Mailing List Archive

adobe phishing?
One of my users got mail that really looks like a phish. They are
unaware of having an adobe account. It is DKIM signed, but looks a bit
spammy in terms of the content (low-quality HTML markup, missing
text/plain content).

Is anyone else seeing this?

Opinions on if it's real, if adobe is compromised, or ?



Return-Path: <camp@mail.adobe.com>
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on mail.example.com
X-Spam-Level:
X-Spam-Status: No, score=-7.3 required=1.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,HTML_IMAGE_RATIO_08,
    HTML_MESSAGE,MAILING_LIST_MULTI,RCVD_IN_HOSTKARMA_W,
    RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_SAFE,SPF_HELO_NONE,
    SPF_PASS,TXREP shortcircuit=no autolearn=disabled version=4.0.0
X-Original-To: user@example.com
Delivered-To: user@mail.example.com
Received: from r42.mail.adobe.com (r42.mail.adobe.com [192.243.226.42])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.example.com (Postfix) with ESMTPS id E7096410756
    for <user@example.com>; Wed, 22 Feb 2023 11:05:08 -0500 (EST)
Authentication-Results: mail.example.com;
    dkim=pass (1024-bit key) header.d=mail.adobe.com header.i=@mail.adobe.com header.b=EtgaivIv
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.adobe.com;
    s=neolane; t=1677081908;
    bh=IfJX78+kf+++BGIgmI6NTSU3ZUI1dzDwNJ5pRlW6Y+w=;
    h=From:Subject:Date:To:MIME-Version:Message-ID:List-Unsubscribe:
    Content-Type;
    b=EtgaivIvUiNOiiVI5kpGQONOWfcAOQvbfpJrGiR0xQQvORkDfj5uVp6LH3JftKL1+
    E/DIsY896w9NajMG7AOHNBrDnN6+BpBx+J0OOWy62EcdYBntSnDiifQmat0CH0p7Xg
    Ozw4G3a2zZc/nJ+QRBK75/Zgg2Nyg9rF+y23gufI=
Received: from [10.139.37.161] ([10.139.37.161:12939] helo=r42.mail.adobe.com)
    by momentum19.or1.cpt.adobe.net (envelope-from <camp@mail.adobe.com>)
    (ecelerity 4.2.38.62370 r(:)) with ESMTP
    id 97/FA-14171-43D36F36; Wed, 22 Feb 2023 08:05:08 -0800
From: "Adobe" <mail@mail.adobe.com>
Subject: =?utf-8?B?SW1wb3J0YW50IGluZm9ybWF0aW9uIGFib3V0IHlvdXIgQWRvYg==?=
    =?utf-8?B?ZSBhY2NvdW50?=
Date: Wed, 22 Feb 2023 08:05:07 -0800
To: <user@example.com>
Reply-To: "Adobe" <mail@mail.adobe.com>
MIME-Version: 1.0
X-mailer: nlserver, Build 6.7.0
Message-ID: <NM6C822A64203C08FE1adobein_mid_prod6@mail.adobe.com>
List-Unsubscribe: List-Unsubscribe: <mailto: camp@mail.adobe.com?subject=unsubscribe%3CNM6C822A64203C08FE1adobein_mid_prod6@mail.adobe.com%3E>
X-CSA-Complaints: whitelist-complaints@eco.de
List-Id: <-1193003540.neolane.client.com>
Precedence: bulk
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: multipart/alternative;
    charset="windows-1252";
    boundary="----=_NextPart_166_5CA8CB4B.5CA8CB4B"


[SNIP]

Dear Adobe customer,<br/><br/>
We've noticed you have not logged in to your Adobe account in more =
than a year. In keeping with our policies, we are contacting you to let you=
know your Adobe ID will expire 90 days from now. If you take no action wit=
hin the next 90 days, your <a href=3D"https://t-info.mail.adobe.com/r/=3Fid=
=[RANDOM_BASE64_SUFF]" target=3D"_blank" style=3D"color:#505050; text-dec=
oration:underline;">Adobe ID</a> will no longer be valid, you will no longe=
r have access to content you may have stored on our servers and this accoun=
t will be&nbsp;closed.<br/><br/>
Your Adobe ID is: <strong style=3D"word-break:break-all;">&lt;USER@E=
XAMPLE.COM&gt;</strong>
<br/><br/>
If you would like to maintain your Adobe ID listed above, you can l=
og in now to keep it&nbsp;active.<strong></strong></strong>

Re: adobe phishing?
Greg Troxel wrote:
> One of my users got mail that really looks like a phish. They are
> unaware of having an adobe account. It is DKIM signed, but looks a bit
> spammy in terms of the content (low-quality HTML markup, missing
> text/plain content).

... How much otherwise legitimate mail have you inspected recently?

Grotty HTML and missing text/plain is here to stay. :(

> Is anyone else seeing this?
>
> Opinions on if it's real, if adobe is compromised, or ?

Looks legit to me, notwithstanding whatever your user recalls. It's an
Adobe IP (doublechecked WHOIS, but the fcRDNS is pretty solid evidence),
it passed DKIM, and there's no funny business with the From:/envelope.
They've pointlessly encoded the Subject: but that seems to be a Thing
because Reasons, and IME not any particular indication of anything.

The decoded Subject: might provide more of a hint to whatever
Adobe-borged software the user actually had an account for.

-kgd

Re: adobe phishing?
Kris Deugau wrote:

> The decoded Subject: might provide more of a hint to whatever
> Adobe-borged software the user actually had an account for.

Subject decodes to: "Important information about your Adobe account"

Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/

Re: adobe phishing?
Kris Deugau <kdeugau@vianet.ca> writes:

> Greg Troxel wrote:
>> One of my users got mail that really looks like a phish. They are
>> unaware of having an adobe account. It is DKIM signed, but looks a bit
>> spammy in terms of the content (low-quality HTML markup, missing
>> text/plain content).
>
> ... How much otherwise legitimate mail have you inspected recently?
>
> Grotty HTML and missing text/plain is here to stay. :(

I realize that, but it's still icky.

It just seemed like 'obvious phish' from context so I thought I'd ask.

Sounds like it's as legit as Adobe is :-)
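
The checks discussed in this thread (reverse DNS of the sending host, the DKIM signing domain, From:/envelope agreement, and decoding the Subject:) can be run over the quoted headers with Python's standard library. This is an added example, not code from any poster; the names `triage`, `domain_of` and `within` are made up here, and "aligned" means equal to or a subdomain of the From: domain, which is stricter than DMARC relaxed alignment.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the headers quoted in the thread,
# with continuation lines re-indented as RFC 5322 folding requires.
RAW = """\
Return-Path: <camp@mail.adobe.com>
Received: from r42.mail.adobe.com (r42.mail.adobe.com [192.243.226.42])
 by mail.example.com (Postfix) with ESMTPS id E7096410756
 for <user@example.com>; Wed, 22 Feb 2023 11:05:08 -0500 (EST)
Authentication-Results: mail.example.com;
 dkim=pass (1024-bit key) header.d=mail.adobe.com header.i=@mail.adobe.com
From: "Adobe" <mail@mail.adobe.com>
Subject: =?utf-8?B?SW1wb3J0YW50IGluZm9ybWF0aW9uIGFib3V0IHlvdXIgQWRvYg==?=
 =?utf-8?B?ZSBhY2NvdW50?=

"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From:/Return-Path: value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def within(name, parent):
    """True if name equals parent or is a subdomain of it."""
    return bool(parent) and (name == parent or name.endswith("." + parent))

def triage(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    # First Authentication-Results header; the sample carries only the
    # one written by the receiving server.
    auth = " ".join((msg["Authentication-Results"] or "").split())
    dkim = re.search(r"\bdkim=pass\b[^;]*?\bheader\.d=([\w.-]+)", auth)
    # Topmost Received: is the one the receiving server wrote. Postfix puts
    # the verified reverse-DNS name in parentheses, or "unknown" if none.
    rcvd = " ".join((msg.get_all("Received") or [""])[0].split())
    peer = re.match(r"from \S+ \((\S+) \[[^\]]+\]\)", rcvd)
    return {
        "subject": str(make_header(decode_header(msg["Subject"] or ""))),
        "envelope_aligned": within(domain_of(msg["Return-Path"]), from_dom),
        "dkim_aligned": bool(dkim) and within(dkim.group(1).lower(), from_dom),
        "rdns_aligned": bool(peer) and within(peer.group(1).lower(), from_dom),
    }

if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```

Only the Authentication-Results and topmost Received: lines added by the receiving server are worth checking this way; headers below them are supplied by the sender.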