For more phishing samples, see my phishy email collection.
Fake Amazon documents may be one of the most common phishing attacks. Timing is everything. Maybe you ordered something big from Amazon a couple days ago and you’re expecting a shipping confirmation. And then this shows up in your inbox.
It’s a pretty good forgery. The embedded link even points to where it claims to point. But the attachment is an Excel macro, not a spreadsheet. And upon further review, why would any shipper send a spreadsheet instead of a PDF? Which would still be suspicious. I’ll give this a B+.
Just because we can, let’s see what the email header looks like below the screenshot.
Relevant Portion of the Email Header and Whois Info
. . .
Received: from 220.127.116.11 by mail2016.infrasupport.local (10.10.10.14) with
 Microsoft SMTP Server id 15.1.1531.3 via Frontend Transport;
 Wed, 28 Oct 2020 05:34:42 -0500
Received: from 18.104.22.168 by with ESMTPA id 8NfRH-Pqc05F-gH for
 firstname.lastname@example.org; Wed, 28 Oct 2020 12:34:41 +0200
. . .
So, somebody at IP Address 22.214.171.124 relayed this through 126.96.36.199 on its way to me. Let’s use a whois lookup to find out more.
A whois lookup shows IP Address 188.8.131.52 is in Taiwan. And another whois lookup for IP Address 184.108.40.206 shows it’s in Bulgaria. Which means, a phisher in Taiwan composed a fake Amazon email and relayed it through Bulgaria to me, in Minnesota, USA. And probably a zillion other people.
This is what we mean when we say the internet is global.
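The hop tracing done by hand above, as an added Python example that is not from the original post: it reads the Received lines oldest-first, copes with the missing `by` host seen in the second line, and compares the timestamps across time zones. The sample header is constructed with documentation-range addresses, and `trace_hops` and `hop_delays` are names chosen here.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modeled on the header above; the addresses come from
# the RFC 5737 documentation ranges, not from the original message.
SAMPLE = """\
Received: from 198.51.100.7 by mail.example.local (10.10.10.14) with
 Microsoft SMTP Server id 15.1.1531.3 via Frontend Transport;
 Wed, 28 Oct 2020 05:34:42 -0500
Received: from 203.0.113.25 by with ESMTPA id ABC123 for
 user@example.org; Wed, 28 Oct 2020 12:34:41 +0200
Subject: constructed sample

body
"""

FROM_RE = re.compile(r"\bfrom\s+\[?([^\s\]]+)")
# A keyword right after "by" means the receiving host name is missing.
BY_RE = re.compile(r"\bby\s+(?!(?:with|via|id|for)\b)(\S+)")


def trace_hops(raw):
    """Return hops oldest-first. Each server prepends its own Received
    line, so only lines added by servers you control are trustworthy;
    anything below them can be written by the sender."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        info, _, stamp = flat.rpartition(";")   # the date follows the last ';'
        src, by = FROM_RE.search(info), BY_RE.search(info)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None
        hops.append({"from": src.group(1) if src else None,
                     "by": by.group(1) if by else None,
                     "time": when})
    return hops


def hop_delays(hops):
    """Seconds between consecutive hops; offsets are normalised because
    the parsed datetimes are timezone-aware."""
    times = [h["time"] for h in hops]
    return [(b - a).total_seconds() if a and b else None
            for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(hop)
```

The two timestamps look seven hours apart but are one second apart once the -0500 and +0200 offsets are applied, which is what a direct relay looks like.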