To Any/All Email/Spam Experts

Posted on April 1, 2024 by Joe Alagna

I’m not a big user of Microsoft Teams, but I’ve been receiving emails “from them” telling me I’ve won an Apple iPhone and asking me to do a survey. If Microsoft sends these, I’m disappointed because they look very spammy. I do not click anything on them!

On the other hand, I’m pretty sure these are not from MS and that they are just spam or phishing attacks waiting for me to click something. I have read quite a lot about spam and phishing, and I know how to find and read header files. I usually look for email addresses that don’t make sense. This header file doesn’t show anything that looks like an illegitimate email address. It has me a little baffled, and I’d appreciate any insight from my friends who really understand email.

The link below goes to a text file containing the header file for this email. For those who are suspicious enough not to want even to click my link, I’ll paste the text below as well. Please tell me what I am missing. I can’t see how to tell that this header file exposes a phishing problem. I’d really like to know what I should be looking for. Thanks!

Here is a link to a text file containing the header info:

potential-spam-phishing-headerDownload

I have also pasted the same text. Any help is appreciated. Thank you!

Received: from NAM04-MW2-obe.outbound.protection.outlook.com (40.107.101.101)
by MW2NAM04FT006.mail.protection.outlook.com (10.13.31.17) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.7452.24 via Frontend Transport; Mon, 1 Apr 2024 13:16:43 +0000
Received: from MW2NAM04FT006.eop-NAM04.prod.protection.outlook.com
(2603:10b6:303:83:cafe::f3) by MW4PR04CA0107.outlook.office365.com
(2603:10b6:303:83::22) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.45 via Frontend
Transport; Mon, 1 Apr 2024 13:16:43 +0000
Received: from SJ0PR13CA0159.namprd13.prod.outlook.com (2603:10b6:a03:2c7::14)
by SN7PR20MB5938.namprd20.prod.outlook.com (2603:10b6:806:344::10) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.46; Mon, 1 Apr
2024 13:16:42 +0000
Received: from teams-ntfs-email-email-processor-74bd68f56b-gbj4b
(52.146.24.90) by CO1PEPF000044F0.mail.protection.outlook.com (10.167.241.70)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7452.22 via Frontend
Transport; Mon, 1 Apr 2024 13:16:41 +0000
Received: from CO1PEPF000044F0.namprd05.prod.outlook.com
(2603:10b6:a03:2c7:cafe::76) by SJ0PR13CA0159.outlook.office365.com
(2603:10b6:a03:2c7::14) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7452.25 via Frontend
Transport; Mon, 1 Apr 2024 13:16:41 +0000
Received: from SA3PR12MB8809.namprd12.prod.outlook.com (2603:10b6:806:31f::20)
by SJ2PR12MB8011.namprd12.prod.outlook.com with HTTPS; Mon, 1 Apr 2024
13:16:46 +0000
Received: from MW4PR04CA0107.namprd04.prod.outlook.com (2603:10b6:303:83::22)
by SA3PR12MB8809.namprd12.prod.outlook.com (2603:10b6:806:31f::20) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.46; Mon, 1 Apr
2024 13:16:43 +0000
From: “Microsoft Teams” [email protected]
To: [email protected]
Subject: Teams sent you a message
Date: Mon, 1 Apr 2024 06:16:41 -0700
Message-ID: 90f06c62-ab16-4955-b841-48c20eab23ee@CO1PEPF000044F0.namprd05.prod.outlook.com
MIME-Version: 1.0
Content-Type: multipart/related;
boundary=”—-=NextPart_000_0000_01DA840E.37F14BE0″ X-Mailer: Microsoft Outlook 16.0 Thread-Index: AQKMR1FsmUu7+CmH0ue7o/hdMsgbwg== Authentication-Results: spf=pass (sender IP is 40.107.101.101) smtp.mailfrom=email.teams.microsoft.com; dkim=pass (signature was verified) header.d=email.teams.microsoft.com;dmarc=pass action=none header.from=email.teams.microsoft.com;compauth=pass reason=100 X-IncomingTopHeaderMarker: OriginalChecksum:E531660B3EF07B5FEAFBC523D1769924BEDA4F058EA1A38AFCEE8EE4293BD7DB;UpperCasedChecksum:739CE12A1574DFD8FA1A5138D8A5B271A73043656C871096C06DB885EB69878B;SizeAsReceived:5905;Count:36 X-MS-Exchange-Authentication-Results: spf=none (sender IP is 52.146.24.90) smtp.mailfrom=email.teams.microsoft.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=email.teams.microsoft.com; X-EOPAttributedMessage: 1 X-MS-TrafficTypeDiagnostic: CO1PEPF000044F0:EE_FirstParty-Teams-V1|SN7PR20MB5938:EE_FirstParty-Teams-V1|MW2NAM04FT006:EE|SA3PR12MB8809:EE_|SJ2PR12MB8011:EE_
X-MS-Office365-Filtering-Correlation-Id: f1009dd5-f6be-459c-feea-08dc524df9c4
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: 8Muh8U+nCk0JopAG22MVwvKKoR/QmgcWC3r6jWdxIVuuGwni8xbTGfxpTZL9AEW/v478zu5y0FOfCBse/yviRJPIPPnZF4NKuIKpAkhWucJ6VMqz91qIxKOFQQ7Taa6q52ynjVZ9r0v2CAItW0DHAh72nHCpE7D51T/8pFMhswvVybjkf/bhY6xR9eqD6h6u+w6ZEt+07BTrWNtDOIzID/5ORX571MsSWyvg8AQCKSlVO3wOMQbiykn8xEipEp4zLhXHDg4PMM5b1UiboYSZQfZTEngKfzNuhabnq6MRYBTjTr2EFm+Iw72DSkLYff/2SCzImialKjCZFSIcptk8bjqHcF5DY9uDNZXiZdky4s34ZPABSIenRovooAf6JNKwjZ9y3bYau73S8tKQQ7jYsZ9Iki23r/XZd3C3myTjdAsTzGCRtshgllZUL39g8eRZ2nKv9lQ6B9M1vm5l8pyGz47/f6vh+Chf7Nllx02cvUZkE0m3JkceVVzghocsei9Uz+e+xStM+kQ6VXq57+00JVRMNWsMyl2ktUwD8jG5h8R+EMd0J+uAEDDzdol+sKpHrk411o9hjtmLjpUba7Y5KBiyPkAxZGH+ZRHPz67issu19XRIsvMBTJm30+zOTdqeTQWGTBd+whhp7VlX1oo9UrHCAjWjdoQj1WWXbOXJL99ivNavk4AvMt1yQGtyAUVxX0bxeOouqDowbiNgeutw3Q==
X-Forefront-Antispam-Report-Untrusted: CIP:52.146.24.90;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:teams-ntfs-email-email-processor-74bd68f56b-gbj4b;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(1800799015)(376005)(4143199003);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-Original-0: LlvooLWj9LwhDddcH1g6PUWloqLePev++FOBMRsRXIWH4mZBVdbdLm/uG5DtWVFl3fvdsaN7D9oXcu4LR9+vzw4x1ELt6LeP8JuxXOe8IzHDm5HKV+0wOerirO5KqrzQH1hQL73nfeWH/ZOlEqzm1KF86QhXEwF0lWQL8jnjkbpQZhXiUdSbw3RwCyQk6lhW1QswPdT+VX4WR0bGD17DfBu8nqQ7LE14FEpjLbS5++ZjgZeY/1D57uKyaVGJ/9Ovw4qs0V+xe3cTAB3DFt3dhH+bowtmp6Ttda5pfvntJ7Cb2J6q0HDS+O0dN9IfND2aeWWm1DLf/NWFMz8Eerxze+G0jyfiotvkXhmrjmrVkQgPP4BB0ON1ujMuMHv3oD6/UE+nTE3yO4mVNjRtN5y+Jg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR20MB5938
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA3PR12MB8809
X-IncomingHeaderCount: 36
X-MS-Exchange-Organization-ExpirationStartTime: 01 Apr 2024 13:16:43.6164
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: f1009dd5-f6be-459c-feea-08dc524df9c4
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Transport-CrossTenantHeadersStripped: MW2NAM04FT006.eop-NAM04.prod.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: MW2NAM04FT006.eop-NAM04.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthSource: MW2NAM04FT006.eop-NAM04.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-UserLastLogonTime: 4/1/2024 7:35:05 AM
X-MS-Office365-Filtering-Correlation-Id-Prvs: b968cc68-0fad-4ace-2fba-08dc524df899
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 40.107.101.101
X-SID-PRA: [email protected]
X-SID-Result: PASS
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:1;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Apr 2024 13:16:43.5070
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: f1009dd5-f6be-459c-feea-08dc524df9c4
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=e36bbca1-9fe2-47ad-87fe-6012ed72a406;Ip=[52.146.24.90];Helo=[teams-ntfs-email-email-processor-74bd68f56b-gbj4b]
X-MS-Exchange-CrossTenant-AuthSource: MW2NAM04FT006.eop-NAM04.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.1235671
X-MS-Exchange-Processed-By-BccFoldering: 15.20.7409.037
X-Message-Info: qZelhIiYnPkdpJxqIGk17kWX2YuH17Ueqi+sPEUol9xBT0uKOODyeAUDt1U6wxscakrHNnhN8ySxQTBo7iRUrig1QC/5EtKosHv4cbQ4rWdbhnfr1K6lAtrKMPjjSwb7aWUy/FN7Ycp2rNMrdDN5WIj60q96wjDURW6hgf5zW31ZKPbCnpPgcAwXeZxZVlFICS1w5jEXZSo=
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0z
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(5062000305)(920221119095)(90000117)(920221120095)(90010023)(91010020)(91040095)(9050020)(9100341)(944500132)(4810010)(4910033)(9575002)(10195002)(9320005)(120001);
X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?bUokDnms7P0vIMDq9DqiZVWMz19OXWORF+zdnhtwivKrqr9yt75szt44YOSy?=
=?us-ascii?Q?MOISaabfpCX2n8ui/TWkxaf8xFwVlZyQfC0V2HTLT5LV/tWvlIxxKhGGQzid?=
=?us-ascii?Q?BQjzqTottnb5xnJM29vEo3y00ROCYhnddiBWs2KAXiIr10QSo4OKHwxUTI8u?=
=?us-ascii?Q?moqmLuRV7YZSSjLeJMzNVWxzz3V5tuXY/6YrzZ39dk3CXRHjoAURVL0CjWp6?=
=?us-ascii?Q?kpdFnhn+zkH6YUI7mWueueOdrlMknMqaiphjpmncC5muGXfcFFBkB3j74KYC?=
=?us-ascii?Q?juuRUzhgEkIGbX2COgSjJk4Z/sDAosmvbWvdoNs2DyEys5i4Q9tDC4YVt/45?=
=?us-ascii?Q?weBt5M7x03Get8GeyxyOcfXG+ZEOoECVap5pYHyOO/IYT5wsrDbXB/UknYZq?=
=?us-ascii?Q?uUMmhkCMjN3LstFxuU/6q8Jj2h45pYeugIU6oLRwjaC6sWY2W6wNeKDw5CDJ?=
=?us-ascii?Q?tEfML3PfEhq9NzzEmm7dH1aZuwY4jpvuiIntU+Klbc1vpvXIndydYn5AeRBj?=
=?us-ascii?Q?cSkNxcFqrRwBRybJ7/jPcE5CpDOJRDlI+ntxKIAwZKBqJ/VZBbImr0vaurqi?=
=?us-ascii?Q?ioCfN1OoXoCmAkdsUeQf3z3bNykKi9gaBC0o1FSt078cTGBcNWwOfepsSBV1?=
=?us-ascii?Q?jP2QGHp03D1QNFgZSciy7EW582nR0erOcZwudi5pmcGkTbNeyZNEuKNBukD5?=
=?us-ascii?Q?DKvdwsWSxixbvTDsD9812kcSf5ZaN6er0cp8TcoqWPXPqJsdpkg
er5fthj6p?=
=?us-ascii?Q?gdrTG94g8ZtdAeHvHrgYODU9dux5uOkawU4I731P0nA+lei4TMYFHNFmsNjn?=
=?us-ascii?Q?EyY6+qOy/VNSLvagunoGYK0k9IIcTxjN93hyytlHYAQTCVhBDyM360WNvnm1?=
=?us-ascii?Q?O5cnyWzKBOhQEVt6mwTHapuhNJSTEiwCyPc2iQBjKh9JK4Bl5yw/YO7Iytzu?=
=?us-ascii?Q?FnjmdJfc49tLVR95fyq7wz00hcnOl1aiehQaWqbD8c67JCImXiifWtseCepB?=
=?us-ascii?Q?Y0a+voCuY3iJsHVR2BIVth4xcX34EPxn7G1o0Z37C/I5V1/76rP+c3pkSbKz?=
=?us-ascii?Q?rT5P7zgi3Np6+pj8WSLq0HvPCqAx3Qy0JxoS+hMroJg58IQWVreU56+IQ9I9?=
=?us-ascii?Q?u2bKavggp+WL47UcwkBnTY1VWIz8yiVFj95lZOGg2zVZtBvaTL4nZOZCqPPL?=
=?us-ascii?Q?F+M8bPGBpgnMFZ4h+DQXpDLgUsPEPzKQtGXKqivayfm44sY8uB6gCD1Y9TWq?=
=?us-ascii?Q?J93udOCaNktQyqiqqBtcRBSlMyojKEZsQJxEmVjBYQvITW2GUdLjuHJsGRTa?=
=?us-ascii?Q?hA4FIM7ImdGy0OVjpbnlXYGiYyzMwf8XkdjBiSf2+NXnIWWan3KB6MmjfYNl?=
=?us-ascii?Q?GTj9EXvhBUt+L2kq/ODY2o3wf791Cbh+KmIQkHeHkXB3WpSuYrGtETPqr5D5?=
=?us-ascii?Q?hTAqWVxgwWwCTIVyLsW5tv9vOh8OsFtdcT7AJe4uC5TG1B5KQmiII75OKGuR?=
=?us-ascii?Q?H3IApsKeu8N5FR8PKDbB+3FLNwEm0UF5feNFM
vIYPWnuo7HTxWv7JIPexKPn?=
=?us-ascii?Q?p1oNWt9IK1MjY4Cf8xuhT/c4QNgChX2SBqZzLzI4L8/rY14mKOSypV4bc6S7?=
=?us-ascii?Q?phTuKfGEC9drJsm7dCFEQqLSAwLBaa+LcXtpVzh9541FWqjYQKqB7RZYJMFR?=
=?us-ascii?Q?Y+IWvSXH58HjJAtjxzbA61xIodMpz/OeKtgUAwFofjIylDu86OIv56TFfIHs?=
=?us-ascii?Q?QFyURQ8LYTXQB+ygiawnTCfBZG6tbg5VAXZF33eMfK8vNKd44ZPXho0+1U4n?=
=?us-ascii?Q?nHYu25oBvCY/TiboXkwlGueG0wZXu1jvUtVsvvJ1dzx8qYL/uHmlh4fg?=
Content-Language: en-us
received-spf: Pass (protection.outlook.com: domain of email.teams.microsoft.com designates 40.107.101.101 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.101.101; helo=NAM04-MW2-obe.outbound.protection.outlook.com; pr=C
x-ms-exchange-organization-originalclientipaddress: 40.107.101.101
x-ms-exchange-organization-originalserveripaddress: 10.13.31.17
arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CZi+68LUnXoxLEynOPe4Z/jZb1gqcsVM3G1u2fEnQqDcvocDGrVuFYvVNSJ/toC0dcd8pHX+2JZt0ir4TbCMUB5OHsNzik1Rgf9vM0bWj2qS7YWd9oUJyxmMpxmLTev0IzeEddCPsy5Ntu845sjB5gKM1UGviFdNyLcjiRWav7qRJ9XSOnUbQoKbaJDh1TNgLFY+OP4sh9CrNFMQh+yqCKEy4RW43vZboPEqopcL7wCVbqISCfXp0uEv4WVvaJuzBLqPd+OSw+c7BSAvXmCW0/RWyQ4Af6gwYVqkC4pblYw9DCZYo9kc+1ovpeE0cMALeoVWS6tsZeFrsYMutVrDPQ==
arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cyqVY6usM/euVPp960TxY81RmsNJIAVpmw+gXxSrunQ=; b=h0GjlSXlC156Ovo164IvNvSzZdYTOlcvqsDFGYjqGXfx++oLS7uUBV/x8noYNREBHQF0WAbvJ6qoIsOjhCmIgsUjjLJcMJ56G2X6anElPuoCCGL41A/jlelImhEWAxQUx3fU/l5wqw23D5bOvyMXayOfqg3nzXH0BhizWrnHHOv0QOySML0t/oCN29KE2Esn245cfRLvN8s89g8mn7B5BTaRAO9S2hj6OJXl8FrHZX40qCVSL500t1pYC4DhAgzUcsUawgRbLgEba5kjUlcHFis7XbtAkj4Z3XP+P2Se3ObdXjvTQ55n1f2U+ZWwYxj27XnGRHRDgCOQi25v7pYtmA==
arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none action=none header.from=email.teams.microsoft.com; dkim=none (message not signed); arc=none
dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.teams.microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cyqVY6usM/euVPp960TxY81RmsNJIAVpmw+gXxSrunQ=; b=grrArs70D5fWlpqgsd6/vrcL8pfzs3rvFgM24pa2X9IgyHVGm7wn2/GuQvOK8IfXc9avkw5DVGbGJKmyNi8RjSEEjSUxmJZ4UTFD/9E3wac+H8qt5fdh21AiKxrJWxyvpi7metmLt+qKht0TzH1iT14xD0RRi8Hz3mH7MTzT/i0=

#

About Joe Alagna

Joe Alagna is the Director of Sales for it.com Domains LTD. He is also an independent insurance broker offering home and business insurance in southern California. He is an international expert in all aspects of the domain name business, including domain name investing, new gTLDs, registrars, and registries. Joe can be reached by phone at +1 (909) 606-9175 or via email using the contact form on this site.
This entry was posted in Uncategorized. Bookmark the permalink.