This phish was likely sent from a compromised customer account on Salesforce. The email definitely originated from Salesforce servers and definitely links to Salesforce servers. The envelope sender of this email was (defanged) bounce-e360-0gxvy0apr7mk639rrpc1a9zq-9be2d031-1712784599529[@]bounce.400.yfeipo.mx.salesforce[.]com. The sender hostname was 9be2d031.400.yfeipo.mx[.]salesforce[.]com and the sending server IP was 155[.]226[.]208[.]49.
If the recipient clicked the link, they would be brought to Salesforce servers and automatically redirected to another site: hxxps://lpace.bradentoncc[.]store/index0.php. This domain was registered on March 31, 2024, which was 25 days before this email was sent.
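A triage check for the pattern described above (a link that starts on the sending platform's own servers and lands on a recently registered domain), as an added example that is not part of the original report. The function names, the 30-day threshold, the first-hop placeholder URL and the WHOIS lookup table are assumptions; the send date is derived from the report's "25 days" figure.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

def refang(ioc):
    """Undo report-style defanging (hxxp, [.], [@])."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[@]", "@")

def registered_domain(host):
    """Naive last-two-labels domain (assumption: use the Public Suffix List in production)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess_link(chain, sender_host, whois_created, sent_on, max_age_days=30):
    """chain: ordered URLs from the link in the mail to the final landing page."""
    if not chain:
        raise ValueError("empty redirect chain")
    hops = [urlsplit(refang(u)).hostname or "" for u in chain]
    sender_dom = registered_domain(refang(sender_host))
    first_dom, final_dom = registered_domain(hops[0]), registered_domain(hops[-1])
    findings = []
    # Trusted-platform first hop that hands off to an unrelated domain.
    if first_dom == sender_dom and final_dom != sender_dom:
        findings.append("link starts on sender platform but lands off-platform")
    # Landing domain registered shortly before the message was sent.
    created = whois_created.get(final_dom)
    if created is not None:
        age = (sent_on - created).days
        if 0 <= age <= max_age_days:
            findings.append(f"landing domain registered {age} days before send")
    return {"landing_domain": final_dom, "findings": findings}

# Constructed sample input. Only the sender hostname, the final URL and the
# registration date come from the report; the first hop is a placeholder.
SENDER_HOST = "9be2d031.400.yfeipo.mx[.]salesforce[.]com"
CHAIN = [
    "hxxps://first-hop-placeholder.salesforce[.]com/redirect",
    "hxxps://lpace.bradentoncc[.]store/index0.php",
]
WHOIS_CREATED = {"bradentoncc.store": date(2024, 3, 31)}
SENT_ON = date(2024, 3, 31) + timedelta(days=25)  # "25 days before this email was sent"

if __name__ == "__main__":
    print(assess_link(CHAIN, SENDER_HOST, WHOIS_CREATED, SENT_ON))
```
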