Windows Analysis Report
_EXTERNAL_ Action Required_ Access & Approve Closing Document.msg

{
    "explanation": [
        "The email claims to be from DocuSign but uses a suspicious sender address (mvmservico.awsapps.com)",
        "Contains urgent action request and generic 'View Document' button typical of phishing attempts",
        "The actual email thread content about lift trucks appears to be unrelated and likely appended to make the phishing attempt look legitimate"
    ],
    "phishing": true,
    "confidence": 9,
    "generated_by_ai": false
}

{
    "date": "Fri, 13 Dec 2024 18:12:23 +0100", 
    "subject": "[EXTERNAL] Action Required: Access & Approve Closing Document", 
    "communications": [
        "CAUTION: This email originated from outside of the organization and has a high sense of urgency. Please use caution before opening any attachments, clicking any links, or following instructions below. Do not sign-in with your corporate account. Please report email as phishing if in doubt.\nWarning Code: [URG1]\n\n\nDocuSign\n\n\nA document is available for you. Please click the button below to see the details.   \n\n \n\nVIEW COMPLETED DOCUMENT \n\n \n\n \n_______________________________________________________________________ This email is intended only for the use of the individual(s) to whom it is addressed and may be privileged and confidential. Unauthorised use or disclosure is prohibited. If you receive this e-mail in error, please advise immediately and delete the original message. This message may have been altered without your or our knowledge and the sender does not accept any liability for any errors or omissions in the message. Ce courriel est confidentiel et protg. L'expditeur ne renonce pas aux droits et obligations qui s'y rapportent. Toute diffusion, utilisation ou copie de ce message ou des renseignements qu'il contient par une personne autre que le (les) destinataire(s) dsign(s) est interdite. Si vous recevez ce courriel par erreur, veuillez m'en aviser immdiatement, par retour de courriel ou par un autre moyen. Please see link for RBCCM disclosures. https://www.rbccm.com/rbccm/policies-disclaimers.page. \n\n \n\n\n\n\n_______________________________________________________________________ This email is intended only for the use of the individual(s) to whom it is addressed and may be privileged and confidential. Unauthorised use or disclosure is prohibited. If you receive this e-mail in error, please advise immediately and delete the original message. This message may have been altered without your or our knowledge and the sender does not accept any liability for any errors or omissions in the message. Ce courriel est confidentiel et protg. L'expditeur ne renonce pas aux droits et obligations qui s'y rapportent. Toute diffusion, utilisation ou copie de ce message ou des renseignements qu'il contient par une personne autre que le (les) destinataire(s) dsign(s) est interdite. Si vous recevez ce courriel par erreur, veuillez m'en aviser immdiatement, par retour de courriel ou par un autre moyen. Please see link for RBCCM disclosures. https://www.rbccm.com/rbccm/policies-disclaimers.page. \n\n \n\n\n \n\n\n \n\n\n \n\n\n \n\n\n \n\n\n \n\n\n \n\n\n \n\n\n \n\n\n \n\n\nThank you Jim! \n\n \n\nI let Wayne know.  He handles our receiving area and blocking of trucks, so hell be ready for you. \n\n \n\nThanks and have a great weekend! \n\n \n\nQuint Brown \n\nSales Manager \n\nCrown Lift Trucks\n\n17700 East 32nd Place \n\nDenver, CO  80011 \n\nTel 303-344-1000\n\nMobile 303-419-5513 \n\nQuint.brown@crown.com\n\nwww.crown.com <https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.crown.com%2F&data=05%7C02%7Cjperez%40olgoonik.com%7C0bc2ff93f09e442dddab08dd1b994ff8%7C341c5aad39be47a3901e146d297ecd80%7C0%7C0%7C638697068698243785%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=DBfLyv40QHEapUJU9ERI1B1lN2NrYJQHlfKIvCd7bCM%3D&reserved=0> \n\n \n\n", 
        "From: Jim White <jim.white@furniturerow.com> \nSent: Friday, December 6, 2024 4:23 PM\nTo: Brown, Quint <Quint.Brown@Crown.com>\nCc: Jack Herrera <jack.herrera@furniturerow.com>; Machado, Paul <Paul.Machado@Crown.com>; efrain.figarora@crown.com; Jose Ocon <jose.ocon@furniturerow.com>; Chad Roberts <chad.roberts@furniturerow.com>\nSubject: Re: sending a picker over to be secured\n\n \n\nWarning: This email originated from outside of Crown. Do not click on links unless you know the \ncontent is safe. If you are prompted for a password, STOP! Contact the Help Desk immediately!\n\nHi Quint, \n\nAfter 9 shouldnt be a problem.  We will plan on it\n\n \n\nThanks \n\nJim \n\nSent from my iPad\n\n\n\n\n\n\tOn Dec 6, 2024, at 3:52 PM, Brown, Quint <Quint.Brown@crown.com <mailto:Quint.Brown@crown.com> > wrote:\n\n\t \n\n\tJack, \n\n\t \n\n\tWe can do this on Wednesday.  Would you be able to have your driver show up after say 9:00 AM?  Our dock is pretty busy on Wednesday mornings. \n\n\t \n\n\tThank you. \n\n\t \n\n\tQuint Brown \n\n\tSales Manager \n\n\tCrown Lift Trucks\n\n\t17700 East 32nd Place \n\n\tDenver, CO  80011 \n\n\tTel 303-344-1000\n\n\tMobile 303-419-5513 \n\n\tQuint.brown@crown.com <mailto:Quint.brown@crown.com> \n\n\twww.crown.com <https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.crown.com%2F&data=05%7C02%7Cjperez%40olgoonik.com%7C0bc2ff93f09e442dddab08dd1b994ff8%7C341c5aad39be47a3901e146d297ecd80%7C0%7C0%7C638697068698268586%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=cxFfyD5jsFTaZxhEbj2OY%2B3%2FWyt8IRaQf%2BGLKDddwr0%3D&reserved=0> \n\n\t \n\n\tFrom: Jack Herrera <jack.herrera@furniturerow.com <mailto:jack.herrera@furniturerow.com> > \n\tSent: Friday, December 6, 2024 2:20 PM\n\tTo: Machado, Paul <Paul.Machado@Crown.com <mailto:Paul.Machado@Crown.com> >; Brown, Quint <Quint.Brown@Crown.com <mailto:Quint.Brown@Crown.com> >; efrain.figarora@crown.com <mailto:efrain.figarora@crown.com> \n\tCc: Jim White <jim.white@furniturerow.com <mailto:jim.white@furniturerow.com> >; Jose Ocon <jose.ocon@furniturerow.com <mailto:jose.ocon@furniturerow.com> >; Chad Roberts <chad.roberts@furniturerow.com <mailto:chad.roberts@furniturerow.com> >\n\tSubject: sending a picker over to be secured\n\n\t \n\n\tWarning: This email originated from outside of Crown. Do not click on links unless you know the \n\tcontent is safe. If you are prompted for a password, STOP! Contact the Help Desk immediately!\n\n\tGood afternoon Paul and Quint.\n\n\tWe would like to send a picker over in a trailer to be secured for an over the road trip.\n\n\tWe were planning on sending it Wednesday 12-11 mid-morning, having it secured and then bring it back.\n\n\tLet me know if that works.\n\n\tThanks,\n\n\t \n\n\tJack Herrera\n\n\tDenver Mattress Co\n\n\tTransportation Manager\n\n\t<image001.jpg>\n\n\tOffice: 303-566-8119\n\n\tCell: 720-429-9883\n\n\tJack.herrera@furniturerow.com <mailto:Jack.herrera@furniturerow.com> \n\n\t \n\n"
    ], 
    "from": "e-Doc <no-reply@mvmservico.awsapps.com>", 
    "to": "ithelpdesk@olgoonik.com", 
    "attachements": []
}

{
  "contains_trigger_text": true,
  "trigger_text": "VIEW COMPLETED DOCUMENT",
  "prominent_button_name": "VIEW COMPLETED DOCUMENT",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": true,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_security_alerts": true
}

{
  "brands": [
    "DocuSign"
  ]
}

{"classification":"Credential Stealer"}

Email:
Detected potential phishing email: The email claims to be from DocuSign but uses a suspicious sender address (mvmservico.awsapps.com). Contains urgent action request and generic 'View Document' button typical of phishing attempts. The actual email thread content about lift trucks appears to be unrelated and likely appended to make the phishing attempt look legitimate

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": true,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://nam04.safelinks.protection.outlook.com

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://outlook.com