There were text patterns in the email which suggest an attempt to solicit the user into responding directly to the email. A high inducement score was assigned based on these patterns.

The sender of this email has no prior association on the network.

The sender fran@hamburguesarica.es has included a reply-to address cleo.rispect@hotmail.com which is different to their own. This is a freemail address with no prior association on the network. This may be an attempt to redirect replies to a covert inbox.

The text in this email was assigned a very high inducement score in the Spam category. The recipient is likely being asked to buy a product or service which they do not want.

The sender appears to be impersonating an internal user, Salma Maplewood

The email has an attachment containing a highly suspicious link to a host zeducational.co.in. The host has a 100% rarity score based on references in internal traffic.

The email contains an attachment which the system considers to be unexpected and potentially harmful, AZ.pdf.

The sender appears to be impersonating a high value internal user, daisy weathered (head of accounts)

There were text patterns in the email which suggest an attempt to solicit the user into responding directly to the email. A high inducement score was assigned based on these patterns.

There is a suspicious mismatch between the display name of this sender VDC Legal and their address <VDC_LAWYER@nobiases.com>

The email contains an attachment which the system considers to be highly unexpected, DETAILS AND INVOICES.IMG. The file contains compressed content which could potentially initiate harmful processes when unpacked on the user's device.

The sender appears to be impersonating an internal service by referencing the company domain in the subject line. This tactic allows attacks to avoid any validation checks which apply to this domain.

The email has an attachment containing a highly suspicious link to a host www.ding0izmibby[.]xyz. The host has a 100% rarity score based on references in internal traffic.

The email contains an attachment which the system considers to be highly unexpected, .HTM.. It contains javascript code which is used by attackers to enable dynamic webpage features not available in email clients.

The email is claiming to be from a popular domain citi.com but was sent from an anomalous source which could not be validated. Its true origin the the IP address 185.225.74.60 located in US. Emails from citi.com are not usually sent from the IP space 211252.

The email contains an attachment which the system considers to be highly unexpected, Payment Advice-BCS_ECS9522023032900460039_16922_952.tar.gz. The file contains compressed content which could potentially initiate harmful processes when unpacked on the user's device.

The email contains an attachment which the system considers to be highly unexpected. 🔒Direct Deposit_JPMorgan.html. It contains javascript code which is used by attackers to enable dynamic webpage features not available in email clients.

The sender of this email has no prior association on the network.

The sender is impersonating the popular web service american express in their display name. This tactic allows attackers to adopt the identity of a chosen domain while avoiding any validation checks which apply to that domain.

The email contains an attachment which the system considers to be highly unexpected, tracking. The file type text/html is one that may open by default in a web browser and bypass email client protections.

The sender is impersonating a popular web service in their display name, ups. This tactic allows attackers to adopt the identity of a chosen domain while avoiding any validation checks which apply to that domain.

The email contains a highly suspicious link to a file storage host firebasestorage.googleapis[.]com. These can be used to host malicious content on websites that appear reputable. The link was hidden from the user and masked by text reading here.

There is a lazy attempt to personalize this email by adding part of the recipient's address Lily.Kendall into the subject line.

The email contains a highly suspicious link to a file storage host storage.googleapis[.]com. These can be used to host malicious content on websites that appear reputable. The link was hidden from the user and masked by text reading Schedule your delivery. An inducement score of 63% suggests the sender is trying to induce the user into clicking.

The sender is impersonating the popular web service sharepoint in their display name. This tactic allows attackers to adopt the identity of a chosen domain
while avoiding any validation checks which apply to that domain.
‍

The email contains a highly suspicious link to a file storage host bafybeiaylac7v34xccdujkx5l4ulnwfgq7nbwxux2ntsxz2hemzo75ox3y.ipfs.dweb[.]link.
These can be used to host malicious content on websites that appear reputable. The host has a 100% rarity score based on references in internal traffic.
‍

The link was hidden from the user and masked by text reading View Document. An inducement score of 70% suggests the sender is trying to induce the user into clicking.

The sender no-reply@dropbox.com has included a reply to address bks@balema-inc.com which is different to their own. The domain in this address
balema-inc.com has no prior association on the network. This may be an attempt to redirect replies to a covert inbox.

‍
The text in this email was assigned a very high inducement score. The text is similar to Phishing emails seen previously.

The sender appears to be impersonating an internal service by referencing the company domain in the subject line. This tactic allows attacks to avoid any validation checks which apply to this domain.
‍

The email contains a highly suspicious link to a host https://www.youtube.com/attribution_link?u=http://6dg924.xyz which the system believes will redirect the user to a different destination upon clicking. The link was hidden from the user and masked by text reading Keep My Same Password.
‍

The domain 2314647839845.com was registered only 1 days ago.

The sender is impersonating an internal service by referencing the domain holdingsinc.com in their display name. This tactic allows attacks to avoid any validation checks which apply to this domain.

‍
The email contains a highly suspicious link to a file storage host fislkdjklscnjkx7sldjfksdnmk45jljkdjflksdj35ljdks|873dcljxss.ipfs.cf-ipfs[.]com,. These can be used to host malicious content on websites that appear reputable. The host has a 100% rarity score based on references in internal traffic. The link was hidden from the user and masked by text reading UPGRADE NOW. An inducement score of 70% suggests the sender is trying to induce the user into clicking.

The email contains an attachment which the system considers to be unexpected and potentially harmful, 57A89E18C76C.pdf.

The sender appears to be impersonating a high value internal user, roxanna lee loney, (Finance Director).
‍

The email contains an attachment which the system considers to be highly unexpected, Excepturi.html. It contains javascript code which is used by attackers to enable dynamic webpage features not available in email clients.
‍

Text analysis of the email suggests there may be an attempt to solicit the user into responding via a telephone call.