Windows Analysis Report
FW Important Security Policy Update.msg

• EGA enabled

• Found application associated with file extension: .msg

{
    "explanation": [
        "The sender email 'noreply@updates-microsoft365.com' is suspicious and not a legitimate Microsoft domain",
        "The email contains phishing-like URLs (guru.phishing.guru in the links)",
        "The message creates urgency by requiring immediate action for 'security policy updates'"
    ],
    "phishing": true,
    "confidence": 10
}

{
    "date": "Thu, 14 Nov 2024 01:21:17 +0100", 
    "subject": "FW: Important Security Policy Update", 
    "communications": [
        "External Sender:\n\n________________________________\n\n\nIm wondering if other staff receive these as well and if staff should apply update or should we send out an email that its done in another way?\n\n \n\nTammy Busch\n\nAssistant Superintendent of Business Services\n\nCertified School Risk Manager\n\nRiver Delta Unified School District\n\n707-374-1715\n\ntbusch@rdusd.org <mailto:tbusch@rdusd.org> \n\n \n\n", 
        "From: Microsoft 365 <noreply@updates-microsoft365.com> \nSent: Wednesday, November 13, 2024 3:18 PM\nTo: Tammy Busch <tbusch@rdusd.org>\nSubject: Important Security Policy Update\n\n \n\n <https://upload.wikimedia.org/wikipedia/commons/thumb/9/96/Microsoft_logo_%282012%29.svg/1024px-Microsoft_logo_%282012%29.svg.png> \n\nImportant Security Policy Update\n\nHi Tammy Busch,\n\nA new update was recently released for one or more Microsoft services currently active in your account tbusch@rdusd.org <mailto:tbusch@rdusd.org> .\n\nVersion Release Date: November 13, 2024\nVersion Release Code: 23407142\n\nYou're required to accept the updated policy changes to continue using your account securely.\n\n \n\nApply Update <https://url.us.m.mimecastprotect.com/s/qG95CL9mjxiRpjD5uBfgHy_mcS?domain=guru.phishing.guru> \n\n \n\nMicrosoft 365 Mobile & Desktop Apps Security Patch\n\nWe've released a major security patch to the following update channels for Microsoft 365 Apps: Azure SSL/TLS Security Certificate. When will this happen: We'll be gradually rolling out this update of Microsoft 365 Apps to users on the update channel.\n\nIf you have any questions about this update, please let us know <https://url.us.m.mimecastprotect.com/s/qG95CL9mjxiRpjD5uBfgHy_mcS?domain=guru.phishing.guru> .\n\nThank you,\nMicrosoft 365 Security Team\n\n <https://guru.phishing.guru/XZUd2ZXlxLzNlUGc1d0NKWkJBYWo5YmFEYSt0ZzM2R3djTm5iS1JYdS93YW5hN1p6ZGlkeVcyRGV0VnJadjNpbVl1V0JmTUcxREJuRHUvbUVCK1c1dGdtRnlZbEQ1S2thZi8rOUtRekcraVJwSXJOWS9zRHl1dz09LS1VNmdTRHNPTEh2YUYxeWQ5LS05RFcwVktJSkhHQU94alBBdmlpNXlRPT0=?cid=2279533539> \n\n"
    ], 
    "from": "Tammy Busch <tbusch@rdusd.org>", 
    "to": "Gabriel Espinoza <gespinoza@mydatapath.com>", 
    "attachements": []
}

```json
{
  "contains_trigger_text": true,
  "trigger_text": "You're required to accept the updated policy changes to continue using your account securely.",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": true,
  "has_visible_qrcode": false
}

```json
{
  "brands": [
    "Microsoft"
  ]
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": true,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://secured-login.net