Hi,

This is a QR phish, and I haven't fully set up zbar and ExtractText yet, but I'm hoping someone could look at this and try to identify other issues that would be helpful in blocking this.

It hit a couple of my local basic testing rules, but that's about it.

    X-Spam-Status: No, score=2.457 tagged_above=-200 required=5
        tests=[BAYES_80=2, DMARC_MISSING=0.1, KAM_DMARC_STATUS=0.01,
        LOC_FROMADDR=0.01, LOC_FROMNAME=0.01, LOC_PDF_MTBODY=0.71,
        LOC_XORIGORG=0.01, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
        RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_US=0.01, SPF_HELO_PASS=-0.001,
        SPF_PASS=-0.001] autolearn=disabled

It says that SPF failed, but SPF_PASS was hit, presumably from our connection to Microsoft, not their connection to the spammer client:

    Received-SPF: Fail (protection.outlook.com: domain of toppersrvs.com does not designate 35.230.39.135 as permitted sender) receiver= protection.outlook.com; client-ip=35.230.39.135; helo=[127.0.0.1];
    Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=52.100.167.207; helo=nam12-mw2-obe.outbound.protection.outlook.com; envelope-from= administra...@toppersrvs.com; receiver=buckknives.com

ARC also failed:

    ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is 35.230.39.135) smtp.rcpttodomain=buckknives.com smtp.mailfrom= toppersrvs.com; dmarc=none action=none header.from=toppersrvs.com; dkim=none (message not signed); arc=none (0)

Should I also somehow be checking these SPF failures? Wouldn't this otherwise eliminate any advantage of checking SPF for any email routed through M365?

The toppersrvs.com domain is still not on any blocklist. Of course I can add it to my local one, but I'm hoping for something more durable beyond just this one email.

The body was empty with a PDF attachment. It's too big for pastebin. https://drive.google.com/file/d/1FzBgTKoBgRp7TWkqjWqSqqESYmCGH0G2/view?usp=sharing

Any success stories with setting up zbar for QR code spam would also be appreciated :-)
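The situation in the post, where our own SPF check only sees the Microsoft-to-us hop and passes while the relay's earlier Received-SPF and ARC-Authentication-Results headers recorded a fail, can be surfaced by reading every SPF verdict in the trace headers rather than just the newest one. This is an added example, not code from the post or from SpamAssassin; the sample message is constructed from the header fragments quoted above, with the elided local part of envelope-from replaced by a placeholder, and the trusted-relay names are an assumption for this M365-fronted setup.

```python
"""Collect every SPF verdict from a message's trace headers, so an upstream
'fail' recorded by a trusted relay is not hidden behind the 'pass' for the
relay-to-us hop that our own MX computed."""
import re
from email import message_from_string
from email.policy import default

# Relays whose Received-SPF / ARC-Authentication-Results we accept as genuine
# (assumption for this setup). Headers stamped before these hops could have
# been written by the sender and must not be trusted.
TRUSTED_AUTHSERVS = {"protection.outlook.com", "mx.microsoft.com"}

# Constructed sample built from the headers quoted in the post; newest header
# first, as in a real message. The local part of envelope-from was elided in
# the post, so a placeholder stands in for it.
SAMPLE = (
    "Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=52.100.167.207;"
    " helo=nam12-mw2-obe.outbound.protection.outlook.com;"
    " envelope-from=placeholder@toppersrvs.com; receiver=buckknives.com\n"
    "Received-SPF: Fail (protection.outlook.com: domain of toppersrvs.com does"
    " not designate 35.230.39.135 as permitted sender)"
    " receiver=protection.outlook.com; client-ip=35.230.39.135; helo=[127.0.0.1];\n"
    "ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is"
    " 35.230.39.135) smtp.rcpttodomain=buckknives.com smtp.mailfrom=toppersrvs.com;"
    " dmarc=none action=none header.from=toppersrvs.com; dkim=none (message not"
    " signed); arc=none (0)\n"
    "From: administrator@toppersrvs.com\nSubject: Document\n\n(empty body)\n"
)


def spf_verdicts(raw_message):
    """Return (authserv, result, client_ip) tuples in header order, newest first."""
    msg = message_from_string(raw_message, policy=default)
    verdicts = []
    for value in msg.get_all("Received-SPF", []):
        result = value.split(None, 1)[0].lower()          # Pass / Fail / ...
        receiver = re.search(r"receiver=\s*([\w.-]+)", value)
        ip = re.search(r"client-ip=\s*([0-9a-fA-F.:]+)", value)
        verdicts.append((receiver.group(1) if receiver else "?", result,
                         ip.group(1) if ip else "?"))
    for value in msg.get_all("ARC-Authentication-Results", []):
        authserv = re.search(r"i=\d+;\s*([\w.-]+)", value)   # ARC seal authserv-id
        spf = re.search(r"\bspf=(\w+)", value)
        if authserv and spf:
            verdicts.append((authserv.group(1), spf.group(1).lower(), "arc"))
    return verdicts


def upstream_spf_failures(raw_message):
    """SPF fails recorded by a trusted relay for the sender-to-relay hop."""
    return [v for v in spf_verdicts(raw_message)
            if v[0] in TRUSTED_AUTHSERVS and v[1] == "fail"]
```

Only verdicts stamped by the relay you actually trust should count toward a score, since anything added before that hop is under the sender's control.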