We have been seeing more and more of these at customer sites but the callback links are typically already in the FirstWatch sensor. Do not client on the link as it leads to some nasty infections.
Please note that we have received a second email this time with an IRS and DHL shipping notification theme. IOC's for this second email have been added below.
A look in the Jigsaw Analytic Platform show recent activity
105.8.2[.]175 - X-Originating IP
104.27.158[.]152 css.opposingviews[.]com findreviewedtreadmillss.gb[.]net https://findreviewedtreadmillss.gb[.]net/js/?vfy=[redacted] img.opposingviews[.]com mailfs[.]com odzyskiwaniedanych-gdansk[.]pl search.opposingviews[.]com uangpedia[.]com
Additional IOCS on Second Incident:
105.8.2[.]175 - Note the same X-Originating IP