Suspicious Email from kaspersky@dach.kaspersky-mail.de


LWright
Go to solution Solved by Igor Kurzin,


I received an email from *****@*****.tld (see screenshot below; complete email address is blacked out for privacy). Can you please confirm if this is an official address? If not, is this a security issue I need to be concerned about, and are there actions I need to take?

 

1734003550_Screenshot2022-08-03175756.png.78e511becf58e54fc9aa9dfe50d92361.png


I just got the same email only with my email address in it. Has Kaspersky been hacked? This seems strange. There's also this image:

It doesn't show as an active link but I haven't left clicked it. I copied and pasted it and it shows the web address below instead of the greyed out small image in my email.


  • The title was changed to Suspicious Email from kaspersky@dach.kaspersky-mail.de

That doesn't really answer the original question.  I received this on an email address ONLY USED FOR KASPERSKY so how has someone matched my name to my Kaspersky email address unless there has been a leak from Kaspersky?


Paul Shanley

I have had the same email ("Hi dear and lovely..") and have reported to Kaspersky who are investigating.

 

Like User_W the email was sent to an email address that I have only given to Kaspersky. The original email has either originated from Kaspersky or they have been hacked. Can Kaspersky answer this in their response?


Hello! Received the same email yesterday:

 

From: *****@*****.tld

To: ********.*****@alice.it

Sent: Wednesday, 3 August 2022 17:22

Subject: test

Hi dear and lovely ***** ****, your email is *****.****@alice.it

 


simon312002

I too received an email last night at 23.40hrs (UK). Exactly the same as the others above. My email program is set not to display images automatically but otherwise all exactly as above.

VERY concerning, and we need a further statement about this, once an investigation is complete please.


Got same problem, I ran scan to Repair Windows System Files and it found two corrupted files. Any new information from @Danila T.? And also question is how they knew my name and email address when I am not even signed on kaspersky application.


I received exactly the same email today with my full name! VERY SUSPICIOUS!

Edited by pabstar26

3 hours ago, Alexproa said:

I have the same problem

 

image.png.ca9b8a69edc5d413f78f6d6fbfe53d4a.png

 

 

The email I received was exactly like this ↑ with my email obviously. Checking the source code revealed the information listed in this post. ↓

 

 

15 hours ago, LWright said:

I received an email from *****@*****.tld (see screenshot below; complete email address is blacked out for privacy). Can you please confirm if this is an official address? If not, is this a security issue I need to be concerned about, and are there actions I need to take?

 

1734003550_Screenshot2022-08-03175756.png.78e511becf58e54fc9aa9dfe50d92361.png

 

Kaspersky Email Source Code.PNG


I just checked my personal email versus my work email and received the same email, except this time it listed my first and last name, but my last name was listed first and in a weird font and color compared to the rest of the email.

Gmail also flagged that the SPF IP Passed but failed the DMARC. I highlighted those in red text.

 

EDIT: For some reason the post changed my email from @gmail.com to the *****.tld stuff in the To fields.

 

Delivered-To: *****@*****.tld
Received: by 2002:a59:cc23:0:b0:2d9:c5aa:2a98 with SMTP id i3csp96104vqv;
        Wed, 3 Aug 2022 19:48:34 -0700 (PDT)
X-Google-Smtp-Source: AA6agR6kbHSaA9shmiZy/HJcajFhdTBp2hqb45Iisla6op6xMqdIFCdrxzHRExduoUOo5+h4EzzH
X-Received: by 2002:a05:6512:3d8e:b0:48a:eff4:6b03 with SMTP id k14-20020a0565123d8e00b0048aeff46b03mr7157100lfv.49.1659581314677;
        Wed, 03 Aug 2022 19:48:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1659581314; cv=none;
        d=google.com; s=arc-20160816;
        b=m3h27fjvz70Fkrwq8JKJh0pvmO/dJyFb4jncS+IKvotHUJ0ez4egQOQRQXkwHXjQlF
         xcPJKDnhwNs1GsbITfSnhQMY45kZ280BKy1zOorMn8C9c/tyhVKAxF/YogXfVqGzoZAr
         csz+julaLTa/jOGw56gxCElTl1qKA3VurtAxfCEONfze4gM4WY6JH6TbGV0XYcN/Vg28
         X+3hBjYSbLz7ABPYyxbKtr8sAiaHBAJ38qXEyXSaO5Zj0Zz4Djn4/8ORmO07JCaODxjq
         789a0bv8RLtpywtYV4NoG6YeQziHYSA2TilkgqOwIzklW5lpmn2pA05QA3lSN4nExT6X
         6pPQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:list-unsubscribe-post:list-unsubscribe
         :message-id:mime-version:reply-to:to:date:subject:from;
        bh=PohKwH//vjknwkGuboIyf66VPBJu4p9Qsm4FZTkkslk=;
        b=KgoGlpPIcpGrROdyyGLGuuprQDLxE3MT7c+bALLFW5s7Z6UE4oDyHirjWllkR17+dV
         BzvfkZMeB4jXxMCjgn73RVfz87Tev4/X4QsqbfHeg3b9uXcAnKo5QYVXN+6oWPwTe/W+
         BV6pw1AJQKEHd9sZPRAm9VRb8Wgg1tlvBzj6i+sTWkxA0gVociZWQHIRmiTPqHCxTPEM
         tj9JcaUfk+WjSZVkZyzgPpxlrJLVBdhwtbpJGCh8J6VSTpb9Ol/nMEf/owc+ncXwv0jz
         vh7tR0s0CbQ5n2vpddUaNaLyCVh8Z6LJEyCgBkpyB7DGxrkFbKO+r8i7p8FGXKG/CM5w
         3FtQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of *****@*****.tld designates 192.243.244.1 as permitted sender) smtp.mailfrom=*****@*****.tld;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=dach.kaspersky-mail.de
Return-Path: <*****@*****.tld>
Received: from stage.adobe-campaign.com (stage.adobe-campaign.com. [192.243.244.1])
        by mx.google.com with ESMTPS id q18-20020a2e9692000000b0025e6b1cc991si1734849lji.396.2022.08.03.19.48.34
        for <*****@*****.tld>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 03 Aug 2022 19:48:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of *****@*****.tld designates 192.243.244.1 as permitted sender) client-ip=192.243.244.1;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of *****@*****.tld designates 192.243.244.1 as permitted sender) smtp.mailfrom=*****@*****.tld;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=dach.kaspersky-mail.de
From: Kaspersky <*****@*****.tld>
Subject: test
Date: Thu, 04 Aug 2022 03:48:32 +0100
To: <*****@*****.tld>
Reply-To: Kaspersky <*****@*****.tld>
MIME-Version: 1.0
X-mailer: nlserver, Build 6.7.0
Message-ID: <*****@*****.tld>
List-Unsubscribe: <https://kaspersky-mkt-stage1-m.adobe-campaign.com/webApp/kasListUnsubscribe?id=%4047x15efSSJWUFcc3ttx01g%3D%3D&list=marketing&delivery=DM157228&lang=en>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/html; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" ""><HTML><HEA=
D>=20
</HEAD>=20
<BODY>
<P>Hi dear and lovely <FONT color=3D"#008080" face=3D"Courier New" size=3D"=
2">LASTNAME</FONT> FIRSTNAME, your email is =20
*****@*****.tld</P>
<P><IMG src=3D"C:\Users\mnatsakanov\Downloads\bmw 500x500.jpg" border=3D"0"=
></P>
<P></P>
<P><FONT color=3D"#008080" face=3D"Courier New" size=3D"2"></FONT></P><img =
height=3D'0' width=3D'0' alt=3D'' src=3D'http://kaspersky-mkt-stage1-t.adob=
e-campaign.com/r/?id=3Dh373794c9,3fec827d,1'/></BODY></HTML>

 

Edited by slynn
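A triage sketch for the headers in the post above, added here as an example and not part of the original post: it parses `Authentication-Results`, checks whether the SPF-authenticated domain aligns with the `From:` domain (an SPF pass on an unaligned envelope domain still fails DMARC), and lists the image sources in the decoded body. The envelope sender `bounce@mailer.example` is a constructed placeholder because the forum redacted the real one, and the two-label `org_domain` is a simplification of the Public Suffix List lookup.

```python
import email
import re

# Constructed sample modelled on the headers posted above. The forum redacted the
# envelope sender, so bounce@mailer.example is a placeholder (assumption).
RAW = r"""Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounce@mailer.example designates 192.243.244.1 as permitted sender) smtp.mailfrom=bounce@mailer.example;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=dach.kaspersky-mail.de
From: Kaspersky <kaspersky@dach.kaspersky-mail.de>
Subject: test
Content-Type: text/html; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

<P><IMG src=3D"C:\Users\mnatsakanov\Downloads\bmw 500x500.jpg" border=3D"0"=
></P><img height=3D'0' width=3D'0' alt=3D'' src=3D'http://kaspersky-mkt-stage1-t.adob=
e-campaign.com/r/?id=3Dh373794c9,3fec827d,1'/>
"""

def auth_results(msg):
    """Map each method (spf, dmarc, ...) to (result, {property: value})."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = re.sub(r"\([^)]*\)", " ", hdr)        # drop parenthesised comments
        for part in hdr.split(";")[1:]:             # field 0 is the authserv-id
            m = re.match(r"\s*(\w+)=(\w+)", part)
            if m:
                props = dict(re.findall(r"([\w.]+)=(\S+)", part[m.end():]))
                out[m.group(1).lower()] = (m.group(2).lower(), props)
    return out

def org_domain(value):
    """Crude organisational domain: last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(value.rsplit("@", 1)[-1].lower().strip(".").split(".")[-2:])

def embedded_sources(msg):
    """Decode the quoted-printable HTML; split src= values into remote URLs and other paths."""
    html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    srcs = re.findall(r"""src=["']([^"']+)["']""", html, re.I)
    remote = [s for s in srcs if re.match(r"https?://", s, re.I)]
    return remote, [s for s in srcs if s not in remote]

def triage(raw):
    msg = email.message_from_string(raw)
    res = auth_results(msg)
    (spf, spf_p), (dmarc, dmarc_p) = res["spf"], res["dmarc"]
    # DMARC needs an authenticated identifier that is *aligned* with the From: domain.
    aligned = org_domain(spf_p["smtp.mailfrom"]) == org_domain(dmarc_p["header.from"])
    remote, local = embedded_sources(msg)
    return {"spf": spf, "dmarc": dmarc, "spf_aligned": aligned, "remote": remote, "local": local}
```

Calling `triage(RAW)` reports the SPF pass as unaligned, one remote zero-size image on the campaign tracking host, and one `src` that is a local Windows path and so cannot load for any recipient.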

16 minutes ago, slynn said:

I just checked my personal email versus my work email and received the same email, except this time it listed my first and last name, but my last name was listed first and in a weird font and color compared to the rest of the email.

Gmail also flagged that the SPF IP Passed but failed the DMARC. I highlighted those in red text.

 

EDIT: For some reason the post changed my email from @gmail.com to the *****.tld stuff in the To fields.

 

 

I figured out the *****.tld issue. The forums page removes email addresses for privacy. We have to post with images in order to preserve the emails in the source code.


I've gotten this as well, last night from *****@*****.tld with the following filepath in it:  <C:\Users\mnatsakanov\Downloads\bmw 500x500.jpg>
