Phishing Email Sent Using Salesforce

This phish was likely sent from a compromised customer account on Salesforce. The email definitely originated from Salesforce servers and definitely links to Salesforce servers. The envelope sender of this email was (defanged) bounce-e360-0gxvy0apr7mk639rrpc1a9zq-9be2d031-1712784599529[@]bounce.400.yfeipo.mx.salesforce[.]com. The sender hostname was 9be2d031.400.yfeipo.mx[.]salesforce[.]com and the sending server IP was 155[.]226[.]208[.]49.

If the recipient clicked the link, they would be brought to Salesforce servers and automatically redirected to another site: hxxps://lpace.bradentoncc[.]store/index0.php. This domain was registered on March 31, 2024, which was 25 days before this email was sent.
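The two signals described above (a link that starts on the sending platform but lands elsewhere, and a landing domain that was only days old at send time) can be checked mechanically during triage. The sketch below is an added example, not part of the original write-up; the function names, the 30-day threshold, the two-label base-domain shortcut and the first-hop placeholder URL are assumptions, and registration dates are expected to come from a WHOIS/RDAP lookup done elsewhere.

```python
import re
from datetime import date, timedelta
from urllib.parse import urlsplit

def refang(indicator: str) -> str:
    """Undo the defanging used on this page: [.], [@] and hxxp(s)."""
    s = indicator.strip().replace("[.]", ".").replace("[@]", "@")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

def base_domain(host: str) -> str:
    # Assumption: last two labels. Real tooling should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(sender_host, chain, registered_on, sent_on, max_age_days=30):
    """Return findings for a link whose first hop is on the sender's platform.

    registered_on maps base domain -> registration date. No network access
    happens here; the caller supplies the redirect chain and the dates.
    """
    findings = []
    hosts = [urlsplit(refang(u)).hostname for u in chain]
    platform = base_domain(refang(sender_host))
    first, last = base_domain(hosts[0]), base_domain(hosts[-1])
    if first == platform and last != platform:
        findings.append(f"link starts on {platform} but lands on {last}")
    created = registered_on.get(last)
    if created is not None:
        age = (sent_on - created).days
        if 0 <= age <= max_age_days:
            findings.append(f"{last} was {age} days old when the mail was sent")
    return findings

# Values from the page, except the first hop: the page does not give the
# Salesforce link itself, so that URL is a constructed placeholder.
SENDER_HOST = "9be2d031.400.yfeipo.mx[.]salesforce[.]com"
CHAIN = ["hxxps://placeholder.salesforce[.]com/constructed-link",
         "hxxps://lpace.bradentoncc[.]store/index0.php"]
REGISTERED = {"bradentoncc.store": date(2024, 3, 31)}
SENT = REGISTERED["bradentoncc.store"] + timedelta(days=25)  # "25 days" per the page

if __name__ == "__main__":
    for finding in triage(SENDER_HOST, CHAIN, REGISTERED, SENT):
        print(finding)
```

Because the first hop is on the platform's own domain, sender reputation and link-host allow-lists both pass; the landing-domain age is the signal that still fires.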
