[AusNOG] Bigpond email abuse

Jett Jackson jett at lumity.com.au
Wed Jun 2 15:36:41 EST 2021


Working in healthcare and I've seen a huge uptick in phishing emails like these; they're frustratingly difficult to filter out.

They follow the general format of a reply, although I do notice they strip the message info block in the top email in the chain; presumably this is so people don't notice the date on the old email thread.


Jett Jackson
Hosting and Automation Lead

E   Jett at LUMITY.com.au
T   1300 LUMITY (1300 586 489)
W  www.LUMITY.com.au
A   PO BOX 4089 | Success, WA 6964



-----Original Message-----
From: AusNOG <ausnog-bounces at lists.ausnog.net> On Behalf Of James Williamson
Sent: 2 June 2021 1:03 PM
To: ausnog at lists.ausnog.net
Subject: [AusNOG] Bigpond email abuse

Hi All,

We saw an external user a few months ago who had their Bigpond address compromised, and the entire mailbox dumped. Afterwards, they discovered friends and colleagues are receiving replies to years-old threads (although the new message is from a random email address), usually with some sort of phishing link. Now we've seen it again with a second and unrelated Bigpond user.

Has anybody seen anything similar before? I'm not familiar with this breed of spam, and to see two of them from the same host has my curiosity up a bit. Trying to find other cases like this eluded my Google-fu.

[example, redactions mine]
From: Robyn ******* <Robyn*********@anetafons.pl>
Sent: Friday, 21 May 2021 2:32 AM
To: Allison ******* <Allison.******@******.au>
Subject: Re: RE: ********

--EMAIL FROM EXTERNAL ADDRESS, CHECK LINKS & ATTACHMENTS BEFORE CLICKING OR OPENING THEM--
 

Good afternoon,
It's Robyn *******. Please look at the report and deal with any problems. Here is the document link:
https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2F1drv.ms%2Fu%2Fs!*******%3Fe%3Dysj***&data=04%7C01%7Cjett%40lumity.com.au%7C182a25cc8120451ff00008d92583dfab%7C7a9a5d2e2e474e409f91ebb62bb590e9%7C0%7C0%7C637582070598594551%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Y%2BI5oR8jPr9z%2FFBSVBgx6UbGEuD4K4ThSFacfDjVi%2F0%3D&reserved=0
password: 5214 


On 2018-12-07 15:34, Allison ******** wrote:
Hi Allison

Thanks so much for your time in showing me around **** recently. I was really  impressed with your knowledge of the programs and facilities, and the ***** in general.
(snip)
[end example]

Cheers,
James
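As an added example (not part of either poster's message): a Python heuristic that checks one message for the three traits visible in the example above, namely a familiar display name on an unfamiliar domain, a reply quoting a years-old thread, and a link sent together with a password. The addresses, the `known_senders` map and the sample message are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Attribution lines in the style quoted on the page: "On 2018-12-07 15:34, X wrote:"
QUOTE_RE = re.compile(r"^On (\d{4}-\d{2}-\d{2}) \d{2}:\d{2}, .+ wrote:$", re.M)

def hijack_indicators(raw, known_senders, max_age_days=365):
    """Return the thread-hijack traits found in one raw, single-part message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    name, addr = parseaddr(msg["From"] or "")
    sent = parsedate_to_datetime(msg["Date"]).replace(tzinfo=None)
    hits = []
    # Trait 1: display name we know, sending domain we have never seen for it.
    domain = addr.rpartition("@")[2].lower()
    if name in known_senders and known_senders[name] != domain:
        hits.append("known-name-new-domain")
    # Trait 2: a "Re:" whose newest quoted message is far older than the reply.
    quoted = [datetime.strptime(d, "%Y-%m-%d") for d in QUOTE_RE.findall(body)]
    is_reply = (msg["Subject"] or "").lower().startswith("re:")
    if is_reply and quoted and sent - max(quoted) > timedelta(days=max_age_days):
        hits.append("stale-thread")
    # Trait 3: a link delivered together with a password for it.
    if re.search(r"https?://\S+", body) and re.search(r"^password:\s*\S+", body, re.M | re.I):
        hits.append("link-with-password")
    return hits

# Constructed data: known_senders is a hypothetical map built from mailbox history.
KNOWN = {"Robyn Example": "hospital.example"}
SAMPLE = """\
From: Robyn Example <robyn.example@mailer.example>
To: Allison Example <allison@clinic.example>
Date: Fri, 21 May 2021 02:32:00 +1000
Subject: Re: RE: Site visit

Good afternoon,
Please look at the report. Here is the document link:
https://files.example/report
password: 0000

On 2018-12-07 15:34, Allison Example wrote:
Hi Robyn
Thanks so much for your time.
"""
```

No single trait is conclusive on its own; the combination of all three is what matches the messages described in this thread.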