Every day we see phishing activity in our sensor reports, both at customer sites and at Jigsaw Security itself. These messages are typically themed around PayPal, Microsoft or another large company. What stands out is that many of the messages claim to be from Microsoft while every link in them points to a third party that is either trying to infect you with malware or to confirm that your address is live so it can be sent even more unwanted mail.
The Jigsaw Security FirstWatch sensor validates messages by matching brand keywords in the subject line against where the message actually points. For instance, if the subject claims the message is from Microsoft but none of the links lead to a domain actually registered to Microsoft (in Washington state), chances are it is not from Microsoft.
Here is an example of such a message:
As you can see, there are several problems indicating that this is NOT Microsoft. Notice that the "Release to inbox" section contains formatting errors, as does the "Report as Not Junk" link. You would think that threat actors would test that their messages render correctly for recipients, but that is usually not the case. We also often see misspellings and similar mistakes that make such messages easy to identify.
Indicators from this message:
157.7.184[.]16
52.187.11[.]180
excellentloundry[.]com
s1.valueserver[.]jp
As you can see, neither the mail servers in the delivery path nor the original sender are anywhere close to Microsoft's infrastructure.
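The subject-versus-link check described above, run over a constructed message built from this post's indicator list, together with a legitimate counterpart for comparison. This is an added example and is not FirstWatch code or Jigsaw's detection logic; the brand allowlist, the invented Received path, addresses and URL paths, and the documentation-range IP in the legitimate sample are all assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the Microsoft-themed phish in the post. The
# Received path, addresses and URL paths are invented for this example; the
# hostnames and IPs are the ones from the post's indicator list.
PHISH_EML = """\
Received: from s1.valueserver.jp (s1.valueserver.jp [157.7.184.16])
    by mx.example.net with ESMTP; Mon, 1 Jan 2018 10:00:00 +0000
From: "Microsoft Outlook Team" <quarantine@excellentloundry.com>
To: user@example.net
Subject: Microsoft Outlook: 3 messages held in quarantine
Content-Type: text/html; charset=utf-8

<html><body>
<p>You have 3 undelivered messages waiting.</p>
<p><a href="http://excellentloundry.com/release.php?u=user">Release to inbox</a></p>
<p><a href="http://52.187.11.180/notjunk.php">Report as Not Junk</a></p>
</body></html>
"""

# Constructed legitimate counterpart: same theme, but the sender, relay and
# every link sit under a domain the brand owns (IP from the documentation range).
LEGIT_EML = """\
Received: from smtp.outlook.com (smtp.outlook.com [203.0.113.5])
    by mx.example.net with ESMTP; Mon, 1 Jan 2018 10:00:00 +0000
From: "Microsoft Outlook" <no-reply@microsoft.com>
To: user@example.net
Subject: Microsoft Outlook: quarantine digest
Content-Type: text/html; charset=utf-8

<html><body><a href="https://outlook.office.com/quarantine">Review</a></body></html>
"""

# Brand keywords to look for in Subject, mapped to domains the brand really uses.
# Assumption: this short allowlist is enough for the example; a deployment would
# carry a fuller, maintained list.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "outlook.com", "live.com",
                  "microsoftonline.com"},
    "paypal": {"paypal.com"},
}


def is_brand_domain(host, allowed):
    """True if host equals or is a subdomain of a brand domain. The suffix match
    is on a label boundary, so 'microsoft.com.evil.net' does not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def defang(ioc):
    """Defang the last dot only, matching the convention used in the post."""
    head, sep, tail = ioc.rpartition(".")
    return f"{head}[.]{tail}" if sep else ioc


def analyze(raw):
    """Which brands the Subject claims, and whether the sender, the originating
    relay and every link target actually belong to one of them."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).lower()
    brands = [b for b in BRAND_DOMAINS if b in subject]

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    link_hosts = []
    for href in re.findall(r'href=["\']([^"\']+)', html, flags=re.I):
        host = urlparse(href).hostname
        if host:
            link_hosts.append(host.lower())

    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    # Each hop prepends a Received header, so the last one is the hop closest to
    # the original sender; that is the relay worth judging, not our own MX.
    received = [str(h) for h in msg.get_all("Received", [])]
    origin = received[-1] if received else ""
    relay_hosts = re.findall(r"from\s+([A-Za-z0-9.-]+\.[A-Za-z]{2,})", origin)
    relay_ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", origin)

    findings = []
    for brand in brands:
        allowed = BRAND_DOMAINS[brand]
        if sender_domain and not is_brand_domain(sender_domain, allowed):
            findings.append(f"{brand}: sender domain {sender_domain} is not a brand domain")
        bad_links = [h for h in link_hosts if not is_brand_domain(h, allowed)]
        if bad_links:
            findings.append(f"{brand}: links point to {', '.join(bad_links)}")
        bad_relays = [h for h in relay_hosts if not is_brand_domain(h, allowed)]
        if bad_relays:
            findings.append(f"{brand}: originating relay {', '.join(bad_relays)}")

    indicators = sorted({defang(x) for x in
                         [sender_domain] + link_hosts + relay_hosts + relay_ips if x})
    return {"brands": brands, "verdict": "suspicious" if findings else "ok",
            "findings": findings, "indicators": indicators}


if __name__ == "__main__":
    for name, eml in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        result = analyze(eml)
        print(name, result["verdict"], result["findings"], result["indicators"])
```

The check deliberately judges only the earliest Received hop: later hops are your own relays and would be flagged on every message. Brand keywords in the Subject are a coarse trigger, so a message that mentions Microsoft in passing while legitimately linking elsewhere will score as suspicious; that is the trade-off the heuristic makes.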
About the Jigsaw FirstWatch mail server protection:
The Jigsaw Security FirstWatch sensor identifies malicious messages, malware and viruses by examining content and comparing it to known threats. In addition, built-in heuristics identify unknown threats using a proprietary scoring method that examines binaries and other items commonly used to attack end users' mailboxes. Find out how you can use Jigsaw FirstWatch to protect your users on premises, in the cloud, or with our endpoint protection products.