For more phishing samples, see my phishy email collection.
This is a well-crafted phishing attack, designed to look like a routine ADP payroll invoice. No doubt the attached spreadsheet includes a nasty surprise. Don’t fall for it. I give this one an A-. Ya never know what you might find when chasing email headers. According to its headers, this one came from the US Department of Defense and was routed through Armenia.
Details below the screenshot.
Relevant portion of the email header
To look at the email header in Outlook, open the message and click File…Properties; the raw header appears in the Internet headers box. Email headers hold a treasure trove of routing and diagnostic information: every mail server that handles a message is supposed to stamp its own Received line on top of the ones already there, so reading them top to bottom walks the path backwards from your server toward the sender.
Received: from 188.8.131.52 by
mail2016.infrasupport.local (10.10.10.14) with Microsoft SMTP Server id
15.1.1531.3 via Frontend Transport; Mon, 26 Oct 2020 12:50:22 -0500
Received: from LYEIDOP.smtprelay.gslb.es.oneadp.com (LYEIDOP.smtprelay.gslb.es.oneadp.com
[184.108.40.206]) by with SMTP id
3fb06ys5gfgrutt.4.20201026215022; Mon, 26 Oct 2020 21:50:22 +0400
Subject: ADP Payroll Invoice(s) 26-OCT-2020: 374166618
Date: Mon, 26 Oct 2020 21:50:22 +0400
This one claimed to originate inside ADP and relay through an intermediate server. But a whois lookup on the IP address 220.127.116.11 shows that address is registered to the United States Department of Defense. Gulp – let that sink in.
Yep. Apparently somebody compromised a government computer, forged a sender name to impersonate ADP, and used it to ensnare gullible businesses. Our tax dollars at work. One caveat before drawing firm conclusions: the only Received line we can vouch for is the top one, which our own server wrote when it accepted the connection. Every Received line below it arrived inside the message and could have been typed in by the sender, so the DoD address may be a planted decoy rather than a compromised host. Notice too that the lower line reads "by with SMTP id", with no host name after "by"; a real mail server always names itself there, which is another sign that line was written by hand. Here is the entire whois output.
I generated this with the Linux whois command. The same information is available through the regional registries' web lookup pages (RIPE, ARIN and the other regional registries each provide one).
What about the intermediate relay server? As long as we’ve gone to the trouble, we may as well check it out too. First, a whois lookup on IP address 18.104.22.168. This just keeps getting better: the intermediate relay server is in Armenia. Here is the complete whois output.
[root@www ~]# whois 22.214.171.124
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '126.96.36.199 - 188.8.131.52'
% Abuse contact for '184.108.40.206 - 220.127.116.11' is 'email@example.com'

inetnum: 18.104.22.168 - 22.214.171.124
netname: AM-ARMENTEL-20100122
country: AM
org: ORG-ATCh1-RIPE
admin-c: ANOD1-RIPE
tech-c: ANOD1-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: ARMENTEL-MNT
mnt-routes: ARMENTEL-MNT
created: 2010-01-22T15:00:00Z
last-modified: 2016-09-22T11:29:34Z
source: RIPE # Filtered

organisation: ORG-ATCh1-RIPE
org-name: VEON Armenia CJSC
org-type: LIR
address: 2 Aharonian street
address: 0014
address: Yerevan
address: ARMENIA
phone: +37410289787
fax-no: +37410289770
abuse-c: AR14046-RIPE
admin-c: AA5090-RIPE
admin-c: AH5263-RIPE
mnt-ref: ARMENTEL-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: ARMENTEL-MNT
created: 2004-04-17T10:58:03Z
last-modified: 2018-01-15T09:30:05Z
source: RIPE # Filtered

role: Armentel Network Operational Division role
address: 24/1 Azatoutyan Ave.
address: Yerevan 0014
address: Republic of Armenia
abuse-mailbox: firstname.lastname@example.org
admin-c: AA5090-RIPE
tech-c: AA5090-RIPE
nic-hdl: ANOD1-RIPE
created: 2010-01-18T09:02:39Z
last-modified: 2016-04-05T12:05:03Z
mnt-by: RIPE-NCC-LOCKED-MNT
source: RIPE # Filtered

% Information related to '126.96.36.199/22AS12297'
route: 188.8.131.52/22
descr: "VEON Armenia" CJSC
origin: AS12297
mnt-by: ARMENTEL-MNT
created: 2020-05-22T12:53:14Z
last-modified: 2020-05-22T13:10:59Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.98 (ANGUS)
[root@www ~]#
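The two manual steps above, reading the Received chain and then pulling the useful fields out of the whois answer, are easy to script. The following is an added example of mine, not code from the original post: it walks the Received lines of a raw header block, marks only the top hop (the one our own server wrote) as trustworthy, flags an empty "by" relay name as a forgery tell, and then parses RPSL-format whois output into a short summary. The header text is the sample shown above; the whois excerpt is a constructed, shortened copy of the RIPE output, so the script runs offline and uses only IP addresses already on this page.

```python
"""Walk an email's Received chain and summarise RPSL-format whois output.

Added example, not code from the original post. The header text is the sample
shown above; the whois excerpt is a constructed, shortened copy of the RIPE
output, so everything runs offline.
"""
import re
from email import message_from_string

# Raw header block as it appears above (folded continuation lines and all).
SAMPLE_HEADERS = (
    "Received: from 188.8.131.52 by\n"
    " mail2016.infrasupport.local (10.10.10.14) with Microsoft SMTP Server id\n"
    " 15.1.1531.3 via Frontend Transport; Mon, 26 Oct 2020 12:50:22 -0500\n"
    "Received: from LYEIDOP.smtprelay.gslb.es.oneadp.com"
    " (LYEIDOP.smtprelay.gslb.es.oneadp.com\n"
    " [184.108.40.206]) by with SMTP id\n"
    " 3fb06ys5gfgrutt.4.20201026215022; Mon, 26 Oct 2020 21:50:22 +0400\n"
    "Subject: ADP Payroll Invoice(s) 26-OCT-2020: 374166618\n"
    "Date: Mon, 26 Oct 2020 21:50:22 +0400\n\n"
)

# Constructed excerpt mirroring the RIPE whois output quoted above.
SAMPLE_WHOIS = """\
% This is the RIPE Database query service.
% Abuse contact for '18.104.22.168 - 22.214.171.124' is 'email@example.com'

inetnum:        18.104.22.168 - 22.214.171.124
netname:        AM-ARMENTEL-20100122
country:        AM
org:            ORG-ATCh1-RIPE
status:         ALLOCATED PA
source:         RIPE # Filtered

organisation:   ORG-ATCh1-RIPE
org-name:       VEON Armenia CJSC
org-type:       LIR
source:         RIPE # Filtered

route:          188.8.131.52/22
descr:          "VEON Armenia" CJSC
origin:         AS12297
source:         RIPE
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Keywords that may follow the relay name in a Received line. If one of them
# sits directly after "by", the sender left the relay name empty; a real MTA
# always names itself there, so the line was written by hand.
CLAUSE_WORDS = {"with", "id", "via", "for"}


def parse_received_chain(raw_headers):
    """Return one dict per Received line, top (newest) first.

    Only hop 0 was written by our own server; every later hop is text the
    sender handed us and may be forged, so it is marked trusted=False.
    """
    msg = message_from_string(raw_headers)
    hops = []
    for idx, line in enumerate(msg.get_all("Received", [])):
        text = " ".join(line.split())  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", text)
        helo = m_from.group(1) if m_from else ""
        paren = (m_from.group(2) or "") if m_from else ""
        # Prefer the bracketed IP (what the receiving MTA saw) over the HELO name.
        m_ip = re.search(IPV4, paren) or re.search(IPV4, helo)
        m_by = re.search(r"\bby\s+(\S+)", text)
        by_host = m_by.group(1) if m_by else None
        m_tz = re.search(r"([+-]\d{4})\s*$", text)  # timezone of the stamping host
        hops.append({
            "hop": idx,
            "trusted": idx == 0,
            "helo": helo or None,
            "ip": m_ip.group(0) if m_ip else None,
            "by": None if by_host in CLAUSE_WORDS else by_host,
            "tz": m_tz.group(1) if m_tz else None,
        })
    return hops


def parse_rpsl(text):
    """Split whois output into objects (blank-line separated key: value blocks).

    Comment lines starting with '%' are skipped, except that the RIPE abuse
    contact comment is kept because it is the address you report to.
    """
    objects, current, abuse = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("%"):
            m = re.search(r"Abuse contact for '([^']*)' is '([^']*)'", line)
            if m:
                abuse = m.group(2)
            continue
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        value = value.split("#", 1)[0].strip()  # drop "# Filtered" annotations
        current.setdefault(key.strip(), []).append(value)
    if current:
        objects.append(current)
    return objects, abuse


def summarise_whois(text):
    """Pull the fields an analyst wants: block, netname, country, org, ASN, abuse."""
    objects, abuse = parse_rpsl(text)
    summary = {"abuse": abuse}
    for obj in objects:
        if "inetnum" in obj:
            summary["inetnum"] = obj["inetnum"][0]
            summary["netname"] = obj["netname"][0]
            summary["country"] = obj["country"][0]
        elif "organisation" in obj:
            summary["org_name"] = obj["org-name"][0]
        elif "route" in obj:
            summary["origin_as"] = obj["origin"][0]
    return summary


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_HEADERS):
        print(hop)
    print(summarise_whois(SAMPLE_WHOIS))
```

Run on the sample, hop 0 comes back trusted with the connecting address and our own relay name, while hop 1 carries the ADP host name, an empty relay (the "by with" tell), and a +0400 timestamp that does not fit a US payroll provider. To chase a real message, feed `summarise_whois` the text of `whois <ip>` for the address from a trusted hop; the `abuse` field is where the report goes.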