711DE9DEC642692EBEB8D5D0269F |
| SHA-256: | D3C8A64C8A201B8A277BC3F35D5BA816F996C104CC5445C54720BF94565A6D2C |
| SHA-512: | FAF0F1FBEF183B569E42E000F8A84682542A46A5D266C3E8A4965B3356FC0E98CA1655FDC29C929A02A4E278AEE68DF6497A5456D258F77FE7C4F6E03DC813EF |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 322260 |
| Entropy (8bit): | 4.000299760592446 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | CC90D669144261B198DEAD45AA266572 |
| SHA1: | EF164048A8BC8BD3A015CF63E78BDAC720071305 |
| SHA-256: | 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899 |
| SHA-512: | 16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | modified |
| Size (bytes): | 10 |
| Entropy (8bit): | 2.5219280948873624 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | DCF7C73E17946148ADC823044B3FD56F |
| SHA1: | 29562772CB5EC95F996A5A0EA6F444381CDF4B4D |
| SHA-256: | BB25638112E400A90D6BF215093AA3F85088006926682018504571CC83556B8C |
| SHA-512: | 0AF8A0B17F881B58D2DCB4EBA58B677B0E452B0D0507405F1314E5F9B56DF522B821BA8627ED2376DC8B1CC566F3304564CB0E1DE7CEAD8442AC51A9EDF6AB68 |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | modified |
| Size (bytes): | 406268 |
| Entropy (8bit): | 5.938637680508547 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | 2FCF1FBD292F0F851D0BAEB8C87B6DDA |
| SHA1: | D4FAA6064C28FD3EC89565806D52A2F4B2BA3349 |
| SHA-256: | 84538A6A2B12CCA88173021EFD244500F2AB10A03D7D6FC2ADC199003BC80360 |
| SHA-512: | 6C1503529D432DB35BCED91715304A199376CC9891B0C6BEC82FCF71439CE989300BFFB6EC93C656F76C59E1034B3B16A9C7EA0C28A0559E92F16C602024395F |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0A31A525-9351-49F3-A96B-19E9DC3A5FA6
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 180288 |
| Entropy (8bit): | 5.291021032944116 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | 36FD7D734EFB4A1DA14919046DBF377B |
| SHA1: | C2D2C42A468AE0A50FA3A6CA5D912A4F9C124D62 |
| SHA-256: | 22698FA1F25CD7818801F5C25BB1A48527343ADCAB23B375A4DCE757D57A9BE7 |
| SHA-512: | 344D03D237132217F55EA5118A7929EE5383AF822DEA06462E20BE5A2EEB6D6170A0874F92D1808E8BE93D5CEFF6FDA9385761706444F72443891713718E424A |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4616 |
| Entropy (8bit): | 0.13760166725504608 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | 8AD387E11D945D81F64A140A4D276507 |
| SHA1: | 40053DB448CBB5EC7541E0FF3F587868E8916383 |
| SHA-256: | 9CD4BFD534B66C9586E827A0E1469ECE1636EE0165857356F2FE6D50261D2868 |
| SHA-512: | 8667094625E062440CAC1768E1B4D144C3157E11DEE94FC8F0ECB98F8F2611993CE567697CA6AF83BEC824968F331B4A0AD42D68EEC49D50761C2BCB2F37AF5C |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 30 |
| Entropy (8bit): | 1.2389205950315936 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | 123490F8FB01092E342B6056D58ED0AD |
| SHA1: | 1D74136095C2A8E36DAA598683BA9E14363F63FD |
| SHA-256: | 828A26F673311EE94A03D7DF74DCB4AA4E6E18C488FF42571978F5A2F4630DC7 |
| SHA-512: | A50E2771292F36AAD2F995AA4F06439914C58F3B40C0519A38AA3F5369F8FE887EF3117C9B2A7C2484D5B14A26C1893D2368683E58F17001DEA5AD91ADDF4F53 |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
| File type: | |
| Entropy (8bit): | 5.979090516268103 |
| TrID: |
|
| File name: | Urgent Secure File Transfer Notification.eml |
| File size: | 20'745 bytes |
| MD5: | c9232f4a0da52524ee58b7a16670cf41 |
| SHA1: | 15282531f3d2c550f671b87591847bd4d477f9e9 |
| SHA256: | 6f6b3d9cf6ec0e8f0578bc7f2375f1ea0ab22d937fbaa3169d94c33bae60ee33 |
| SHA512: | 4fd9729dfa2a08b08db18893efc1f302f12ebe934543de99323673fb1dd4c4a3aa71861b49a2a696b58cc8189dea7fff72f08d8eb173038c5cb81c7329aabd83 |
| SSDEEP: | 192:Gn8xyrYSubjjcYSA8VcWzzARpce1xBRHdiCGRuirqa31JzqvlTeM1QgU54Smn9Ea:xXc6szARpcABRAiY1QJlBJK7IREVb0 |
| TLSH: | EC92C8800A161422FA5A09941E443D0E5151FA4BE9FADEC13AEFB4BA5D8F13F3F16B49 |
| File Content Preview: | Received: from YQBP288MB0882.CANP288.PROD.OUTLOOK.COM (2603:10b6:c01:90::18).. by YT2P288MB0153.CANP288.PROD.OUTLOOK.COM with HTTPS; Mon, 28 Oct 2024.. 14:05:41 +0000..Received: from YT4P288CA0021.CANP288.PROD.OUTLOOK.COM (2603:10b6:b01:d4::23).. by YQBP2 |
| Subject: | Urgent: Secure File Transfer Notification |
| From: | AccessOnline.DataExchange@access-online.com |
| To: | paulina.detlor@handtmann.ca |
| Cc: | |
| BCC: | |
| Date: | Mon, 28 Oct 2024 09:03:11 -0500 |
| Communications: |
|
| Attachments: |
| Key | Value |
|---|---|
| Received | from mail.svr-internal.com ([127.0.0.1]) by mailc12.usbank.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Oct 2024 09:03:12 -0500 |
| Authentication-Results | spf=pass (sender IP is 104.47.75.173) smtp.mailfrom=access-online.com; dkim=fail (signature did not verify) header.d=access-online.com;dmarc=pass action=none header.from=access-online.com;compauth=pass reason=100 |
| Received-SPF | Pass (protection.outlook.com: domain of access-online.com designates 170.135.101.28 as permitted sender) receiver=protection.outlook.com; client-ip=170.135.101.28; helo=mailc13.accountreply.com; pr=C |
| X-Sophos-Product-Type | Mailflow |
| X-Sophos-Email-ID | ed8e16a2feea4e5b97be4ee7616f4393 |
| Authentication-Results-Original | spf=pass (sender IP is 170.135.101.28) smtp.mailfrom=access-online.com; dkim=pass (signature was verified) header.d=access-online.com;dmarc=pass action=none header.from=access-online.com;compauth=pass reason=100 |
| DKIM-Signature | v=1; a=rsa-sha256; c=simple/simple; d=access-online.com; i=@access-online.com; q=dns/txt; s=USB1; t=1730124192; x=1761660192; h=date:from:to:message-id:subject:mime-version: content-transfer-encoding; bh=v8rgpek9cFUF9kYNIGOCvJffSohxMO83B7GY/4ke7dw=; b=mroNai+M5TDb3bTLCkxNwS8iKUabsnE3Ch+ukfDpriot6phGtDTJwA/I 0h0o5DhJmqd/HmEoPrXqFAxH+VQt3hwL17BLUM+MqXPq4GdIhAQkJMVyV cQ/xbCgLVk0FOUxblsgxKBsMthYg9T44hZ98yqJAQNgZrUag33Y1SPdRr AzZmVXccwK1FtF3cyeblqxtjp8iqG9SZl8i9qlI/Hw1OM8GoaUuVvpKgO m57/CSSnJ8d8y4kqmIgo8JLLvfMrCJjxrWYm0iplDdy0l0c4+ml/7M28l g1nR6IVDwNeozf4QRVWEVbU2pOYA5ldCzZ7kzO2lurTj46MdQ6vKgTBeN w==; |
| X-CSE-ConnectionGUID | W20WlB3ITYeAFnC8s4pDaA== |
| X-CSE-MsgGUID | RbHWRaa/R4CiSrdJXEJ+NA== |
| X-LoopCount3 | from 156.36.174.206 |
| X-LoopCount2 | from 156.36.216.76 |
| X_fileSizes | None |
| X-SenderGroup | RELAYLIST |
| X-MailFlowPolicy | $RELAYED |
| X-MID | 174980948 |
| X-EnvelopeSender | AccessOnline.DataExchange@access-online.com |
| X-MessageSize | 1123 |
| X-Loop1 | 1 |
| X-DSDR | YES |
| Date | Mon, 28 Oct 2024 09:03:11 -0500 |
| From | AccessOnline.DataExchange@access-online.com |
| To | paulina.detlor@handtmann.ca |
| Message-ID | <1518797626.13976.1730124191742@vmaksa69901dbc> |
| Subject | Urgent: Secure File Transfer Notification |
| Content-Type | text/plain; charset="UTF-8" |
| Content-Transfer-Encoding | quoted-printable |
| X-EOPAttributedMessage | 1 |
| X-EOPTenantAttributedMessage | 42294ed2-c4ff-4332-8e2e-a2dc7ee0537a:1 |
| X-MS-TrafficTypeDiagnostic | YT2PEPF000001CB:EE_|YQBP288MB0488:EE_|YT2PEPF000001C9:EE_|YQBP288MB0882:EE_|YT2P288MB0153:EE_ |
| X-MS-Office365-Filtering-Correlation-Id | 3606aa2e-3b8a-4fd1-45d8-08dcf7599b00 |
| X-Microsoft-Antispam-Untrusted | BCL:4; ARA:13230040|2092899012|3072899012|5062899012|12012899012; |
| X-Microsoft-Antispam-Message-Info-Original | tZt1EkRIs8ux9GOxRPdnj6XGjIFkNvdql2K3y18bqRiIZP6u5QjTSRH/zm0Umb3FqxcOje1AYVqXPy+27smrujZH/MvZAslL5GZABvQsTv4FYP1Xm/ctobn4i1GeUXyEkewmxmFfbjpbsYqGRhQEkFoYGGTq5iPTkUFonG1JhPOZGRMSVkSohrJ5dO+o1rZ4Bxmc2zfaslkUH+b+uITQ2Fz0XRdlW2hKVFqdFGH/yd31NFguxJv/G6swid6saXXk93IANCoaHGxkajBu3wmbpRu3Auhq0V2S781sHSJRneTfUiAq7iaZjryBHyHEDOR5470Nj5RIDT0rcdz4Y0K8VFR6h84/v5GNcb/n/gPszDEg3hs7oWQevPZUSKgRW1+qTmAH6niunxPDlBbP+BnzX1KEKa8XCmX0cUFTrov+HPz8dT/Sx4vlEmTWQH39q8s01BhbkC6ewzoZRs+F81LpX9hsG8+AwCBrztcoipMDYJEG7iXwNwkvpEuwc1ZNq+5UKdfGXg3OJxLv8FX68AtATPgej4UTUzC3OTBmP3kVtOqe2OjgiVfDk3XkIc5bcPT1rqKcvU1QWyzR6u6IbG2GbUaAKzpp2JCS4d57dyLSfHZwQKJFuM2ofIHlzk354wcwjV3tnGCuhe5QNkU1fCPCEQ2JHTsr7ywx9WxZ5PPuCvvxgdzmJfFdaHKuV4Li2lkemD/ttSgi8XXsfHP2mHlk4hZWomSqTJxKNOjvx8PHkoyYpaYHv4IGX9lZGjCUwiynZ0hfT1BxsbDLZnq7mdtev2vqsBt9X0fGV1gjWab0Cffc1lVf41/3HkT89GrID9tyDzTmve7WpOx6OG1CHeqZ1ZuPDMw8jPOKj2DfWHPXdNLdlwO0JEdv/bIr4yRvn/WLtykRUQ7hE2gJhrXG2vvcXkYfkjofEaRaZeKhlniDU2MRdsct9d9hrFFIeDzsDBa9uIfpF9pSN2JNyUH//ZJ/2TwgSlVCWVfeZSvIV7LV6OwgqbG01PhDYp/0bD9t65FqKk85OYHVZKe3RDPfepMq4xWmaxe7pgS4+L4ymPRix0Q026L8LiJQWbFqbaxi86mHWuHwm/HXH+TbJmwDoL3/RfShx0UEMB21o+fw+I1jf8Km3ulHn4N650tLIhzyfkwVaRLdZ2FsCiYA5BS2iMS5ayU9x9A1FpBTkPXkz7Z/i6DIIpXg2hSmdKxodU+xiKGsvaES93s0E0UkyBO733qireYEqkMMrlV7zOXWo4HMrVuFAKLq/lD+PcAPPzWQfZM51/sS/nc2ZoBQa8WHxYqvlTEFlQgaqRfFuIcKqwae5GXvqQFn9Z7u9/4auyaZqiQPxy3wU7VY8nACe2etq8FwqSTjj/bWneD27JjCNUAc8Kk7vdS1nM0MSgV03SbP7FVUh0k1xyf0B3oKtGHxVb58MytejV/nnZSvCez5dXCA/1bcgQE3PUXvHV5aFt0AUzdadi7A2uiI9tS3feTEqxhCu3Ak/1xBcnVUuPqwKXxtQfNWukwtoJulf+P1AFll9FYf5KXpuEjVFWFQHXGQsO/YjC8EokQ61jBTe++9xt/xcfYuNFyZQAHo5uMF3RTUgO5Bp/p2fICzfIJa+VEN4e6jyw6+3tdxwna4sDQE1GbDRhn0Ah4O2sSiuL1g8uhbnr8muTunhHadGZvw1Z74NS4l6vqVn7NCZSYezmNXvZMhtkVVYi/JV8N68QQkGUSDeiy5g/AOWD7MS1iX2pAMZXKe59tMAEBSm+kSSCG4TjT5qimMSrrE6KG+Nqg1aKfetYl6UlFh+OJJhS5goYEcE9RMTh/t0GXqFwJ4bjheSghYbPsLqgepOJNla9uvEbollqkNta4eQy0JK0/W3P1mW2UwFQbiGfxMraPvk22vmhchPEKpijoFsuLys0khPYfEAw0BiiAnJtotaFBM9Ct1CgzJrpfgqDk2NDZIIv74WU1hYqZRYmn/DFCAQykJTwTn/vWXcWBUVWe6J4134kUqNoL8BRskb977ULEMHE5niqj9LDgjj4Ev/Ari/mnWEBL3Cb6QKQon20/RelEpvnscVGP8TyDAoVkVOlOC3iIBQmLYiwo= |
| X-Forefront-Antispam-Report-Untrusted | CIP:170.135.101.28; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:mailc13.accountreply.com; PTR:mailc13.accountreply.com; CAT:NONE; SFS:(13230040)(2092899012)(3072899012)(5062899012)(12012899012); DIR:INB; |
| X-MS-Exchange-Transport-CrossTenantHeadersStamped | YQBP288MB0882 |
| X-Sophos-Email-Scan-Details | 27140d1e1540510e7e771140550e7d75 |
| X-Sophos-Email | [us-west-2] Antispam-Engine: 6.0.0, AntispamData: 2024.10.28.133017 |
| X-Sophos-SenderHistory | ip=170.135.101.28, fs=15040084, fso=63867538, da=223582944, mc=1786, sc=57, hc=1729, sp=3, re=6, sd=3, hd=17 |
| X-Sophos-DomainHistory | d=access-online.com, fs=79070230, fso=79070230, da=84325768, mc=37475, sc=83, hc=37392, sp=0, re=0, sd=0, hd=30 |
| X-LASED-From-ReplyTo-Diff | From:<handtmann.ca>:13 |
| X-LASED-SpamProbability | 0.130108 |
| X-LASED-Hits | AUTH_RES_PASS 0.000000, BODYTEXTP_SIZE_3000_LESS 0.000000, BODY_SIZE_1000_LESS 0.000000, BODY_SIZE_2000_LESS 0.000000, BODY_SIZE_5000_LESS 0.000000, BODY_SIZE_500_599 0.000000, BODY_SIZE_7000_LESS 0.000000, CS_HDR_RND_1 0.100000, CTE_QUOTED_PRINTABLE 0.000000, CT_TEXT_PLAIN_UTF8_CAPS 0.000000, DATE_TZ_NA 0.000000, DKIM_SIGNATURE 0.000000, DQ_S_H 0.000000, FRAUD_X3 1.000000, HTML_00_01 0.050000, HTML_00_10 0.050000, INBOUND_SOPHOS 0.000000, INBOUND_SOPHOS_TOP_REGIONS 0.000000, INVALID_MSGID_NO_FQDN 0.000000, KNOWN_MTA_TFX 0.000000, NO_CTA_URI_FOUND 0.000000, NO_FUR_HEADER 0.000000, NO_REAL_NAME 0.000000, NO_URI_FOUND 0.000000, NO_URI_HTTPS 0.000000, SXL_IP_TFX_WM 0.000000, TRANSACTIONAL 0.000000, __AUTH_RES_DKIM_PASS 0.000000, __AUTH_RES_DMARC_PASS 0.000000, __AUTH_RES_PASS 0.000000, __BEC_SUBJ_KEYWORD 0.000000, __BODY_NO_MAILTO 0.000000, __CT 0.000000, __CTE 0.000000, __CT_TEXT_PLAIN 0.000000, __DKIM_ALIGNS_2 0.000000, __DQ_D_H 0.000000, __DQ_IP_FSO_LARGE 0.000000, __DQ_S_DOMAIN_HD_10_P 0.000000, __DQ_S_DOMAIN_HD_1_P 0.000000, __DQ_S_DOMAIN_HD_20_P 0.000000, __DQ_S_DOMAIN_HD_30 0.000000, __DQ_S_DOMAIN_HD_5_P 0.000000, __DQ_S_DOMAIN_HIST_1 0.000000, __DQ_S_DOMAIN_MC_100_P 0.000000, __DQ_S_DOMAIN_MC_10_P 0.000000, __DQ_S_DOMAIN_MC_1K_P 0.000000, __DQ_S_DOMAIN_MC_1_P 0.000000, __DQ_S_DOMAIN_MC_50_P 0.000000, __DQ_S_DOMAIN_MC_5_P 0.000000, __DQ_S_DOMAIN_RE_0 0.000000, __DQ_S_DOMAIN_RE_49_L 0.000000, __DQ_S_DOMAIN_RE_4_L 0.000000, __DQ_S_DOMAIN_RE_99_L 0.000000, __DQ_S_DOMAIN_RE_9_L 0.000000, __DQ_S_DOMAIN_SC_10_P 0.000000, __DQ_S_DOMAIN_SC_1_P 0.000000, __DQ_S_DOMAIN_SC_5_P 0.000000, __DQ_S_DOMAIN_SP_0_P 0.000000, __DQ_S_HIST_1 0.000000, __DQ_S_HIST_2 0.000000, __DQ_S_IP_HD_10_P 0.000000, __DQ_S_IP_MC_100_P 0.000000, __DQ_S_IP_MC_10_P 0.000000, __DQ_S_IP_MC_1K_P 0.000000, __DQ_S_IP_MC_1_P 0.000000, __DQ_S_IP_MC_5_P 0.000000, __DQ_S_IP_RE_49_L 0.000000, __DQ_S_IP_RE_99_L 0.000000, __DQ_S_IP_RE_9_L 0.000000, __DQ_S_IP_SC_10_P 0.000000, __DQ_S_IP_SC_1_P 0.000000, __DQ_S_IP_SC_5_P 0.000000, __DQ_S_IP_SD_1_P 0.000000, __DQ_S_IP_SD_3_P 0.000000, __FILESHARE_PHRASE 0.000000, __FRAUD_COMMON 0.000000, __FRAUD_REPLY 0.000000, __FRAUD_SUBJ_A 0.000000, __FRAUD_URGENCY 0.000000, __FROM_DOMAIN_NOT_IN_BODY 0.000000, __FROM_NAME_NOT_IN_ADDR 0.000000, __FROM_NAME_NOT_IN_BODY 0.000000, __HAS_FROM 0.000000, __HAS_MSGID 0.000000, __HAS_X_FF_ASR 0.000000, __HAS_X_FF_ASR_CAT 0.000000, __HAS_X_FF_ASR_SFV 0.000000, __INBOUND_SOPHOS_US_WEST_2 0.000000, __JSON_HAS_MODELS 0.000000, __JSON_HAS_SCHEMA_VERSION 0.000000, __JSON_HAS_SENDER_AUTH 0.000000, __JSON_HAS_TENANT_DOMAINS 0.000000, __JSON_HAS_TENANT_ID 0.000000, __JSON_HAS_TENANT_SCHEMA_VERSION 0.000000, __JSON_HAS_TENANT_VIPS 0.000000, __JSON_HAS_TRACKING_ID 0.000000, __MIME_BOUND_CHARSET 0.000000, __MIME_TEXT_ONLY 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000, __MIME_VERSION 0.000000, __MSGID_DOMAIN_NOT_IN_HDRS 0.000000, __MTHREAT_0 0.000000, __MTL_0 0.000000, __NO_HTML_TAG_RAW 0.000000, __PHISH_SPEAR_SUBJECT 0.000000, __PHISH_SPEAR_SUBJ_ALERT 0.000000, __PHISH_SPEAR_SUBJ_PREDICATE 0.000000, __PHISH_SPEAR_TEAM 0.000000, __RCVD_PASS 0.000000, __SANE_MSGID 0.000000, __SCAN_DETAILS 0.000000, __SCAN_DETAILS_SANE 0.000000, __SCAN_DETAILS_TL_0 0.000000, __STOCK_PHRASE_24 0.000000, __SUBJ_TRANSACTIONAL 0.000000, __SUBJ_TR_GEN 0.000000, __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000, __URI_NO_MAILTO 0.000000, __X_FF_ASR_SCL_NSP 0.000000, __X_FF_ASR_SFV_NSPM 0.000000 |
| X-LASED-Impersonation | False |
| X-LASED-Spam | NonSpam |
| X-Sophos-MH-Mail-Info-Key | NFhjWnN2M0puY3paYzZILTE3Mi4xNy4yLjMw |
| Return-Path | AccessOnline.DataExchange@access-online.com |
| X-MS-Exchange-Organization-ExpirationStartTime | 28 Oct 2024 14:05:40.4404 (UTC) |
| X-MS-Exchange-Organization-ExpirationStartTimeReason | OriginalSubmit |
| X-MS-Exchange-Organization-ExpirationInterval | 1:00:00:00.0000000 |
| X-MS-Exchange-Organization-ExpirationIntervalReason | OriginalSubmit |
| X-MS-Exchange-Organization-Network-Message-Id | 3606aa2e-3b8a-4fd1-45d8-08dcf7599b00 |
| X-MS-Exchange-Organization-MessageDirectionality | Incoming |
| X-MS-Exchange-SkipListedInternetSender | ip=[104.47.75.173];domain=CAN01-YT3-obe.outbound.protection.outlook.com |
| X-MS-Exchange-ExternalOriginalInternetSender | ip=[104.47.75.173];domain=CAN01-YT3-obe.outbound.protection.outlook.com |
| X-MS-Exchange-Transport-CrossTenantHeadersStripped | YT2PEPF000001C9.CANPRD01.PROD.OUTLOOK.COM |
| X-MS-PublicTrafficType | |
| X-MS-Exchange-Organization-AuthSource | YT2PEPF000001C9.CANPRD01.PROD.OUTLOOK.COM |
| X-MS-Exchange-Organization-AuthAs | Anonymous |
| X-MS-Office365-Filtering-Correlation-Id-Prvs | c32d37ef-9400-4837-83b6-08dcf75942a8 |
| X-MS-Exchange-Organization-SCL | -1 |
| X-Microsoft-Antispam | BCL:4;ARA:13230040|3072899012|5062899012|82310400026|12012899012|2092899012|35042699022|2040899013; |
| X-Forefront-Antispam-Report | CIP:198.154.181.199;CTRY:CA;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKN;H:CAN01-YT3-obe.outbound.protection.outlook.com;PTR:mail-yt3can01lp2173.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(3072899012)(5062899012)(82310400026)(12012899012)(2092899012)(35042699022)(2040899013);DIR:INB; |
| X-MS-Exchange-CrossTenant-OriginalArrivalTime | 28 Oct 2024 14:05:40.1904 (UTC) |
| X-MS-Exchange-CrossTenant-Network-Message-Id | 3606aa2e-3b8a-4fd1-45d8-08dcf7599b00 |
| X-MS-Exchange-CrossTenant-Id | 42294ed2-c4ff-4332-8e2e-a2dc7ee0537a |
| X-MS-Exchange-CrossTenant-AuthSource | YT2PEPF000001C9.CANPRD01.PROD.OUTLOOK.COM |
| X-MS-Exchange-CrossTenant-AuthAs | Anonymous |
| X-MS-Exchange-CrossTenant-FromEntityHeader | Internet |
| X-MS-Exchange-Transport-EndToEndLatency | 00:00:01.7853924 |
| X-MS-Exchange-Processed-By-BccFoldering | 15.20.8093.014 |
| X-Microsoft-Antispam-Mailbox-Delivery | ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003); |
| X-Microsoft-Antispam-Message-Info | 9MjStaYFd4m1Mvqqd38bJiFW7KyDdXAqDi11mR1JZvDQJhe7V8BSRR2hcSB+MZu0sibGhTY5qcUuZJuQMypGqy/bqGMyU5VyejFylkYVIXcLIGsGfiH6v4vXwx2HHLjO8054UtyJx4wNpSU0eRfrcswPg8C5hUSiW67hvyrvZxFLzr/BCj3XE8DaUmyUFtPToOt6LTeQ3p7gsXwZ7n1Vbtd1ehxdpLBQsOlieRnrPqlrnOgomdz4kl38Qvv8z6XSlhTsJdLcJ+ks7K3gljFEBh3e0v3vFeEE8tvdsMcg32aSkA9kOc2SJ1TjNAVhq6SghMoaLTcrf+b29KsE4gxFAmrqzV6s4xss+jKZgvek2nbgXvNj6tR28MMwhrDZ5oee7fyYeU5Kf59tYrI+PGz9wQiS7/wboO0ibEgrDjldLONcKdmRhcEYouuLlmwBZMvpbhoCWag/rDv/h3Jjep3eb1TkyQhbHkKd3q2JwTR9q2lTiTwr+NbOFpT3+86fyam4dBbMqy2OaYtsvdJ2bUIZb9rzq9dwZOfiSDHIq1gIudMQNzNV1REfmprLaSTdg14znQ1Gx6qc0wjKnwu/J0V6vzu6Toue382FhF4rBSgOR5vF8RkbPWYnpUX5qrUXA3yT6H7zILrvdmFvAjg0/RfEnsbY5XlVUQsMA9zSE28fOsBtYKFmgGZNBzZQk1OyQ7Weqq/B3obh5p+Lo2AkU+4XEBHYQ6jdlcJCmsJQFOn9XmIoPKO89JZWunOvFsGe7V4ZBoCK2K3f5JpGs2wZ9x1skBtU3mLKbo2L0OrFUDVP1MR3lD8HuS9XpKbKHXQuBdZekywXDzNs0kUIjnsYZfB7kxYklgS8gC7jR2xDYtId3wCSTWdaQfSBmNPn5kY9wC7PXDw/H21fcptKFvzi2aWb7NZembRkkpDZT1sg2sAdh+9oJOiumfN1+tSsTwo0DgQWh3I7bAOwXmKAPqInNbQMU+rJj/1Qw7lVZMniqThKPX+7FfJs6ZuU54tscuaHK+6Gxc+VzKrf9Z0Sl6PBhdITVVbhXKF/n4IH6eFf3AWvVzxnwIL34d+224QW2Cr93sht/tNiBWPtpFdErmqjIqgLNh0E4Z0eeVp8fpbOGn64fVkX4o9chsrgWcVj1y1mWg4DyrvG2VgtTdrNPIBDvmvDNz1i3r93lw6FfyCOLuEaYXEcCcmHCyVMUD6QfOVc0Q6b4l53y3GMNP23MgHZKugEIkVAJCGWUzVRd0tbVT64t6NbBQ0ekvmUxhGilvHgKzPiBB8mVNntwTCmEZeveEGAJogLJcnKTs+cI5CtjcmFE1BHXipRL7O5ZZXhT5kDqdWBmLkC7Tq7ixHiy+fpT4d3bfefc01+peIBs/pm4rmc8kaAoHFLYkD6UsusVe0X/VCcVFNW13V9wA/R90R0uBlhFCt5r+fUB0IOdynlDeZu1akTmX20RfDEPQORMGLrnyfX2eBs/bJapQYA9w33VYWTOTUVK6Ri7Y69IVW3Ir7tz3AOFI4IIcfpJ63hSTDubELQsA6sSAyHWLKEoZIN6q1Q3GD9SETCiHH5xSv0HWQuLzPGX1/4FNLIU9gCS5SWbPAiRDNqRU04pDSG/Y0ZcAxAntdVOKrouSMnpR/3+bwq1abuqhy1HRRrLe/ulobJHL4TJrDk9q4yike9yU4fvI1T5J9TOdeRAHpXBN9DbpBItQ4BII/XD+06ZR8DEUSV8LxWBGX7E8oJlHGIU+ah9ioLebXrckCQkQWKdaX2Fj03C93wdEp2RHOCQZu4jpSPhOELbH25iUfbg3afZ8d28srdIUFnOflqu/aKs806M77yW4UijZ/5D5AVlcKFWMa2VzNdz2hlctAysvsuIJBAp79yq7c061/GNWQbp5p/DM3K/CKa8oNNLwIk39aF55R0sH1QuevTnUOUP7oUvbV7Jqdx8o8/jhuw+tUbRDC0BMKQ7NeEHReSI5dDXmpebITL1ywsxj1nX99EG65UmmpDZErB1DkzN9z8HF/s92EdNO5W4XBAMM1h7bR1NChPGtjrqCl6BybI1jfV4eB+QbCMvZ4n8sZYH/CJ1m/k9nWTYrB9N+CkBmaPWaHMpnfdpx5nbapzbAp9FZs+XwQ49YNQhUgBk1FH98CFEu5hd7PPxb+rFu6dJHC16YN7nk/87m5NLr7xntLq0t0e+P4l3de+45znFjvVV3CocniQtKb5+FIDs3EBIlWJGJV2S4Xg0mvuTfG+GZPEE3a2M+yEgFnDBYg0oVOwtw9PL9iDULHHaPcdG58ihba6ZncKgbrbD8bHyFDHOm6nQBJDlM1vmp527lPoQg== |
| MIME-Version | 1.0 |
 | |
| Icon Hash: | 46070c0a8e0c67d6 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node