Hello and welcome to the Tuesday, May 16, 2023 edition of the Sandton and Storm Center's

Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

For about four months now, Jan has been tracking some interesting emails that claim to come from Facebook.

Of course, they're not from Facebook.

They're essentially phishing emails with a couple sort of interesting artifacts.

First of all, the from address is just the string Facebook, not a valid email address, just essentially the name.

Now, typically, you do have a name and an email address, but here the email address part is

just left blank. Maybe this is supposed to help with some of the sort of de-kim SPF-like filters.

Then the links are also a little bit odd in that many of the links are mail-to-links.

So if the user clicks on them, they're not being sent to a particular webpage instead.

The email client opens a new window and then attempts to send an email.

Of course, the user still has to actually send the email.

The email is not sent automatically.

Could be where the attacker is maybe trying to sort of communicate with the victim here,

maybe hoping the victim would ask for help.

And then, of course, the attacker would like to supply that help.

But what's for the most interesting part of this otherwise,

not really not super remarkable phishing email,

is that the attacker apparently just copy-pasteed a lot of the content

from an actual Facebook email.

Of course, that makes the email more plausible, makes it easier

to actually have the right layout and everything.

...