Greg Troxel wrote:
One of my users got mail that really looks like a phish. They are unaware of having an adobe account. It is DKIM signed, but looks a bit spammy in terms of the content (low-quality HTML markup, missing text/plain content).
... How much otherwise legitimate mail have you inspected recently? Grotty HTML and missing text/plain is here to stay. :(
Is anyone else seeing this? Opinions on if it's real, if adobe is compromised, or ?
Looks legit to me, notwithstanding whatever your user recalls. It's an Adobe IP (doublechecked WHOIS, but the fcRDNS is pretty solid evidence), it passed DKIM, and there's no funny business with the From:/envelope. They've pointlessly encoded the Subject: but that seems to be a Thing because Reasons, and IME not any particular indication of anything.
The decoded Subject: might provide more of a hint to whatever Adobe-borged software the user actually had an account for.
-kgd
