Revise Invoice

These days, I'm receiving requests about invoices. People want to pay me but my invoice has a problem/concern.

In fact, the "invoice" is a PDF document with a link to a hacker's website, where you'll be asked to enter various credentials. Their code may also attempt various XSS attacks or similar things.

If you get those, opening the PDF is most probably safe, but following the link is not.


Return-Path: <SRS0+0UFE=5L=hotmail.com=Jonie_Whishaw@m2osw.com>
X-Original-To: alexis@m2osw.com
Delivered-To: alexis@m2osw.com
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-oln040092000077.outbound.protection.outlook.com [40.92.0.77])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
    (No client certificate requested)
    by m2osw.com (Postfix) with ESMTPS id CC0DE419DC
    for <alexis@m2osw.com>; Tue,  6 Jun 2017 23:54:02 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.1 m2osw.com CC0DE419DC
Authentication-Results: mail.m2osw.com; dmarc=none header.from=hotmail.com
Authentication-Results: m2osw.com;
    dkim=pass (2048-bit key; unprotected) header.d=hotmail.com header.i=@hotmail.com header.b=q7VW6Wzt;
    dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
 s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=sVAHACq+byC5UOWBU4suvTcxWO9FJ9btOkvoYnKKYAY=;
 b=q7VW6WztmplhzalfPABUQG+arUHS95dThNZ4G8JPxMu36AMsQFdHIPcPR8GD4n/UyiaXIZLJ2xU4Ox5+MxdnarIMXkvPqLcPFI
 +1nYF0yX3KkPePa/HV6ZwwBRQPSpR5iFQEIZDSe5BzI7mCC3No4fx1X38ebEquPkwX04pqLNNF/gEaEz0rygKh4OvHP+jQ+Mo6qK
 x4J4hOUhENbsqoFSLMc7ip8xoaX+OF1pqGpGhZcCv4rGk1Y4K/TUcRK5VI92aKZ5UkVdK0SkUpYmLb+5OC9bc8YsGPoyFytN11Fg
 z0gmIQgBQLsl3sYrv1Y1wwgnyiyh4HbsDVTZng6RwQ7Q==
Received: from BN3NAM01FT020.eop-nam01.prod.protection.outlook.com
 (10.152.66.54) by BN3NAM01HT144.eop-nam01.prod.protection.outlook.com
 (10.152.66.134) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1101.12; Tue, 6
 Jun 2017 23:54:01 +0000
Received: from DM3PR15MB0799.namprd15.prod.outlook.com (10.152.66.51) by
 BN3NAM01FT020.mail.protection.outlook.com (10.152.67.227) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1143.11 via Frontend Transport; Tue, 6 Jun 2017 23:54:01 +0000
Received: from DM3PR15MB0799.namprd15.prod.outlook.com ([10.164.201.15]) by
 DM3PR15MB0799.namprd15.prod.outlook.com ([10.164.201.15]) with mapi id
 15.01.1143.019; Tue, 6 Jun 2017 23:54:01 +0000
From: FirstName LastName <Jonie_Whishaw@hotmail.com>
To: "alexis@m2osw.com" <alexis@m2osw.com>
Subject: Fwd: Revise Invoice
Thread-Topic: Revise Invoice
Thread-Index: AQHS3yArcSd3wLu6Z0OTY8EKy9ozBQ==
Date: Tue, 6 Jun 2017 23:54:01 +0000
Message-ID: <DM3PR15MB0799517F5B13C886BFA07B2F8CCB0@DM3PR15MB0799.namprd15.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: m2osw.com; dkim=none (message not signed)
 header.d=none;m2osw.com; dmarc=none action=none header.from=hotmail.com;
x-incomingtopheadermarker: OriginalChecksum:57327801DA7DB8F2B7D966415B6B6DCB6307F22C0FA327DED6530
   8EBAF9F6DFD;UpperCasedChecksum:DA74FBDFA4CB8BE84B79FCED3DA624A35EFDB8E86419DA5A5D4BEFB79BDC8176;
   SizeAsReceived:7006;Count:43
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [UQMsPl7vE3oG0E/XEccxGFrmpLIsIENd]
x-ms-publictraffictype: Email
x-incomingheadercount: 43
x-eopattributedmessage: 0
x-forefront-antispam-report: EFV:NLI;SFV:NSPM;SFS:(7070007)(98901004);DIR:OUT;SFP:1901;SCL:1;SRVR:
   BN3NAM01HT144;H:DM3PR15MB0799.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;
x-ms-traffictypediagnostic: BN3NAM01HT144:
x-ms-office365-filtering-correlation-id: 0e6f1059-33bb-42cb-01d6-08d4ad374cd6
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(201702061074)(5061506573)(5061507331)
   (1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322274)(1603101448)
   (1601125374)(1701031045);SRVR:BN3NAM01HT144;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)
   (100105300095)(100000702101)(100105100095)(444000031);SRVR:BN3NAM01HT144;BCL:0;PCL:0;RULEID:
   (100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)
   (100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BN3NAM01HT144;
x-forefront-prvs: 033054F29A
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/mixed;
    boundary="_004_DM3PR15MB0799517F5B13C886BFA07B2F8CCB0DM3PR15MB0799namp_"
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jun 2017 23:54:01.0139
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3NAM01HT144

Dear alexis@m2osw.com, We are ready to make the payment but seriously confused about the genuine bank details.I called your office number, but no response.Kindly Check why the two Invoice you send to us has different Bank details because we receive another bank details yesterday instructing us that this is your new bank info. We dont want any delay from our side that is why we are concern, kindly put us through in a revised invoice. Your soonest reply will be appreciated Thanks and best Regards, Captain Rogerlee.

 

(The attachment is a PDF that looks like this; the View On Adobe button is a link to a page that will ask you for credentials you don't want to give those guys!)

Invalid Invoice with a Link to a hacker's page
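
To see where a button such as "View On Adobe" really points without following it, the link targets can be read straight out of the attachment's bytes. The sketch below is an added example, not part of the original post: it lists `/URI` actions written as literal strings, including those inside Flate-compressed streams, and flags hosts that do not belong to the brand the button claims. The sample bytes, hostnames and function names are constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlsplit

# /URI (....) inside a link action; the group allows backslash-escaped parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def extract_link_targets(pdf: bytes) -> list[str]:
    """List every /URI target in the file, in order, without requesting any of them."""
    bodies = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            # Annotations often sit in Flate-compressed object streams.
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # stream uses another filter (image, font): skipped
    found: list[str] = []
    for body in bodies:
        for m in URI_RE.finditer(body):
            # Undo PDF string escapes such as \( and \) (enough for URLs).
            url = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            if url not in found:
                found.append(url)
    return found


def mismatches_brand(url: str, claimed: str) -> bool:
    """True when the link host is neither `claimed` nor one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return not (host == claimed or host.endswith("." + claimed))


def constructed_sample() -> bytes:
    """Constructed PDF fragment: one plain link annotation, one in a Flate stream."""
    plain = (b"%PDF-1.5\n1 0 obj\n<< /Type /Annot /Subtype /Link "
             b"/A << /S /URI /URI (https://login.example.invalid/view\\(1\\)) >> >>\n"
             b"endobj\n")
    packed = zlib.compress(b"<< /S /URI /URI (http://198.51.100.7/adobe/index.php) >>")
    return (plain + b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
            + packed + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for target in extract_link_targets(constructed_sample()):
        flag = "MISMATCH" if mismatches_brand(target, "adobe.com") else "ok"
        print(f"{flag:8} {target}")
```

Targets stored as hex strings or behind filters other than Flate are not decoded by this sketch, so an empty result does not prove the PDF has no links.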