Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40128.outbound.protection.outlook.com [40.107.4.128]) by anna.lesderid.net (Postfix) with ESMTP id 0139BC6736 for ; Fri, 10 Feb 2017 10:49:27 +0100 (CET) Received: from DB6PR0602MB2918.eurprd06.prod.outlook.com (10.172.250.10) by DB6PR0602MB2919.eurprd06.prod.outlook.com (10.172.250.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Fri, 10 Feb 2017 09:49:24 +0000 Received: from DB6PR0602MB2918.eurprd06.prod.outlook.com ([10.172.250.10]) by DB6PR0602MB2918.eurprd06.prod.outlook.com ([10.172.250.10]) with mapi id 15.01.0888.029; Fri, 10 Feb 2017 09:49:24 +0000 From: ANTONIO PANCA To: Les De Ridder CC: DS_TSOL_phishing Subject: RE: We have detected that fuwafuwa.moe is hosting a fraudulent website Thread-Topic: We have detected that fuwafuwa.moe is hosting a fraudulent website Thread-Index: AdKBbXj5DH/5oMJPRDCOSwuktEss6QAzJUlwADh90gAAGYi3IA== Date: Fri, 10 Feb 2017 09:49:24 +0000 Message-ID: References: In-Reply-To: Accept-Language: es-ES, en-US Content-Language: es-ES X-MS-Has-Attach: yes X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=antonio.panca.ext@telefonica.com; x-originating-ip: [81.40.110.204] x-ms-office365-filtering-correlation-id: c1483ed0-68ff-4f7a-b9d0-08d4519a18a9 x-ms-office365-filtering-ht: Tenant x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(48565401081);SRVR:DB6PR0602MB2919; x-microsoft-exchange-diagnostics: 1;DB6PR0602MB2919;7:0og0p+Rx/KP8AX7qYO4BxQGRgeu7wjVwFwZpcCXVfvfjwjrGgJ/HysQ3awY2K3JdFGuSkVfdantJpGLAJI/oyCwqRQr4v/nDjvHK/PNiLreEzVJzNj/sx6d1PQxU0LSn4TdJT94B0D2GbGKI9l7HxVYZno2RsYn1CMO3FOkwfvbgQCS3Ggq7UIpxX6RmCV6L3pwqch84HNN006zzmDrcEGO6K4eyQPIQSzmy1G32eBht3mkBYzIhZxC3rp5aOMIjjNYihiuVk6jIzAtDi4rLNJlzx5jELSheMo0BQ+9UBjJVAJTyDsoj4KWN+gh7GemWqvG28vdN0QMU57/UcijI3+tOJKu49/OVAb5ly3WD7uC4f8aM4SC8rUhdNUJuTUkeMvxEI4ibMyNgFBKyAXT281vbKj5OmHtVJXpQuPunrEL3IciCvWdjZNFUoASXQ0j7FXI92xmW+1kRvLanbRI/pXzcGSc4e0R+oQFszsei7ITBtUAICmuXaSpPdxCuHR3Q0pYrKInWJrGz2bZyuxb+aw== x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(40392960112811)(21748063052155)(231250463719595); x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(102415395)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(6041248)(20161123560025)(20161123555025)(20161123564025)(20161123562025)(20161123558025)(6072148);SRVR:DB6PR0602MB2919;BCL:0;PCL:0;RULEID:;SRVR:DB6PR0602MB2919; x-forefront-prvs: 0214EB3F68 x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(7916002)(39410400002)(39450400003)(39840400002)(39860400002)(39850400002)(504964003)(24454002)(189002)(199003)(252514010)(2900100001)(8936002)(15650500001)(1680700002)(10710500007)(6116002)(790700001)(102836003)(3846002)(4326007)(2906002)(3660700001)(8676002)(81156014)(3280700002)(2420400007)(5890100001)(81166006)(7736002)(54356999)(7906003)(50986999)(86362001)(76176999)(99936001)(189998001)(74316002)(7110500001)(92566002)(122556002)(97736004)(101416001)(106356001)(33656002)(105586002)(66066001)(6506006)(6916009)(5660300001)(110136004)(2950100002)(107886003)(6306002)(9686003)(54896002)(606005)(77096006)(229853002)(53346004)(38730400002)(236005)(53386004)(68736007)(99286003)(55016002)(53936002)(6246003)(450100001)(6436002)(25786008)(7696004)(9010500006)(18823205002)(19627235001);DIR:OUT;SFP:1102;SCL:1;SRVR:DB6PR0602MB2919;H:DB6PR0602MB2918.eurprd06.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en; received-spf: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts) spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: multipart/mixed; boundary="_004_DB6PR0602MB29180EEB4ABF86806B0E1802C9440DB6PR0602MB2918_" MIME-Version: 1.0 X-OriginatorOrg: telefonica.com X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Feb 2017 09:49:24.6081 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 9744600e-3e04-492e-baa1-25ec245c6f10 X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0602MB2919 Hello, I will add the html code of the phishing site where you can see that the phisher used the reported URL`s for the phishing scam that was hosted on lainfile.pw. You can check your website lainfile.pw if you have any backup of the scam to make sure. Best regards --------------------------------------------------------------- CyberThreats - Anti-Fraud Service Telefónica España Phone: +34 900102230 (option 9) Emails: phishing@telefonica.com servicio.antifraude@telefonica.com