For more phishing samples, see my phishy email collection.

Fake Amazon documents may be one of the most common phishing attacks. Timing is everything. Maybe you ordered something big from Amazon a couple days ago and you’re expecting a shipping confirmation. And then this shows up in your inbox.

It’s a pretty good forgery. The embedded link even points to where it claims to point. But the attachment is an Excel macro, not a spreadsheet. And upon further review, why would any shipper send a spreadsheet instead of a PDF? Which would still be suspicious. I’ll give this a B+.

Just because we can, let’s see what the email header looks like below the screenshot.

Relevant Portion of the Email Header and Whois Info

Received: from [] ( by
mail2016.infrasupport.local ( with Microsoft SMTP Server id
15.1.1531.3 via Frontend Transport; Wed, 28 Oct 2020 05:34:42 -0500
Received: from [] (
by with ESMTPA
id 8NfRH-Pqc05F-gH
for; Wed, 28 Oct 2020 12:34:41 +0200

So, somebody impersonating Intuit at IP Address relayed this through on its way to me. Let’s use a whois lookup to find out more.

A whois lookup shows IP Address is in Taiwan. And another whois lookup for IP Address shows it’s in Bulgaria. Which means, a phisher in Taiwan composed a fake Amazon email and relayed it through Bulgaria to me, in Minnesota, USA. And probably a zillion other people.

This is what we mean when we say the internet is global.
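The hop-by-hop reading of the Received headers above can be automated. The following is an added example, not part of the original post: the sample message is constructed in the same shape as the header shown, and its hostnames and IP addresses are documentation placeholders, not the addresses from the real email.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample; hosts and IPs are placeholders (RFC 5737 / .example).
SAMPLE = """\
Received: from relay.example.net ([198.51.100.7]) by
 mail.recipient.example (192.0.2.10) with Microsoft SMTP Server id
 15.1.1531.3 via Frontend Transport; Wed, 28 Oct 2020 05:34:42 -0500
Received: from [203.0.113.45] (unknown [203.0.113.45])
 by relay.example.net with ESMTPA
 id 8NfRH-Pqc05F-gH
 for <user@recipient.example>; Wed, 28 Oct 2020 12:34:41 +0200
From: "Shipping" <ship-confirm@sender.example>
Subject: Your order has shipped

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace_hops(raw):
    """Return hops oldest-first as (sending_ip, receiving_host, utc_time)."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received line, so reverse for origin-first.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())           # unfold continuation lines
        clause, _, stamp = text.rpartition(";")  # timestamp follows last ';'
        from_part, _, by_part = clause.partition(" by ")
        ip = IP_RE.search(from_part)             # bracketed IP of the sender
        by_words = by_part.split()
        when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        hops.append((ip.group(1) if ip else None,
                     by_words[0] if by_words else None, when))
    return hops

def hop_delays(hops):
    """Seconds between consecutive hops; negative or huge values deserve a look."""
    return [(b[2] - a[2]).total_seconds() for a, b in zip(hops, hops[1:])]

if __name__ == "__main__":
    hops = trace_hops(SAMPLE)
    for ip, host, when in hops:
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {ip} -> {host}")
    print("delays (s):", hop_delays(hops))
```

Only the Received lines added by servers you control are fully trustworthy; anything below them was supplied by the sending side and can be forged, so treat the earliest hops as a lead for the whois lookup rather than proof.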