Windows Analysis Report
phish_alert_iocp_v1.4.58.eml

{
    "explanation": [
        "Sender domain 'subitoturbo.it' is suspicious and unrelated to Microsoft/Office 365",
        "Subject line uses invoice number format typical of phishing attempts",
        "Attachment has suspicious name pattern trying to appear as official receipt"
    ],
    "phishing": true,
    "confidence": 9,
    "generated_by_ai": false
}

{
    "date": "Mon, 13 Jan 2025 17:12:07 -0500", 
    "subject": "Your Office 365 Subscription Has Been Renewed INV-0056jkheC", 
    "communications": [
        " "
    ], 
    "from": "\"info@subitoturbo.it\" <info@subitoturbo.it>", 
    "to": "Greg Poma <Greg_Poma@liparifoods.com>", 
    "attachements": [
        "Subscription_Renewal_Receipt_2025.htm"
    ]
}

{
  "risk_score": 9,
  "reasoning": [
    "Multiple authentication failures: SPF fail, DKIM fail, and DMARC fail",
    "IP address 205.139.110.120 is not authorized to send for amazonses.com",
    "Mismatched domains: Return-path shows amazonses.com but DKIM signature claims subitoturbo.it",
    "Suspicious boundary string '00B0FEED_message_boundary' appears potentially crafted",
    "While using Amazon SES infrastructure, the authentication failures suggest domain spoofing",
    "Message is attempting to appear legitimate by using Amazon SES headers but fails all authentication checks",
    "The combination of mixed domain usage and complete authentication failure is a strong indicator of malicious intent"
  ]
}

Date: Mon, 13 Jan 2025 17:12:07 -0500
Key: mime-version
Value: 1.0
Key: return-path
Value:  0100019461b96477-e5c6f6dd-2fc3-48ed-9744-fd271e292521-000000@amazonses.com
Key: x-microsoft-antispam-message-info
Value:  fPKA3Ap2IKtqzpWGzh+YolMPGmCVi/P/vngI9O2URzQHELeMdg8kcjwmRBKWYfSRol27ihmPSmfBvUSXiubHkh0ruadaEcOVoSyUsX6muKClAFDV0gwGP4lxy5OrXvhKpJ+6hxj4Ove0hSJCDnLx+Dcv2saxFpIc9Z4hdvIjNGcXyB09lF1L5emOlYr9jhfaX8Zfq3gFXHr6wJZ3DVtRmcWNJdUrRMDXM3y1+hOv+SZQvVw2HRUN8aS+QxLkcsSqO9D7USdlJmYFMy3/umvV+AOhbI9YX3uw8giBzNOGcmVKZCeXWlrWTIZEsVUbtamlOUyxZI71Y9jdwTNe7F0RRkPN5tqep7nZFE8o0iAUBCY/Uu1KGNGrzuORummF3nolH18sVa89FlH/sDcJ7tWtx3DzJ7DdCFMzhT7OJtqwDFhgfC9DvrZWbI6a2P2uAIzsemeHSFWfZK/BuAZAlqCm+g8sORvwBQMh+LjXoayVu/CBF2YdX8JHseQKU1AYeiqxXaXmWH6B916uKL4jU9i6ubzNV7od6FptwMNSobYWlKtpRfpMUBKDCM+QhNtb4Tmf/6LOXnr9Vt/IbNLvHwaiTx2Nuowa+iR9DgnWJeWpepPc2u27zD7/wRG7RIqUMzCXdFXpZIRsTf36qLX0yWW7EtWA/2mV3bWf7m0w1SX+xEcavZTIJOYD/ULui8sR04BlQytMwcFT4ApHanS/bjaaOQiphVMSDqqRNDTpE5WLw22RNapbuJhAT9PGQ38WZKlukr/kpi519F4PITnseAkSkKfERQVZO4aftJvVV00QXPSJIvcTpbjio8sTsLadOdW3+R3GIobar/uzjwU3OC9alWVwEQSfDjMb3X6KxIPBka1HAMQkykzRVgbQyIno0FoosgkI1tMsXWX+wD62hsbgqFIZCrotYGjh4KdwWHef9DVVTq48fXBn0Zs0+hfxhHcuPG8ZYdxZ4kPhSTcPRa9zqb3edbQ7fW4BiooP2w0C8aEHhXp7w/V+MI5TIolFX0wHXjej9OoJN4id27cmmegueFVi4b6R2K4OSBfdg2quVRs48H5qyZMCgG/ld+bXXC8PyECG0HFKAWFmZWyqxY7Qm0OIr+caho3ixirodfbQNj/+gM3n+gD17u0fMIs/gjMf6M5gccNenahu8xqnrplrKdxtCf/SPm0/INfD0VUnJLfHtwecLOtmIAvHWuG9DzXq6rOZ+Q3kHYb9gATmL4EL8KGajoCWpZuK4pBLqKrxMdQUstZvZ7IhsOe3qi/YFHByO7KyAML+g1+eOBOAG0cDWwl3jigxHYqwEVYixk4WaK2cSzM+BXY9CVpCBlBhq8HRCQZO0btvK5u8Uq2nqexnUqJ92qzVhbiRU5kGhVSn9jv8CXZINBewCCjGZwIdap9V/7tnMPXva1pWMaweVtyFuLsyMKHgTKbq4iurTDE6T1gFb6N6NCjMefcForjzpZyGtnxJS+2DJ2qB24DRBmW2OsN2v/6uitlAddlbGghyOfvPenqavFEShqJQdGr+CnjjhA+L4rO5t2p3HtLiHtd6KzDGmM5MxyeW4aDNe6FwBnGLSGBiaNOKLAm7M47xNaD5ZBWNmJjz09NAvFYW3LKaku2KBR6Mnb9DbWzxftD4jtrPtaUmwQDPrWP24/LPkngHQIyOpbyjE0FMEWQw6kiLspmAZmhoskuAVGpw7hCz6bhvzgAgQa62QrWcAkxDwihRmDMUf+dG+uIUjeZpHIaEHfksOZ7/rC1vw169cddLqQdqsi/eQ+LcFFhKbts305wNWzWLAS0NK2YUWmZYAJ4jWrmP9MQ8psZ2vD+/rOtzi5942v0VmRKD5P1gVzYYgpLFgnjFZyu0uCrEnFJ3SlQWIg==
Key: received-spf
Value: Fail (protection.outlook.com: domain of amazonses.com does not designate 205.139.110.120 as permitted sender) receiver=protection.outlook.com; client-ip=205.139.110.120; helo=us-smtp-inbound-delivery-1.mimecast.com;
Key: message-id
Value:  <0100019461b96477-e5c6f6dd-2fc3-48ed-9744-fd271e292521-000000@email.amazonses.com>
Key: authentication-results
Value: spf=fail (sender IP is 205.139.110.120) smtp.mailfrom=amazonses.com; dkim=fail (body hash did not verify) header.d=subitoturbo.it;dmarc=fail action=none header.from=subitoturbo.it;compauth=none reason=405
Key: received
Value: Tue, 14 Jan 2025 09:15:25 -0500
Key: feedback-id
Value:  ::1.us-east-1.Sq9mu6vRfwHCY05zgzLiCvMYMG/zoPqBFWxD/Hy+7LM=:AmazonSES
Key: x-ms-exchange-crosstenant-authas
Value: Anonymous
Key: x-ms-exchange-crosstenant-originalarrivaltime
Value: 14 Jan 2025 14:15:22.2871 (UTC)
Key: content-type
Value: Multipart/mixed; charset="us-ascii"; boundary="00B0FEED_message_boundary"
Key: dkim-signature
Value: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1736806327; h=Content-Type:Content-Transfer-Encoding:From:To:Subject:Message-ID:Date:MIME-Version:Feedback-ID;  bh=nJLoRATnp2bS5NKnTDm+Ia0Tvnjnlkyphvx035auUag=; b=C5QraCSpmnLRBN8IDkUooBOFc+P4wWYdZxWBb9himCkojKgMXbih+r5Mt0JxIFdT kV0C1Ke6bEBjsLp4jHZjjQdXltq4cERMjyjEIaNb3ghM8OphK5gfoYg5AQkGaDjx3Ws psWSDrctF28BIVYM6etur5mla1eY2fgbuImYjrww=
Key: x-forefront-antispam-report
Value:  CIP:205.139.110.120;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:SKN;H:us-smtp-inbound-delivery-1.mimecast.com;PTR:us-smtp-inbound-delivery-1.mimecast.com;CAT:NONE;SFS:(13230040)(32142699015)(12012899012)(31092699021)(2092899012);DIR:INB;
Key: x-ms-exchange-organization-scl
Value: -1
Key: x-microsoft-antispam
Value:  BCL:0;ARA:13230040|32142699015|12012899012|31092699021|2092899012;

{"classification":"Invoice Scam"}

Email:
Detected potential phishing email: Sender domain 'subitoturbo.it' is suspicious and unrelated to Microsoft/Office 365. Subject line uses invoice number format typical of phishing attempts. Attachment has suspicious name pattern trying to appear as official receipt

{
    "risk_score": 7,
    "reasoning": "The script demonstrates a high-risk behavior by redirecting the user to an untrusted domain, which is a common tactic used in phishing and malware attacks. The use of a URL shortener or obfuscated domain further increases the suspicion. While the intent is not explicitly malicious, the redirection to an unknown domain poses a significant risk to the user's security and should be investigated further."
}

 
   
self.location = 'https://url.us.m.mimecastprotect.com/s/YoNFCkRj7jhqyGBjUVhjSG19o8?domain=243dev.com'; 
//--> 

{
    "risk_score": 1,
    "reasoning": "The provided JavaScript snippet appears to be a configuration object for the Mimecast branding, which includes links to the company's website, knowledge base, and support resources. There are no indicators of high-risk behaviors, such as dynamic code execution, data exfiltration, or redirects to malicious domains. The script seems to be a legitimate part of the Mimecast application and does not pose a significant security risk."
}

window.mimecast = {"branding":{"defaultBranding":{"defaultConfiguration":{"knowledgeBase":{"href":"https://community.mimecast.com/docs/DOC-241","label":"LOGIN_HOME_LNK"},"home":{"href":"http://www.mimecast.com/","label":"KNOWLEDGE_BASE"},"loginHelp":{"href":"https://community.mimecast.com/docs/DOC-241","label":"LOGIN_LOGIN_HELP_LNK"},"support":{"href":"https://community.mimecast.com/docs/DOC-241","label":"LOGIN_LOGIN_HELP_LNK"}},"originalContextPath":"ttpwp","branded":false,"favIcon":"/ttpwp/resources/images/favicon.ico","favIconMobile":"/ttpwp/resources/images/favicon-mobile.png","home":{"default":true,"href":"http://www.mimecast.com/","label":"KNOWLEDGE_BASE"},"knowledgeBase":{"default":true,"href":"https://community.mimecast.com/docs/DOC-241","label":"LOGIN_HOME_LNK"},"loginHelp":{"default":true,"href":"https://community.mimecast.com/docs/DOC-241","label":"LOGIN_LOGIN_HELP_LNK"},"support":{"default":true,"href":"https://community.mimecast.com/docs/DOC-241","label":"LOGIN_LOGIN_HELP_LNK"},"logo":"/ttpwp/resources/images/mimecast-logo.png"},"defaultConfiguration":{"knowledgeBase":{"href":"https://community.mimecast.com/docs/DOC-241","label":"LOGIN_HOME_LNK"},"home":{"href":"http://www.mimecast.com/","label":"KNOWLEDGE_BASE"},"loginHelp":{"href":"https://community.mimecast.com/docs/DOC-241","label":"LOGIN_LOGIN_HELP_LNK"},"support":{"href":"https://community.mimecast.com/docs/DOC-241","label":"LOGIN_LOGIN_HELP_LNK"}},"originalContextPath":"ttpwp","branded":false,"favIcon":"/ttpwp/resources/images/favicon.ico","favIconMobile":"/ttpwp/resources/images/favicon-mobile.png","home":{"default":true,"href":"http://www.mimecast.com/","label":"KNOWLEDGE_BASE"},"knowledgeBase":{"default":true,"href":"https://community.mimecast.com/docs/DOC-241","label":"LOGIN_HOME_LNK"},"loginHelp":{"default":true,"href":"https://community.mimecast.com/docs/DOC-241","label":"LOGIN_LOGIN_HELP_LNK"},"support":{"default":true,"href":"https://community.mimecast.com/docs/DOC-241","label":"LOGIN_LOGIN_HELP_LNK"},"logo":"/ttpwp/resources/images/mimecast-logo.png"}};

{
    "risk_score": 6,
    "reasoning": "The provided JavaScript snippet contains several behaviors that raise moderate security concerns. It includes external data transmission to third-party domains, the use of fallback domains, and aggressive DOM manipulation. While there are no clear indicators of malicious intent, the overall behavior suggests the script may be overly aggressive or poorly implemented, potentially leading to privacy or security issues. Further review is recommended to determine the script's true purpose and ensure it is not misusing user data or introducing unnecessary risks."
}

(window.webpackJsonp=window.webpackJsonp||[]).push([[4],{3:function(n,e,o){n.exports=o("lEuh")},JPst:function(n,e,o){"use strict";n.exports=function(n){var e=[];return e.toString=function(){return this.map(function(e){var o=n(e);return e[2]?"@media ".concat(e[2]," {").concat(o,"}"):o}).join("")},e.i=function(n,o,t){"string"==typeof n&&(n=[[null,n,""]]);var a={};if(t)for(var r=0;r<this.length;r++){var c=this[r][0];null!=c&&(a[c]=!0)}for(var l=0;l<n.length;l++){var i=[].concat(n[l]);t&&a[i[0]]||(o&&(i[2]=i[2]?"".concat(o," and ").concat(i[2]):o),e.push(i))}},e}},LboF:function(n,e,o){"use strict";var t,a=function(){var n={};return function(e){if(void 0===n[e]){var o=document.querySelector(e);if(window.HTMLIFrameElement&&o instanceof window.HTMLIFrameElement)try{o=o.contentDocument.head}catch(t){o=null}n[e]=o}return n[e]}}(),r=[];function c(n){for(var e=-1,o=0;o<r.length;o++)if(r[o].identifier===n){e=o;break}return e}function l(n,e){for(var o={},t=[],a=0;a<n.length;a++){var l=n[a],i=e.base?l[0]+e.base:l[0],f=o[i]||0,d="".concat(i," ").concat(f);o[i]=f+1;var m=c(d),b={css:l[1],media:l[2],sourceMap:l[3]};-1!==m?(r[m].references++,r[m].updater(b)):r.push({identifier:d,updater:p(b,e),references:1}),t.push(d)}return t}function i(n){var e=document.createElement("style"),t=n.attributes||{};if(void 0===t.nonce){var r=o.nc;r&&(t.nonce=r)}if(Object.keys(t).forEach(function(n){e.setAttribute(n,t[n])}),"function"==typeof n.insert)n.insert(e);else{var c=a(n.insert||"head");if(!c)throw new Error("Couldn't find a style target. This probably means that the value for the 'insert' parameter is invalid.");c.appendChild(e)}return e}var f,d=(f=[],function(n,e){return f[n]=e,f.filter(Boolean).join("\n")});function m(n,e,o,t){var a=o?"":t.media?"@media ".concat(t.media," {").concat(t.css,"}"):t.css;if(n.styleSheet)n.styleSheet.cssText=d(e,a);else{var r=document.createTextNode(a),c=n.childNodes;c[e]&&n.removeChild(c[e]),c.length?n.insertBefore(r,c[e]):n.appendChild(r)}}function b(n,e,o){var t=o.css,a=o.media,r=o.sourceMap;if(a?n.setAttribute("media",a):n.removeAttribute("media"),r&&"undefined"!=typeof btoa&&(t+="\n/*# sourceMappingURL=data:application/json;base64,".concat(btoa(unescape(encodeURIComponent(JSON.stringify(r))))," */")),n.styleSheet)n.styleSheet.cssText=t;else{for(;n.firstChild;)n.removeChild(n.firstChild);n.appendChild(document.createTextNode(t))}}var s=null,u=0;function p(n,e){var o,t,a;if(e.singleton){var r=u++;o=s||(s=i(e)),t=m.bind(null,o,r,!1),a=m.bind(null,o,r,!0)}else o=i(e),t=b.bind(null,o,e),a=function(){!function(n){if(null===n.parentNode)return!1;n.parentNode.removeChild(n)}(o)};return t(n),function(e){if(e){if(e.css===n.css&&e.media===n.media&&e.sourceMap===n.sourceMap)return;t(n=e)}else a()}}n.exports=function(n,e){(e=e||{}).singleton||"boolean"==typeof e.singleton||(e.singleton=(void 0===t&&(t=Boolean(window&&document&&document.all&&!window.atob)),t));var o=l(n=n||[],e);return function(n){if(n=n||[],"[object Array]"===Object.prototype.toString.call(n)){for(var t=0;t<o.length;t++){var a=c(o[t]);r[a].references--}for(var i=l(n,e),f=0;f<o.length;f++){var d=c(o[f]);0===r[d].references&&(r[d].updater(),r.splice(d,1))}o=i}}}},lEuh:function(n,e,o){"use strict";o.r(e);var t=o("LboF"),a=o.n(t),r=o("spFo");a()(r.a,{insert:"head",singleton:!1}),e.default=r.a.locals||{}},spFo:function(n,e,o){"use strict";var t=o("JPst"),a=o.n(t)()(function(n){return n[1]});a.push([n.i,'@charset "UTF-8";\n/**\n  Prebuilt: @mimecast-ui/components - Classic Theme\n */\n/**\n  Bootstrap Default Setup\n\n  Every app consuming @mimecast-ui components can import this file or\n  implement their version.\n */\n/*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */\n@font-face {\n  font-family: \'mimecast-icons\';\n  src: url(\'/ttpwp/resources/mimecast-icons.fd97725823d43fd9cada.eot?25417273\');\n  src: url(\'/ttpwp/resources/mimecast-icons.fd97725823d43fd9cada.eot?25417273#iefix\') format(\'embedded-opentype\'),\n    url(\'/ttpwp/resources/mimec

{
  "contains_trigger_text": true,
  "trigger_text": "Access has been blocked for your protection",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": true,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://security-us.m.mimecastprotect.com

{
  "contains_trigger_text": true,
  "trigger_text": "Access has been blocked for your protection",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Mimecast"
  ]
}

{
  "brands": [
    "Mimecast"
  ]
}