Windows Analysis Report
SPECIAL PARTY INVITATION FROM DON & LINDA HUFFMAN.msg

{
    "explanation": [
        "All invitation links redirect to a suspicious domain 'punchmeetdirect.info' instead of legitimate Punchbowl.com domain",
        "The email uses urgency and social engineering by claiming to be from family members to encourage clicking",
        "Multiple tracking parameters and redirects in URLs suggest sophisticated phishing infrastructure"
    ],
    "phishing": true,
    "confidence": 9
}

{
    "date": "Wed, 20 Nov 2024 02:01:31 +0100", 
    "subject": "SPECIAL PARTY INVITATION FROM DON & LINDA HUFFMAN", 
    "communications": [
        "Luis \n\n \n\nI hate to bug you with this, but want to make sure there is no malicious links in the below.  This is coming from my aunt/uncle and may be related to my Moms birthday, but youve trained me to trust no one \n\n \n\nThank you!\n\n \n\nMatt Baker\nEVP, Chief Financial Officer\n\n \n\n <http://www.firstfedweb.com/> \n\n \n\nDirect (503) 435-3217 Email mbaker@firstfedweb.com <mailto:mbaker@firstfedweb.com> \n\n118 NE Third Street, McMinnville, OR 97128  \n\n <https://www.facebook.com/firstfederal/>  <https://www.instagram.com/first_federal/>  <https://www.linkedin.com/company/first-federal-savings-&-loan-of-mcminnville/?viewAsMember=true>  <https://www.youtube.com/channel/UCgGrkBPKOtKE-dMx-23qnwA> \n\n   \n\n\n\n \n\n \n\n---------- Forwarded message ---------\nFrom: Don or Linda Huffman <llhuffman@msn.com <mailto:llhuffman@msn.com> >\nDate: Thu, Nov 7, 2024 at 6:19AM\nSubject: SPECIAL PARTY INVITATION FROM DON & LINDA HUFFMAN\nTo: \n\n \n\n <https://ecp.yusercontent.com/mail?url=https%3A%2F%2Fstatic.punchbowl.com%2Fassets%2Fen%2Femail%2Flogo_punchbowl_145x32-a6ea47b4ad17889d8ebd3466d36b26316f017b737b637d53d08f6247cfcf663c.png&t=1678780345&ymreqid=d41d8cd9-8f00-b204-1c80-ac000a010500&sig=W9A4aX0DIU7W7hIJq8FQ1g--~D> \n\nYou're invited! Please click on the invitation to see more details and to RSVP.\n\n \n\nSPECIAL PARTY INVITATION FROM DON & LINDA HUFFMAN \n\n\t\n\n <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://punchmeetdirect.info/&E=mbaker%40firstfedweb.com&X=XID170CkgR4R5051Xd2&T=FF1001&HV=U,E,X,T&H=7657709960056573da15999e9daa042b06812829> \n\n \n\n <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://punchmeetdirect.info/&E=mbaker%40firstfedweb.com&X=XID170CkgR4R5051Xd2&T=FF1001&HV=U,E,X,T&H=7657709960056573da15999e9daa042b06812829> \n\n <https://ecp.yusercontent.com/mail?url=https%3A%2F%2Fwww.punchbowl.com%2Finvitation%2F9d959cab7e01efd6%2Ft.gif&t=1678780345&ymreqid=d41d8cd9-8f00-b204-1c80-ac000a010500&sig=6e_Ie29o7StM5w3NM99zlQ--~D> \n\n \n\nIf you can't see the above invitation, click here <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://punchmeetdirect.info/&E=mbaker%40firstfedweb.com&X=XID170CkgR4R5051Xd2&T=FF1001&HV=U,E,X,T&H=7657709960056573da15999e9daa042b06812829> .  \n\nNB : We believe your data belongs to you, so we use it \nonly to display your invite contents only.\n\n \n\nPunchbowl, Inc.\n50 Speen Street, Suite 202 <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://www.google.com/maps/search/50%2BSpeen%2BStreet,%2BSuite%2B202%2BFramingham,%2BMA%2B01701%3Fentry%3Dgmail%26source%3Dg&E=mbaker%40firstfedweb.com&X=XID170CkgR4R5051Xd2&T=FF1001&HV=U,E,X,T&H=051bd032bb79f4e7d0564eea216c41baf4b109a2> \nFramingham, MA 01701 <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://www.google.com/maps/search/50%2BSpeen%2BStreet,%2BSuite%2B202%2BFramingham,%2BMA%2B01701%3Fentry%3Dgmail%26source%3Dg&E=mbaker%40firstfedweb.com&X=XID170CkgR4R5051Xd2&T=FF1001&HV=U,E,X,T&H=051bd032bb79f4e7d0564eea216c41baf4b109a2>  \n\n \n\n \n\n \n\n \n\n \n\n\t\t\n\n \n\n\t\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n \n\n"
    ], 
    "from": "Matt Baker <MBaker@FirstFedWeb.com>", 
    "to": "Luis Maciel <LMaciel@firstfedweb.com>", 
    "attachements": [
        "image001.png", 
        "image002.png", 
        "image003.png", 
        "image004.png", 
        "image005.png", 
        "image006.png", 
        "image007.png", 
        "image008.jpg", 
        "image009.png"
    ]
}

{
  "contains_trigger_text": false,
  "trigger_text": "unknown",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false
}

{
  "brands": [
    "First Federal"
  ]
}

{
  "contains_trigger_text": true,
  "trigger_text": "Scanning URL for Threats...",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": true,
  "has_visible_qrcode": false
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": true,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": true,
    "third_party_hosting": true
}

URL: https://clicktime.cloud.postoffice.net

{
  "brands": [
    "Silversky"
  ]
}

{
  "contains_trigger_text": true,
  "trigger_text": "Scanning URL for Threats...",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": true,
  "has_visible_qrcode": false
}

{
  "contains_trigger_text": true,
  "trigger_text": "Please wait while Targeted Attack Protection checks this URL for threats.",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false
}

{
  "brands": [
    "Targeted Attack Protection"
  ]
}

{
  "brands": [
    "SilverSky"
  ]
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://postoffice.net