Shopify Email / SendGrid infrastructure used to send unsolicited bulk email to address sourced from dark web breach list. Second send from same merchant (Shopify ID s_6716358717, pastrymade.com) after prior unsubscribe request - failed unsubscribe mechanism, CASL s.11 violation. Deceptive subject line uses fake "RE:" prefix and base64-encoded emotional bait term to evade filters. Preheader stuffed with Unicode hair-space + combining grapheme joiner sequences for filter evasion. SPF/DKIM/DMARC all pass.
unsolicited commercial email via Shopify Email/SendGrid, no opt-in relationship, same shared-preheader-obfuscation template style as multiple other senders
unsolicited commercial email via Amazon SES, no prior opt-in relationship, properly configured authentication does not constitute consent
financial scam/affiliate fraud, fake testimonials, Google Cloud Storage redirect abuse, dark web list sourcing (username embedded in body)
sextortion-pattern lure via compromised mailbox auto-forward relay; forged reply-thread; SPF softfail/DKIM none/DMARC fail at origin
Azure-hosted calendar phishing; T-Mobile brand impersonation; getsafeescape.com redirect; same sending domain as prior State Farm phishing email; iCal METHOD:REQUEST injection
Note: Azure-hosted calendar phishing; State Farm brand impersonation; getsafeescape.com redirect; iCal METHOD:REQUEST injection; fourth occurrence from Azure infrastructure in this campaign cluster
Active sextortion/extortion campaign. Email received 2026-06-15 with spoofed From: (recipient's own Hotmail address), base64-encoded body, campaign token [IQ7M77], explicit extortion threat with 40-hour payment demand. Return-Path: [email protected]. SPF softfail, no DKIM, DMARC fail. Hosted on pbiaas.com (IONOS). Part of mass-mailed extortion variant.
Received: from BN9PR03MB6139.namprd03.prod.outlook.com (::1) by
 BL1PR03MB6039.namprd03.prod.outlook.com with HTTPS;
 Sun, 14 Jun 2026 14:03:59 +0000
Received: from MN2PR22CA0030.namprd22.prod.outlook.com (2603:10b6:208:238::35)
 by BN9PR03MB6139.namprd03.prod.outlook.com (2603:10b6:408:11c::6) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.13;
 Sun, 14 Jun 2026 14:03:56 +0000
Received: from BL6PEPF0001AB73.namprd02.prod.outlook.com
 (2603:10b6:208:238:cafe::72) by MN2PR22CA0030.outlook.office365.com
 (2603:10b6:208:238::35) with Microsoft SMTP Server (version=TLS1_3,
 cipher=TLS_AES_256_GCM_SHA384) id 15.21.113.17 via Frontend Transport;
 Sun, 14 Jun 2026 14:03:56 +0000
Authentication-Results: spf=pass (sender IP is 20.91.133.216)
 smtp.mailfrom=er77.stufftoread.com; dkim=pass (signature was verified)
 header.d=er77.stufftoread.com;dmarc=pass action=none
 header.from=er77.stufftoread.com;c
Bitcoin sextortion/phishing campaign. Fully authenticated domain avergonzamiento.turbeis.com on Azure infrastructure. Base64 encoded body with invisible HTML obfuscation.