This morning I received a panicked message from a friend. He had received an email saying his non-profit was getting sued for copyright infringement, and asked if I could put him in touch with a good lawyer on what to do. He noted that he hadn't clicked any links yet, so I said sure, but how about you grab the plain source of the email and send that to me, so that I can check you're not being scammed into something.
The From email address was a DKIM-enabled edu.vn sub-sub-sub domain
Google let it through with a spam rating of -1.8 because dkim checked out
Their private mailserver let it through because dkim checked out
The mail was written in acceptable French (I could understand most of it and my French kinda sucks)
The "evidence" wasn't attached but linked (normal for lawyers), but the link went to rebrandly.com - not too normal for lawyers.
I tor-proxied curl and fetched it; after 5 redirects it came to some page that tries to redirect via script to a zipfile
I downloaded the zipfile (also tor-proxied) and read it with a throwaway user
Turned out to be a rar file, so I did rar -t on it.
Contents: an .exe, a .dll and a script; i.e. this is a trojan.
Saved my friend 500k sats retainer money, in 5 minutes. Yay.
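The last three steps of the story (download the "zipfile", notice it is really a rar, list its contents and spot the .exe/.dll/script) are the part worth turning into a repeatable check. Below is an added example, not code from the post's author: it identifies the real container format from the leading magic bytes rather than the file extension, lists zip members without extracting anything, and flags member extensions that have no business in a legal exhibit. The sample archives are constructed in memory for the demonstration; for a rar it only identifies the format, since listing one needs an external tool such as rar -t, as in the post.

```python
"""Offline triage of a downloaded "evidence" archive (added example)."""
import io
import os
import zipfile
from dataclasses import dataclass, field

# Well-known magic numbers for the two container formats in the story.
MAGIC = (
    (b"Rar!\x1a\x07\x01\x00", "rar"),   # RAR 5.x
    (b"Rar!\x1a\x07\x00", "rar"),       # RAR 4.x
    (b"PK\x03\x04", "zip"),
    (b"PK\x05\x06", "zip"),             # empty archive (end-of-central-directory only)
)

# Member extensions that should never appear in a lawyer's "evidence".
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                  ".ps1", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                  ".lnk", ".msi", ".jar"}


@dataclass
class TriageReport:
    claimed_type: str        # derived from the file name we were given
    detected_type: str       # derived from the leading bytes
    members: list = field(default_factory=list)
    suspicious: list = field(default_factory=list)

    @property
    def type_mismatch(self) -> bool:
        # Extension lying about the format is itself a red flag (zip name, rar bytes).
        return self.claimed_type != "unknown" and self.claimed_type != self.detected_type

    @property
    def verdict(self) -> str:
        if self.suspicious:
            return "do not open: contains executable content"
        if self.type_mismatch:
            return "do not open: extension does not match real format"
        if self.detected_type == "rar":
            return "rar: list with an external tool (e.g. rar -t) before deciding"
        return "no executables listed; still untrusted"


def claimed_type(filename: str) -> str:
    ext = os.path.splitext(filename)[1].lower()
    return {".zip": "zip", ".rar": "rar"}.get(ext, "unknown")


def detect_type(data: bytes) -> str:
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def triage_archive(filename: str, data: bytes) -> TriageReport:
    report = TriageReport(claimed_type(filename), detect_type(data))
    if report.detected_type == "zip":
        # infolist() reads only the central directory; nothing is extracted or run.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                report.members.append(info.filename)
                # splitext handles double extensions: "Complaint.pdf.exe" -> ".exe"
                if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXT:
                    report.suspicious.append(info.filename)
    return report


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the lure: a double-extension 'PDF', a DLL and a script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Evidence/Complaint.pdf.exe", b"MZ" + b"\0" * 64)
        zf.writestr("Evidence/helper.dll", b"MZ" + b"\0" * 64)
        zf.writestr("Evidence/run.cmd", b"rem constructed placeholder\r\n")
        zf.writestr("Evidence/readme.txt", b"constructed placeholder\r\n")
    return buf.getvalue()


# Constructed: a RAR5 signature plus filler, delivered under a .zip file name.
SAMPLE_RAR_AS_ZIP = b"Rar!\x1a\x07\x01\x00" + b"\0" * 32


if __name__ == "__main__":
    for name, blob in (("Evidence.zip", build_sample_zip()),
                       ("Evidence.zip", SAMPLE_RAR_AS_ZIP)):
        r = triage_archive(name, blob)
        print(f"{name}: claimed={r.claimed_type} detected={r.detected_type} "
              f"suspicious={r.suspicious} -> {r.verdict}")
```

Run it on the file you fetched (read the bytes, pass the original file name) before anything else touches it; it never extracts, so a member list is all you get, which is exactly enough to reach the post's conclusion.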