I got a copy of the actual message from Alex; it's a classic case of BEC
(Business Email Compromise).
The sender's email account was compromised, either by being successfully
phished or via session hijacking (evilginx).
TA then used the credentials and/or hijacked session to send email
I guess that brings up another question that's unclear - was this
message from the org's Mimecast actually determined to be malicious?
Based on the information available, it just sounds like someone at the
organization sent Alex a (valid?) encrypted attachment from their Secure
Messaging portal
I was also wondering if it was something like this... See the header below.
The spoofed domain was modified and replaced with 'example.com'.
Delivered-To: a...@theshcompany.com
Received: by 2002:a05:6020:ac0d:b0:310:9e0c:1a53 with SMTP id
nx13csp334454wdb;
Wed, 4 Dec 2024 07:35:3
I'd love to see redacted headers. I wonder if it's similar to the
Proofpoint bypass that was in the news a few cycles ago where any 365
tenant can email through companies that have PFPT setup.
On 12/6/2024 6:43 AM, Alex Shakhov | SH Consulting via mailop wrote:
Hello, a few months ago, I was asked to audit emails and integrate a
new system for a company. The first thing I did was configure DMARC
reporting (replaced v=DMARC1; p=none;) and after two months of
analyzing their email tra