Recently, a new type of scam email has been detected that lures the victim into calling a fake customer support number. Once the victim calls, the perpetrator convinces them to install malicious software on their computer and eventually extorts money from them. This page analyzes how the scam works and what you can do to block such emails.
Before discussing the nitty-gritty details of how the attack is put together, let's identify the actors involved.
Next, let's analyze a sequence of events.
The following screenshot displays a sample email.
Notice a few characteristics of this sample:
Legitimate companies generate and forward these fake invoices: PayPal generates the invoice and Microsoft 365 forwards it. In other words, SPF, DKIM, and DMARC checks pass, because the messages genuinely originate from servers authorized by those domains.
The victim receives this email from a valid account hosted on Microsoft 365. In the example above, the sending domain cismlk.onmicrosoft.com publishes the following SPF record:
v=spf1 include:spf.protection.outlook.com -all
Therefore, any message relayed through Microsoft's outbound servers (spf.protection.outlook.com) passes SPF for this domain, regardless of who controls the account that sent it.
The scammers are careful not to modify the content of the email, since that would invalidate the DKIM signature. The DKIM signature on the example email above is:
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed; q=dns/txt; i=@paypal.com; t=1732632029; h=From:From:Subject:Date:To:MIME-Version:Content-Type; bh=QS5nBV4tfjKpf8OaUAUxN3X3cAmNxcFu9VLTdyUD2b0=; b=g42RaHAgufIHGSmMwns1D3rHp1aqbEYK9om7CUOWOIVf9CGX0eGufBlSyZ+C0gGz ukX/Y/BoVCOHDDPqRUHZq1TF0ekRpbrcyqtyv8VOYjRgyS+eL4snrfYGsqE7AyA4 kp5StyO3zkkgsFL6eaGzPXxouQlHWpcuTkS33hH8nMkl7v/oQcjBjFKQPBwgrLBw 3bEg4gpCj1y4jMLdiXephJpSJovc51ymRAUEoT4Gfthj2BJxqdNWTmugNiB3YdW2 r6g2QIF6XRVCCGn0d2jfip8BoFbxZHLcVCoAcci9DyqEace7JtDGWB8m8cgZN1LP eNlXaXDX+uhJn4wPZ7u5jQ==;
This is a valid signature made with PayPal's own key (d=paypal.com, s=pp-dkim1): the signed headers listed in h= and the body hash in bh= are untouched, so the victim's spam filter treats the message as legitimate.
Since the conventional authentication checks cannot catch these messages, you must rely on the content-filtering methods available in Xeams.
Ensure the Fake Receipts filter under Filter Management/Content Filters/Custom Filters is enabled with a score of at least 150.
Add a header filter using the following steps:
The recipient's email address appears in the BCC field, meaning it is absent from the To and Cc headers. Shared email addresses, such as sales@yourcompany.com or support@yourcompany.com, seldom receive legitimate email in which the recipient is in BCC. In such cases, consider adding the following rule.
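The following is an added example, not part of the original article and not Xeams code, showing the logic behind such a header rule: parse a message, confirm that SPF and DKIM pass (so a domain-based rule would not help), and score the message when a shared mailbox receives it without appearing in To or Cc. The sample message is constructed for this example; its headers mirror the PayPal/Microsoft pattern described above, the Authentication-Results header is assumed to have been added by the receiving server, the b= value of the DKIM signature is shortened, and the shared mailbox names are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (assumption, not the actual message from the page). The victim's
# shared mailbox is the envelope recipient but never appears in To: or Cc:, because it
# was a BCC/forwarding target. The DKIM b= value is shortened and is not verified here.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.yourcompany.com; spf=pass smtp.mailfrom=cismlk.onmicrosoft.com; dkim=pass header.d=paypal.com
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed; q=dns/txt; i=@paypal.com; h=From:Subject:Date:To:MIME-Version:Content-Type; bh=QS5nBV4tfjKpf8OaUAUxN3X3cAmNxcFu9VLTdyUD2b0=; b=g42RaHAgufIHGSmMwns1D3rH
From: "service@paypal.com" <service@paypal.com>
To: Billing <billing@cismlk.onmicrosoft.com>
Subject: Invoice from PayPal Billing
Date: Tue, 26 Nov 2024 14:40:29 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Your invoice is ready. Call support if you did not authorize this charge.
"""

# Assumption: the shared aliases at your company that rarely receive BCC'd mail.
SHARED_MAILBOXES = {"sales@yourcompany.com", "support@yourcompany.com"}


def authentication_results(raw):
    """Extract spf=/dkim=/dmarc= verdicts from Authentication-Results (added by the receiving MTA)."""
    msg = message_from_string(raw)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            results[mech] = verdict.lower()
    return results


def dkim_signing_domain(raw):
    """Return the d= tag of the DKIM-Signature header, or None if there is no signature."""
    sig = message_from_string(raw).get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else None


def visible_recipients(msg):
    """Addresses listed in To: and Cc:. BCC recipients are, by definition, absent from both."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def recipient_in_bcc(msg, envelope_rcpt):
    """True when the SMTP envelope recipient does not appear in any visible recipient header."""
    return envelope_rcpt.lower() not in visible_recipients(msg)


def score_message(raw, envelope_rcpt, shared=SHARED_MAILBOXES, bcc_score=150):
    """Mirror the header rule: a shared mailbox delivered via BCC earns bcc_score points.

    Returns (score, reasons). SPF/DKIM verdicts are deliberately not consulted, because
    they pass for these messages and would only lower the score.
    """
    msg = message_from_string(raw)
    rcpt = envelope_rcpt.lower()
    score, reasons = 0, []
    if rcpt in shared and recipient_in_bcc(msg, rcpt):
        score += bcc_score
        reasons.append(f"{rcpt} is a shared mailbox but is not in To:/Cc: (delivered via BCC)")
    return score, reasons


if __name__ == "__main__":
    print(authentication_results(SAMPLE_MESSAGE))      # {'spf': 'pass', 'dkim': 'pass'}
    print(dkim_signing_domain(SAMPLE_MESSAGE))         # paypal.com
    print(score_message(SAMPLE_MESSAGE, "support@yourcompany.com"))
```

Running the script shows why the authentication results are useless here (both pass and the signing domain really is paypal.com) while the BCC check alone reaches the 150-point threshold for a shared mailbox. The same message addressed directly to the scammer's own mailbox scores zero, which is the intended behaviour: the rule targets the delivery pattern, not PayPal mail in general.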