\!/ KyuuKazami \!/

Path : /home/kohli/mail/kohli.cards/info/new/
Upload :
Current File : /home/kohli/mail/kohli.cards/info/new/1583529044.M79557P22860.server.makingyoulive.com,S=7064,W=7195

Return-Path: <takedown-response+8620672@netcraft.com>
Delivered-To: info@kohli.cards
Received: from server.makingyoulive.com
	by server.makingyoulive.com with LMTP
	id IFVPBFS8Yl5MWQAASuaV8A
	(envelope-from <takedown-response+8620672@netcraft.com>)
	for <info@kohli.cards>; Sat, 07 Mar 2020 02:40:44 +0530
Return-path: <takedown-response+8620672@netcraft.com>
Envelope-to: info@kohli.cards
Delivery-date: Sat, 07 Mar 2020 02:40:44 +0530
Received: from mail2.netcraft.com ([52.31.138.216]:48139)
	by server.makingyoulive.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.93)
	(envelope-from <takedown-response+8620672@netcraft.com>)
	id 1jAKEz-0005yC-TF
	for info@kohli.cards; Sat, 07 Mar 2020 02:40:44 +0530
Received: from barbel.netcraft.com (unknown [10.8.0.252])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail2.netcraft.com (Postfix) with ESMTPS id 98A6B30EF5D
	for <info@kohli.cards>; Fri,  6 Mar 2020 21:10:39 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail2.netcraft.com 98A6B30EF5D
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
	s=default; t=1583529039;
	bh=/bXnfR6cowRAA5Xho1cUp27ZuTV0nQ5kQrqTjebgeEc=;
	h=Date:From:Subject:To:From;
	b=0NzC/NS7d5JJwPqIthEqNQ6ez6icV44TWLwV85mJfRwZtiEZb/Cg5ZURxeX/2Tx5H
	 3bDoA1Zh91n7ZE5JKWO3sF8gA1CDlK+jWa627LPweecU0ToCqpY3Trc9JSbWiBEonc
	 dlYS6cURrQ/VCHLWM/NkkjrybuDrsdrcEP4/1Znc=
Received: by barbel.netcraft.com (Postfix, from userid 507)
	id 96DA6319374; Fri,  6 Mar 2020 21:10:39 +0000 (GMT)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_1583529039391626"
MIME-Version: 1.0
Date: Fri, 6 Mar 2020 21:10:39 +0000
From: Netcraft Takedown Service <takedown-response+8620672@netcraft.com>
Subject: Re: Issue 8620672: phishing attack at hxxps://www.kohli[.]cards/pack/Adobe-Document.html?_encoding=UTF8&9f507ab904f8c334dcaae8b7df7a5bb6&ignoreAuthState=1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=1.0&openid.pape.max_auth_age=
To: info@kohli.cards
Message-Id: <ef175007646aa1529649fb9de0c80988@takedown.netcraft.com>
Auto-Submitted: auto-generated
X-Xarf: PLAIN
X-Arf: yes
X-Mailer: MIME::Lite 3.030 (F2.84; T1.38; A2.18; B3.13; Q3.13)
X-Spam-Status: No, score=1.8
X-Spam-Score: 18
X-Spam-Bar: +
X-Ham-Report: Spam detection software, running on the system "server.makingyoulive.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Hello, We have discovered a phishing attack located on your
    network: hxxps://www.kohli[.]cards/sets/Adobe-Document.html?_encoding=UTF8&2b778a65173a40ec024c2f7e18b9bd5b&ignoreAuthState=1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2
    [...] 
 Content analysis details:   (1.8 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author's domain
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
X-Spam-Flag: NO

This is a multi-part message in MIME format.

--_----------=_1583529039391626
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Hello,

We have discovered a phishing attack located on your network:

hxxps://www.kohli[.]cards/sets/Adobe-Document.html?_encoding=UTF8&2b778a65173a40ec024c2f7e18b9bd5b&ignoreAuthState=1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=1.0&openid.pape.max_auth_age= [52.26.37.44]
hxxps://www.kohli[.]cards/pack/Adobe-Document.html?_encoding=UTF8&9f507ab904f8c334dcaae8b7df7a5bb6&ignoreAuthState=1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=1.0&openid.pape.max_auth_age= [52.26.37.44]

We believe that this attack is being restricted so it is only visible from certain countries. Before deciding that the attack has been resolved please confirm it cannot be viewed from the following countries:
Germany
We previously contacted you about this issue on 2020-03-06 20:08:32 (UTC).
Since our last notification, the following additional URL(s) have been detected:

hxxps://www.kohli[.]cards/sets/Adobe-Document.html?_encoding=UTF8&2b778a65173a40ec024c2f7e18b9bd5b&ignoreAuthState=1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=1.0&openid.pape.max_auth_age=

You may not have been aware of this attack, however, you are still responsible for removing it.

This attack targets our customer, Microsoft, website URL https://www.microsoft.com/.

Please remove this fraudulent content, and any other associated fraudulent content, as soon as possible.

Additionally, please keep the fraudulent content safe so that our customer and law enforcement agencies can investigate this incident further once the site is offline.

More information about the detected issue is provided at  https://incident.netcraft.com/4cbe9373087c/

Kind regards,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 8620672

To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: takedown@netcraft.com.

This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_1583529039391626
Content-Disposition: attachment; filename="report.txt"
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=utf-8; name="report.txt"; name="report.txt"

---
Attachment: none
Category: fraud
Date: 2020-03-06T20:57:48+00:00
Domain: kohli.cards
Port: 443
Report-ID: takedown-response+8620672@netcraft.com
Report-Type: phishing
Reported-From: takedown@netcraft.com
Schema-URL: http://www.xarf.org/schema/fraud_0.1.4.json
Service: https
Source: https://www.kohli.cards/pack/Adobe-Document.html?_encoding=UTF8&9f507ab904f8c334dcaae8b7df7a5bb6&ignoreAuthState=1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=1.0&openid.pape.max_auth_age=
Source-Type: uri
User-Agent: Netcraft Takedown

--_----------=_1583529039391626--

@KyuuKazami