A client who uses Xtramail has recently received half a dozen emails with a display name of a mutual contact. The mutual contact has a Gmail account and I haven't received anything dodgy related to the mutual contact.
I speculate that either:
1. The mutual contact's Gmail account or other data has been compromised, allowing the scammer(s) to obtain his email contact list, i.e. my client's Xtramail account has not been hacked.
2. The client's Xtramail account has been hacked.
Are there any clues in the email header / properties?
Is it possible to identify which ISPs, domains, etc are being used by the scammer from the email properties?
(client and mutual contact details removed for privacy reasons)
Email (as seen by client when email is opened)
From: [MUTUAL CONTACT NAME] <ts-1515@thestudylecole.edu.in>
Subject: Fwd: Message from [MUTUAL CONTACT NAME]
Message body text:
-----Original Message-----
Should have emailed them a little earlier - anyway here are these photos
now: http://www.tztvl.rteprro.com/
**********************
Header / Properties:
Received: from IND01-BMX-obe.outbound.protection.outlook.com ([40.107.239.129])
by mx.xtra.co.nz with ESMTP (using TLSv1.2
with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
id 63A5E5C2-98D12344@mta2301; Fri, 23 Dec 2022 17:30:43 +0000
Received: from xtra.co.nz ([10.23.30.21])
by 10.23.30.101 with LMTP
id IK/ZKcPlpWNoOAAAxkc+lQ:T4
(envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
([fe80::6539:120a:d6ae:6d82]) by PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
([fe80::6539:120a:d6ae:6d82%8]) with mapi id 15.20.5924.016; Fri, 23 Dec 2022
17:30:38 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM (2603:1096:c01:d8::8) by
MA0P287MB0515.INDP287.PROD.OUTLOOK.COM (2603:1096:a01:b9::5) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.5924.16; Fri, 23 Dec 2022 17:30:38 +0000
Received: from 10.23.30.101 ([10.23.30.21])
by 10.23.40.143 with LMTP
id IK/ZKcPlpWNoOAAAxkc+lQ:T4:P1
(envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Received: from 10.23.40.143 ([10.23.30.21])
by 10.23.40.60 with LMTP
id IK/ZKcPlpWNoOAAAxkc+lQ:T4:P1:P1
(envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Return-Path: <TS-1515@thestudylecole.edu.in>
From: "MUTUAL CONTACT NAME" <ts-1515@thestudylecole.edu.in>
To: <CLIENT NAME@xtra.co.nz>
Subject: Fwd: Message from [MUTUAL CONTACT NAME]
Date: Sat, 24 Dec 2022 06:30:36 +1300
Message-ID: <PN3P287MB0129A49EDD351EDB6471B8D4B9E99@PN3P287MB0129.INDP287.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdkW9EiZAlrFz3qBSNaeQTybpbHhjQ==
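As an added worked example (not part of the question and not the poster's own code), the script below parses the header block posted above and pulls out the facts the question asks about: the hop at which the recipient's own MX accepted the message and from which public address, whether the envelope sender (Return-Path) matches the From address, how far the Date header is from the relay timestamp, the domain in the Message-ID, the X-Mailer claim, whether any Authentication-Results header is present, and the host behind the link in the body. The header text is copied from the question with the poster's redactions kept as-is; the later LMTP hops that only show private 10.x addresses are omitted because they add nothing the first LMTP hop does not, and the two LMTP hops below are the question's own. Everything else (the regexes, the field names in the result) is this example's own choice.

```python
"""Header triage for the message quoted above: list every Received hop, flag
the hop where the recipient's own MX took the message from a public address,
and compare envelope sender, From, Date and Message-ID against the relay."""
import email
import email.utils
import ipaddress
import re

# Header block as posted in the question (poster's redactions kept).
# Continuation lines are indented so the standard parser unfolds them.
# The question's two further LMTP hops (private 10.x addresses only) are left out.
RAW_MESSAGE = """\
Received: from IND01-BMX-obe.outbound.protection.outlook.com ([40.107.239.129])
 by mx.xtra.co.nz with ESMTP (using TLSv1.2
 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 id 63A5E5C2-98D12344@mta2301; Fri, 23 Dec 2022 17:30:43 +0000
Received: from xtra.co.nz ([10.23.30.21])
 by 10.23.30.101 with LMTP
 id IK/ZKcPlpWNoOAAAxkc+lQ:T4
 (envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82]) by PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82%8]) with mapi id 15.20.5924.016; Fri, 23 Dec 2022
 17:30:38 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM (2603:1096:c01:d8::8) by
 MA0P287MB0515.INDP287.PROD.OUTLOOK.COM (2603:1096:a01:b9::5) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5924.16; Fri, 23 Dec 2022 17:30:38 +0000
Return-Path: <TS-1515@thestudylecole.edu.in>
From: "MUTUAL CONTACT NAME" <ts-1515@thestudylecole.edu.in>
To: <CLIENT NAME@xtra.co.nz>
Subject: Fwd: Message from [MUTUAL CONTACT NAME]
Date: Sat, 24 Dec 2022 06:30:36 +1300
Message-ID: <PN3P287MB0129A49EDD351EDB6471B8D4B9E99@PN3P287MB0129.INDP287.PROD.OUTLOOK.COM>
X-Mailer: Microsoft Office Outlook 12.0

-----Original Message-----
Should have emailed them a little earlier - anyway here are these photos
now: http://www.tztvl.rteprro.com/
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"          # host the relay says it received from
    r"(?:\s+\((?P<info>[^)]*)\))?"   # optional "(host [ip])" or "([ip])" clause
    r".*?\bby\s+(?P<by>\S+)",        # the relay that wrote this header
    re.S,
)
IP_RE = re.compile(r"[0-9A-Fa-f.:]+")


def unfold(value):
    """Collapse RFC 5322 folding whitespace into single spaces."""
    return " ".join(value.split())


def parse_received(value):
    """Return {from, by, ip, when} for one Received header, or None."""
    value = unfold(value)
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = None
    for cand in IP_RE.findall(m.group("info") or ""):
        try:
            ip = ipaddress.ip_address(cand)
            break
        except ValueError:
            continue
    when = None
    if ";" in value:  # timestamp is the clause after the last semicolon
        try:
            when = email.utils.parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return {"from": m.group("from"), "by": m.group("by"), "ip": ip, "when": when}


def analyze(raw):
    msg = email.message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    to_domain = re.search(r"@([\w.-]+)", msg.get("To", "")).group(1).lower()
    # The hop that matters is where the recipient's own MX accepted the message
    # from a public address: hops before it are the sender's infrastructure,
    # hops after it are internal delivery at the recipient.
    handoff = next((h for h in hops if h["ip"] and h["ip"].is_global
                    and h["by"].lower().endswith(to_domain)), None)
    header_from = email.utils.parseaddr(unfold(msg.get("From", "")))
    envelope = email.utils.parseaddr(unfold(msg.get("Return-Path", "")))[1]
    date = email.utils.parsedate_to_datetime(msg["Date"])
    return {
        "display_name": header_from[0],
        "from_domain": header_from[1].rpartition("@")[2].lower(),
        "envelope_domain": envelope.rpartition("@")[2].lower(),
        "handoff_host": handoff["from"] if handoff else None,
        "handoff_ip": str(handoff["ip"]) if handoff else None,
        "public_ips": sorted({str(h["ip"]) for h in hops if h["ip"] and h["ip"].is_global}),
        "date_to_mx_seconds": (handoff["when"] - date).total_seconds() if handoff else None,
        "message_id_domain": msg["Message-ID"].strip("<>").rpartition("@")[2].lower(),
        "x_mailer": msg.get("X-Mailer"),
        "has_auth_results": "Authentication-Results" in msg,
        "body_hosts": sorted(set(re.findall(r"https?://([^/\s]+)", msg.get_payload()))),
    }


if __name__ == "__main__":
    for key, val in analyze(RAW_MESSAGE).items():
        print(f"{key}: {val}")
```

Run on the posted headers, this reports that mx.xtra.co.nz accepted the message from 40.107.239.129 (IND01-BMX-obe.outbound.protection.outlook.com, Microsoft 365 outbound), that the Return-Path and From both use thestudylecole.edu.in (so the contact appears only as a display name, not as a spoofed address), that the Date header is 7 seconds before the MX timestamp (consistent, no obvious forged date), that the Message-ID was generated by the same PROD.OUTLOOK.COM tenant seen in the internal hops, and that the body links to www.tztvl.rteprro.com. The headers as pasted contain no Authentication-Results line, so the SPF/DKIM/DMARC outcome cannot be read from them; if Xtra adds one, it is worth pasting. Nothing in this chain passes through the client's own account as a sender: the message was submitted through Microsoft 365 and arrived at Xtra's MX from outside, which is what one would expect from a third party working from a harvested contact list rather than from a compromised Xtramail mailbox. The X-Mailer string is self-reported by the sender and proves nothing on its own.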