[ACTION REQUEST] You have been red flagged for violating our terms

Upon opening the email, it was observed that the attacker attempted to impersonate a trusted brand, presenting the following email identity to the user:

amz@fareast.com.sg

During email path analysis, the true origin of the message was identified as the following IP address:

77.32.148.40

While tracing the message transmission, it was found that attackers relied on third-party infrastructure. The domain used during the SMTP handshake (HELO/EHLO) was:

hn.d.sender-sib.com

Based on infrastructure indicators, the attack was determined to originate from:

France

Although the email appeared legitimate, authentication checks showed the following results:

  • SPF: pass
  • DKIM: pass
  • DMARC: fail


Threat intelligence analysis revealed that the network typically associated with this infrastructure is:

FR-MAILINBLUE-20061213

While tracing bounce handling, the return domain that revealed the actual sending infrastructure was:

hn.d.sender-sib.com

Further ASN/IP intelligence confirmed that the organization associated with this infrastructure is:

Sendinblue SAS

For timeline reconstruction, the original arrival timestamp of the email was extracted as:

2023/12/15 12:43:28

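The header findings above (origin IP, HELO name, SPF/DKIM/DMARC verdicts, Return-Path domain and arrival timestamp) can all be pulled from the raw message programmatically. The script below is an added example, not part of the original write-up: it parses a constructed header set that mirrors the values reported here (the DKIM d= domain, the receiving host mx.example.net and the +0000 timezone are assumptions) and then recomputes relaxed DMARC alignment to show why SPF and DKIM can both pass while DMARC fails: the authenticated domains (hn.d.sender-sib.com, the Sendinblue bounce domain) share no organizational domain with the From header domain (fareast.com.sg). The public-suffix handling is a toy stand-in for the real Public Suffix List.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample headers (not the original message). Sender address, HELO
# host, IP and timestamp follow the write-up; the DKIM d= domain, the receiving
# MX and the timezone are assumptions made for this example.
RAW_EMAIL = """\
Return-Path: <bounce@hn.d.sender-sib.com>
Received: from hn.d.sender-sib.com (hn.d.sender-sib.com [77.32.148.40])
\tby mx.example.net with ESMTPS id abc123;
\tFri, 15 Dec 2023 12:43:28 +0000
Authentication-Results: mx.example.net;
\tspf=pass smtp.mailfrom=hn.d.sender-sib.com;
\tdkim=pass header.d=sender-sib.com;
\tdmarc=fail header.from=fareast.com.sg
From: "Amazon" <amz@fareast.com.sg>
To: victim@example.net
Subject: [ACTION REQUEST] You have been red flagged for violating our terms

Your account is locked. Reference code: EWK1DOOSJ982
"""

# Toy stand-in for the Public Suffix List; a real tool must use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "sg", "com.sg"}


def org_domain(host: str) -> str:
    """Organizational (registrable) domain, e.g. hn.d.sender-sib.com -> sender-sib.com."""
    labels = host.lower().strip(".").split(".")
    for i in range(1, len(labels)):            # longest matching suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def _unfold(value) -> str:
    """Collapse folded header whitespace into single spaces."""
    return " ".join(str(value).split())


def parse_auth_results(msg) -> dict:
    """Extract spf/dkim/dmarc verdicts and their identifier domains."""
    value = _unfold(msg.get("Authentication-Results", ""))
    pattern = r"\b(spf|dkim|dmarc)=(\w+)(?:\s+(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+))?"
    results = {}
    for method, verdict, _key, domain in re.findall(pattern, value):
        results[method] = {"result": verdict, "domain": domain or None}
    return results


def first_hop(msg) -> str:
    """Earliest Received header: MTAs prepend, so the origin hop is listed last."""
    received = msg.get_all("Received") or []
    return _unfold(received[-1]) if received else ""


def check_dmarc_alignment(msg) -> dict:
    """Recompute relaxed DMARC alignment from the From domain and auth results."""
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_aligned = bool(spf.get("domain")) and spf.get("result") == "pass" \
        and org_domain(spf["domain"]) == org_domain(from_domain)
    dkim_aligned = bool(dkim.get("domain")) and dkim.get("result") == "pass" \
        and org_domain(dkim["domain"]) == org_domain(from_domain)
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned}


def analyze(raw: str) -> dict:
    """Collect the header indicators an analyst records for a suspicious email."""
    msg = message_from_string(raw, policy=default)
    hop = first_hop(msg)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
    helo = re.match(r"from\s+(\S+)", hop)
    date = parsedate_to_datetime(hop.rsplit(";", 1)[-1].strip()) if ";" in hop else None
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    return {
        "origin_ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "return_path_domain": return_path.rpartition("@")[2].lower() or None,
        "arrival": date.strftime("%Y/%m/%d %H:%M:%S") if date else None,
        "auth": parse_auth_results(msg),
        "alignment": check_dmarc_alignment(msg),
    }


if __name__ == "__main__":
    for key, val in analyze(RAW_EMAIL).items():
        print(f"{key}: {val}")
```

Run as-is to see the constructed message analysed; point `analyze()` at the contents of a saved `.eml` to apply the same checks to a real sample. The alignment check is the part worth keeping in mind: a pass on SPF or DKIM only says the bounce domain or signing domain authorized the message, and DMARC fails here because neither of them is the domain the user actually sees in the From header.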
During content analysis, it was discovered that attackers used a tracking/redirection layer instead of a direct malicious domain. The main domain used for this purpose was:

chdgiei.r.bh.d.sendibt3.com

According to MITRE ATT&CK, the phishing sub-technique used in this attack is:

Spearphishing Link

The impersonated organization in this campaign was identified as:

Amazon

To simulate legitimacy and urgency within the email body, the attacker used the following code:

EWK1DOOSJ982

MITRE ATT&CK analysis also identified the related software as:

Pony

Further investigation revealed a hidden image used to track user interaction with the email. The image path was:

https://chdgiei.r.bh.d.sendibt3.com/im/2736848/efa8fa6d687f584a84b74f518d42f2b14e8b9491f2385af03a9162e0f4bc506f.jpg

Additionally, a hidden GIF used for tracking user interaction was found at:

https://chdgiei.r.bh.d.sendibt3.com/im/2736848/4a8f10aadc4f0604542a2bd40dc49eafb457671a2bed5ecd3d267157e5632ae6.gif

The attack was mapped to MITRE ATT&CK technique:

T1566

Finally, the recommended mitigation strategy focusing on increasing user awareness is:

M1017