Windows Analysis Report
Fw Action required Review access by 14 November 2024.msg

• EGA enabled

• Found application associated with file extension: .msg

{
    "explanation": [
        "The email claims to be from Microsoft Security but uses urgency and pressure tactics with a deadline to review access",
        "The links in the email are redirected through Sophos protection, which is unusual for legitimate Microsoft communications",
        "The email contains inconsistencies in branding, mixing Azure AD and Microsoft Entra ID terminology in a suspicious way"
    ],
    "phishing": true,
    "confidence": 8
}

{
    "date": "Wed, 30 Oct 2024 14:16:12 +0100", 
    "subject": "Fw: Action required: Review access by 14 November 2024", 
    "communications": [
        "looks phishy\n\n\nAnees Modan\n\n \n\nHead of Core Business Systems\n\n \n\nW: cardfactory.co.uk\n\n \n\n\n\n \n\nThis email is for the intended recipient only and is confidential. If this email has been misdirected, please let the sender know and delete it. Any disclosure, copying, distribution or other use is prohibited. Although we take great care to protect our network from computer viruses, we accept no responsibility for mail-borne viruses and recommend that you scan the email and its attachments. If you do find any virus please let us know so that we may take appropriate action. For the legal protection of our business any email sent or received by us may be monitored or intercepted. Sportswift Limited trading as cardfactory company number 03493972, registered in England and Wales and  whose registered office is Century House, Brunel Road, Wakefield 41 Industrial Estate, Wakefield, West Yorkshire, WF2 0XG.\n\n \n\n________________________________\n\n", 
        "From: Microsoft Security <MSSecurity-noreply@microsoft.com>\nSent: Thursday, October 17, 2024 11:29 AM\nTo: Anees Modan <Anees.Modan@cardfactory.co.uk>\nSubject: Action required: Review access by 14 November 2024 \n \nReminder: Confirm your need for access. Azure Active Directory is now Microsoft Entra ID. Learn More. Please review Your Microsoft 365 Guest Account in SAP SE: Please review by 14 November 2024 to con \nCAUTION: This email originated from outside of the organisation. If in doubt please use the report message button to Security.\t \nsophospsmartbannerend \nReminder: Confirm your need for access.                                                                                                                                                                                                                                                                      \n <https://aadcdn.msftauthimages.net/c1c6b6c8-6apefqgxjmqyqv1py-27zisoqhbqzg27hafx-dvsstu/logintenantbranding/0/bannerlogo?ts=636701132408700000> \t\t\n <https://images.ecomm.microsoft.com/cdn/mediahandler/azure-emails-templates/production/shared/images/templates/shared/images/icons/status-info-gray.png> \tAzure Active Directory is now Microsoft Entra ID. Learn More. <https://eu-west-1.protection.sophos.com?d=aka.ms&u=aHR0cHM6Ly9ha2EubXMvRW50cmFJRA==&p=m&i=NjVjNTg4NDM3NThkMjYzMWU1N2QyOWJl&t=bHBZTzdvSi9kM0NUcEhCYTQ3d0Nwb0daT1hjRTUrSksva2dtbTBWK2FUUT0=&h=022acead68fc4a3d9ebac3211f0212e0&s=AVNPUEhUT0NFTkNSWVBUSVYgfuMvzoLjIbPfdW7whZuSxp9XaiC50iQQmyKIVGzn-qHent-BP_63qD7_3k6v2xY> \t \n\t\n\nPlease review Your Microsoft 365 Guest Account in SAP SE:\n\n\t\nPlease review by 14 November 2024 to confirm your continued need for access.\n\nTo continue having access to your Microsoft 365 Guest Account at SAP SE, please click the Review access button below and follow the steps to confirm your account (MFA required). If you deny or dont respond in time your Guest account will be deactivated.\n\nLearn more about reviewing your access. <https://eu-west-1.protection.sophos.com?d=microsoft.com&u=aHR0cHM6Ly9kb2NzLm1pY3Jvc29mdC5jb20vZW4tZ2IvYXp1cmUvYWN0aXZlLWRpcmVjdG9yeS9hY3RpdmUtZGlyZWN0b3J5LWF6dXJlLWFkLWNvbnRyb2xzLWhvdy10by1yZXZpZXcteW91ci1hY2Nlc3M=&p=m&i=NjVjNTg4NDM3NThkMjYzMWU1N2QyOWJl&t=a3Z1ZmkrZjRlaUNVWmlkV05iWTh2R1BJQndkMHcwWk1QVXZ2MHpmeFhybz0=&h=022acead68fc4a3d9ebac3211f0212e0&s=AVNPUEhUT0NFTkNSWVBUSVYgfuMvzoLjIbPfdW7whZuSxp9XaiC50iQQmyKIVGzn-qHent-BP_63qD7_3k6v2xY> \n\n\t\nReview access > <https://eu-west-1.protection.sophos.com?d=microsoft.com&u=aHR0cHM6Ly9teWFjY2Vzcy5taWNyb3NvZnQuY29tL3NhcC5vbm1pY3Jvc29mdC5jb20jL2FjY2Vzcy1yZXZpZXdzL2EyYTRmYjJjLThjMDgtNGJkMy1iNDdkLWZkMjhmMmFkYTU3OQ==&p=m&i=NjVjNTg4NDM3NThkMjYzMWU1N2QyOWJl&t=dHRBVGRvZ0RoeTYvbE9OWS92YXYxaHBCQ2J1cFNZQUpoUlZrdTJKRWpjUT0=&h=022acead68fc4a3d9ebac3211f0212e0&s=AVNPUEhUT0NFTkNSWVBUSVYgfuMvzoLjIbPfdW7whZuSxp9XaiC50iQQmyKIVGzn-qHent-BP_63qD7_3k6v2xY> \t \n\t\nWant to try our new experience (preview)? Click Here\n\n\t\nPrivacy Statement <https://eu-west-1.protection.sophos.com?d=microsoft.com&u=aHR0cHM6Ly9nby5taWNyb3NvZnQuY29tL2Z3bGluay8_TGlua0lkPTUyMTgzOQ==&p=m&i=NjVjNTg4NDM3NThkMjYzMWU1N2QyOWJl&t=aFUvcHJmZEw2VU1HQkxvOGZNY1ByWEsxTzNCT0gvcWZjdTJjbFM4NGtyND0=&h=022acead68fc4a3d9ebac3211f0212e0&s=AVNPUEhUT0NFTkNSWVBUSVYgfuMvzoLjIbPfdW7whZuSxp9XaiC50iQQmyKIVGzn-qHent-BP_63qD7_3k6v2xY> \n\nMicrosoft Corporation, One Microsoft Way, Redmond, WA 98052\n\nFacilitated by\n\n <https://images.ecomm.microsoft.com/cdn/mediahandler/azure-emails-templates/production/shared/images/templates/shared/images/logos/microsoft-logo-2x.png> \t\n"
    ], 
    "from": "Anees Modan <Anees.Modan@cardfactory.co.uk>", 
    "to": "Security <Security@cardfactory.co.uk>", 
    "attachements": [
        "Outlook-sfo2h2la.png"
    ]
}

```json
{
  "contains_trigger_text": true,
  "trigger_text": "Action required: Review access by 14 November 2024",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": true,
  "has_visible_qrcode": false
}

```json
{
  "brands": [
    "cardfactory",
    "cardfactory.co.uk"
  ]
}