Windows Analysis Report
Message.eml

{
    "explanation": [
        "The email is from a legitimate business newsletter service (AZBEX - Arizona Builder's Exchange)",
        "Contains standard newsletter formatting with unsubscribe options and proper business address",
        "Content is consistent with a professional construction industry newsletter"
    ],
    "phishing": false,
    "confidence": 9,
    "generated_by_ai": false
}

{
    "date": "Tue, 14 Jan 2025 06:01:17 -0600", 
    "subject": "AZBEX 01-14-2025 - Back to Industrial for 6-Acre Tempe Site", 
    "communications": [
        "CAUTION: This email originated from outside Carollo Engineers. Do not open attachments or click links unless you recognize the sender.\n\nCheck out the latest issue of AZBEX!\n                                                                                                                              \n[https://content.app-us1.com/cdn-cgi/image/onerror=redirect,width=650,dpr=2,fit=scale-down,format=auto/4GpbJ/2021/06/01/0bcd0bc2c9fb46e30d3143942715988e610ed0f4.jpeg?r=682257016]\nAZBEX FEATURED ARTICLE\nBack to Industrial for 6-Acre Tempe Site\nAZBEX 01-14-2025\nVolume: 15 Issue: 92\nSTART READING HERE <https://azbex.acemlna.com/lt.php?x=3DZy~GDMJnDL65OuzQ5NhOKh1aIji_f3wuY3X5M7JXWZE5z~yUy.0OFz13FziNfujfYxbHHFKXSa>\nUPCOMING BEX EVENTS\n[https://content.app-us1.com/cdn-cgi/image/onerror=redirect,width=650,dpr=2,fit=scale-down,format=auto/4GpbJ/2024/12/12/ca6ae514-2a15-4db0-b253-22738be6dcfe.jpeg?r=755188278]<https://azbex.acemlna.com/lt.php?x=3DZy~GDMJnDL65OuzQ5NhOKh1aIji_f3wuY3X5M7JXWZE5z~yUy.0OFz13FziNfujfYxbHHFKXOh>\n 2024 Arizona Builder's Exchange, LLC. All Rights Reserved. Forwarding, distributing or disseminating the downloaded copy, or any portion thereof, or of the content, is a violation of copyright and is expressly prohibited.\nCopyright violations will be prosecuted.\n\n\n\nSent to: bhuey@carollo.com\n\nUnsubscribe<https://azbex.acemlna.com/proc.php?nl=2&c=1835&m=1900&s=950b57e5c8e2f1f3099e1802f450e081&act=unsub>\n\nArizona Builder's Exchange, P.O. Box 12196, Tempe, AZ 85284, United States\n\n"
    ], 
    "from": "AZBEX <bex@azbex.com>", 
    "to": "B Huey <bhuey@carollo.com>", 
    "attachements": []
}

{
  "risk_score": 1,
  "reasoning": [
    "All authentication checks (SPF, DKIM, DMARC) passed successfully",
    "Email sent through legitimate ActiveCampaign email service (x-mailer header)",
    "Proper feedback-id and list-unsubscribe headers indicating legitimate bulk email service",
    "Microsoft's SCL (Spam Confidence Level) is -1, indicating trusted sender",
    "Proper DKIM signature present and verified",
    "Consistent routing through ActiveCampaign's infrastructure (acems1.com, acemsa3.com)",
    "IP address (52.128.40.27) is properly authorized in SPF record",
    "Return-path and bounce handling properly configured for bulk email service",
    "Low BCL (Bulk Complaint Level) of 3 indicating legitimate bulk sender"
  ]
}

Date: Tue, 14 Jan 2025 06:01:17 -0600
Key: mime-version
Value: 1.0
Key: return-path
Value: bounce-793876-1835-74-bhuey=carollo.com@em-793876.azbex.com
Key: x-microsoft-antispam-message-info
Value: 	OEIjWVvGCrnGspXsEPBaJfLOM1oc4lqC1jS35mHGQdpzl4XEmqyzd3qmjYdFiw3gqTZ4pA8LrG+nNOvSLiexLq8WSAKqZBmS2yTVuwHNFuG69cVfwnuSM/RYw8nWicPx1NuOrqG6NzxnWIHuczLF/qiQUORKP9r6hfv5ZsojaB3LCVMShrEnJRxioM8q0m7GiYFOl9DtSVLRAHw3djgVekz/rQFTge0aPxkGxGze3b1H+FYa5yo3RZibs0Xh5mMrWDCZyLrXI6MhmN5HUCvBsF8Th1HRtt93UmVXFQr39lZQfsO8QJsuKPpBlnGKbR5dhs/jmjAL2NXi4GKg/6qvA7+1v1FCkcULMPgWM5jI4QhH9oq+jEVwiHecBft9fa5cxbguyBYjzmBjGmJPEocpN4OZuu/MNUQmbn0G74yrBDwokFeoLs+yAckKml1BssAlKMY1ThkScVIO/ltKVmDIJEBrWVQjBuc83Eqx7VwCxvgsZ0ifhHktyY7OOWtQ2Fyoc/jqzbjgbtIfZioibK1awvsAcYZcT9dvY+JFw8cBJc05T3PZMAcf0y29VdGHmo5aZAsWRkuCSuwH8nMxdNjKptLDzYAkeqIheccExMSX28tSzzY5O9Rhd6WgNUfWmghYT2jj90tukB2gkSCbQ6xUr5oQQBJpkinqHOyvGs4+i5dqAIuv+uQruV5pLlxltR8HfNM8ulyNq6HaoMDnFCEVXVHXTBX4DvG1cIRxh2dX/pWd4+SS9E5UvtTT/C2SSCA+VkW/6MwGjtWEGYeUCZVNo0eDKAiM02l66sYNAmZOud90s/K/fp69bFSFZuAXNH/ZNDrP58+x+9qgpecS7HoAwcnKOSUmg5I7NE4D+DzqSgUquZlCOXNYREWPlkD+Ye4oyz8takikbMX0gU5aJfklWe30TN9Tj61xtLQ7PcCOiWH8YSd2PgphlYnk8lGw6mSc+PMxae9B3xdskFtjwLuWvFzCy+f7KNfjru6MnGdCvW28uwojYOM5ykxsW94/J/r4qyUXsARgPjtCVgiAhFUSKcBBm9d/TLXBOs4tVK9t+LCidWwgsReJHwyqrbYprZBjaqu07lT2TF9eqIkbnv6EUJRkySTwriojKVxvuO54BSW99UL0Pa5FxsAEursTA3t7ZUqxk7F2YwtzgQzqRORNOjAF2PVENiI0j3JYkLpdRvFDsrFfnZV+hUHJpmEpCrx29N9mUD7dZIuxG7uPgT4Ei8iZnKWvQDpiDXdO0AE/bAnj4IQolN8R4/1Zd6JenzJsoxhk1pEWcVGFSAgrH84yGvy4YYtALzu9C6ZsFLKN3dQ+khuGKVjVfkb12AKj7XM7pWqoL0gJ77H3khdOFDQF90I8GDaYIwq6clS9U1GGWv2XiE/lae3+bQz/+XYt0oJ++Z2XBLoEN9YDc/6YNJlUILhINnUkjfwylJtWSilkJpPTt0ko32UvWPYKAEgq1e2wGyh7AnKnTH8mHiX/KTnZsP0pc4W+nWZont326k2EqkDW7NuzLY6/2EYeqlK4OZ1ieENOEP1mjTAzToe/ORkAygu1i0zReQGBf271hAEaeNs6PtfqJenATQ4vXxbkMFh42nwOYZstHX1tObrIRA1JW7PmCgST0CSFHRNVrWz5t1Pc8aUL8sZumYmgeuDPv2W23vpSnSQo2FGNhoTJzVKRQWopMs198iW2PnZoTfGecBqwJWh0ii3uVNrnPFRRV0hBpwZWQYO0OrS6a+weSq89YbIpVloUYAs3oMpjaZAKxu0dpNksjJ7WT54thE/ni/Ef41/tK/D5MtevE4ifgdMgKVdYne+X56VW7bSps29O/I/W2p+AY/G8/BW4cp7Wy46bd5WiJEMLyZ70IOYb5KTSiHfyosDYSMiVQ9WDrEMMgPr/o9lnyB0/zDHyRDlLTZ5gD1g2WS1CX+RwOjwoKzZBwoZ3c7weimCghZySfIZAOyM2ijT2FeEu3bJgd1Ef42LJh4Xo1sGYOFhCgYoYVO5HOpo8ghco1MmsrRuB3xhCqJKEZFZkGutBN4ULJTZ3X2NrqIfuD3oAnusJR1/cPQWL64K1YhZQxV/Wis5mtiyuErebexN7EPqsGotOXVGCw7eCVgcYS19mLYhVVYl9vmVQ5WhwlWGoIVfxO/yUYlJDm+INxgz4o1pvL4t4ahKTJf60ouwnP8Jsvr7IfklD/3mAtFVpvHB53uLqmuuYxxFLmAZS07qBLXDkTj21iB1wIAFtCDBJk81l0nHed82XZlOulEW5nkw26t8xv0mbv0vFj8IZ7ngrwUXbIxNJFrABY1YTw37UA/Ydx97hE670G3CeFAV21Pu24bgEyGCj0VPifrCv6nXGb5VwwJ4RuNPnQNxb/fuV0MK2WTeWos8Ra3GkiYsylKuFk7u675iqJX3ADMWfsJFbLaJL13htKMn4HESa
Key: x-mailer
Value: ActiveCampaign Mailer
Key: received-spf
Value: Pass (protection.outlook.com: domain of em-793876.azbex.com designates 52.128.40.27 as permitted sender) receiver=protection.outlook.com; client-ip=52.128.40.27; helo=s4.csa2.acemsa3.com; pr=C
Key: message-id
Value: <0.1.5.5B0.1DB667C04AE8D00.0@s4.csa1.acemsd5.com>
Key: authentication-results
Value: spf=pass (sender IP is 52.128.40.27) smtp.mailfrom=em-793876.azbex.com; dkim=pass (signature was verified) header.d=azbex.com;dmarc=pass action=none header.from=azbex.com;compauth=pass reason=100
Key: received
Value: by acems1.com id hgp90q395q8m for <bhuey@carollo.com>; Tue, 14 Jan 2025 12:01:17 +0000 (envelope-from <bounce-793876-1835-74-bhuey=carollo.com@em-793876.azbex.com>)
Key: feedback-id
Value: 793876:793876.1835:s4.csa2.acemsa1.com:activecampaign
Key: x-ms-exchange-crosstenant-authas
Value: Anonymous
Key: x-ms-exchange-crosstenant-originalarrivaltime
Value: 14 Jan 2025 12:01:20.3285 (UTC)
Key: content-transfer-encoding
Value: 7bit
Key: content-type
Value: multipart/alternative; boundary="_=_swift-11966694706786520d7bf421.52066470_=_"
Key: dkim-signature
Value: v=1; a=rsa-sha256; c=relaxed/relaxed; s=dk; d=acems5.com; h=To:From:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding: List-Unsubscribe:List-Unsubscribe-Post:Message-ID:From:To:Subject:Date; x=1736942477; bh=oHF4X7zv+C/h4iMmEjR+fLi7JNMjcSGznBrAh9eyKsM=; b=SxLfexBYctH7eLNCJf+YW4TyF8Cet+qluNjD79A2YDHsIExBlopuaiCOebAvCBiVQWl9bZiiHtsK   Ep1c29iTXILxkq20vBL5rxurqSfj9PuUy0QhMTkK6kgQyLFRqmrIJF0jlDXZWKcoRRlWdWTH34sS   IUICUNKKzk0xQDrB1uQ=
Key: x-forefront-antispam-report
Value: CIP:52.128.40.27;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKA;H:s4.csa2.acemsa3.com;PTR:s4.csa2.acemsa3.com;CAT:NONE;SFS:(13230040)(12012899012)(4022899009)(3072899012)(2092899012)(69100299015)(1032899013)(7053199007)(5133199007)(4076899003)(2066899003)(8096899003);DIR:INB;
Key: x-ms-exchange-organization-scl
Value: -1
Key: x-microsoft-antispam
Value: BCL:3;ARA:13230040|12012899012|4022899009|3072899012|2092899012|69100299015|1032899013|7053199007|5133199007|4076899003|2066899003|8096899003;

{
  "contains_trigger_text": true,
  "trigger_text": "Back to Industrial for 6-Acre Tempe Site",
  "prominent_button_name": "START READING HERE",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "AZBEX"
  ]
}

{
    "risk_score": 3,
    "reasoning": "The provided JavaScript snippet appears to be a relatively benign script with some low-risk indicators. It primarily handles theme-based CSS loading and a close button functionality. While it uses some legacy practices like parsing query parameters manually, the overall behavior does not indicate any high-risk activities or malicious intent."
}

window.onload = function OnLoadHandler(){
	if (window.history.length <= 1) {
		document.getElementById("close").style.display = "none";
	}
}

var theme = null;
try {
  (function (URLSearchParams, str) {
    if (!new URLSearchParams(window.location.search).get(str)){
		throw URLSearchParams;
	}
		var urlParams = new URLSearchParams(window.location.search);
		if (urlParams.has(str)){
			theme = String(urlParams.get(str));
		}
  }(URLSearchParams, "theme"));
} catch(URLSearchParams){
	var params = {}
	var parts = window.location.search.substring(1).split('&');
	for (var i = 0; i < parts.length; i++) {
		var val = parts[i].split('=');
		if (!val[0]) continue;
		params[val[0]] = val[1] || true;
	}
	theme = params["theme"];	
}

// Load theme specific css
if (theme === "dark"){
	AddCSS("Safelinksv2-dark.css");
}
else if (theme === "contrast"){
	AddCSS("Safelinksv2-highcontrast.css")
}

// Add CSS based on theme
function AddCSS(fileName){
	 var ss = document.createElement("link");
     ss.type = "text/css";
     ss.rel = "stylesheet";
     ss.href = "./Content/Scripts/" + fileName;
	 document.getElementsByTagName("head")[0].appendChild(ss);
}


function CloseHover(hoverIn) {
    var closeLink = document.getElementById("closeLink");

    if (hoverIn) {	
        closeLink.style.textDecoration = "underline";
    } else {
        closeLink.style.textDecoration = "none";
    }
}

function GoBack() {
    if (window.history.length > 1) {
		window.history.back();
	}
	else {
		window.location.href="about:blank";
	}
}

{
  "contains_trigger_text": true,
  "trigger_text": "This website is classified as malicious.",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": true,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://nam10.safelinks.protection.outlook.com

{
  "brands": [
    "Carollo"
  ]
}