Phishing Email

uriarteuno
New Member
Posts: 2
Joined: Fri Jul 10, 2020 7:03 am

Phishing Email

Postby uriarteuno » Fri Jul 10, 2020 7:10 am

I provide cybersecurity services to a client and noticed today that our client received phishing emails coming from a church address. The email was pretending to be an Outlook alert indicating that the user's password had expired. It contained a link to a malicious site. We got the email yesterday, July 9, at 1:00 AM EDT with the subject line "Microsoft account security code". Contact me if you want to know the sender's email address.

Thank you,

A Uriarte

scgallafent
Church Employee
Posts: 2666
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

Re: Phishing Email

Postby scgallafent » Fri Jul 10, 2020 8:07 am

It's likely that the message was forged.

uriarteuno
New Member
Posts: 2
Joined: Fri Jul 10, 2020 7:03 am

Re: Phishing Email

Postby uriarteuno » Mon Jul 13, 2020 8:21 am

While email forgery is always a possibility, our email header analysis indicates that the email truly came from the Church's email system. The email not only passed SPF but also DKIM and DMARC, which are a lot harder to manipulate. For these reasons I am inclined to think that one of the church's email accounts was compromised and used to send these phishing emails. Here is an excerpt of the headers:

Authentication-Results-Original:

spf=pass (sender IP is 40.107.236.66) smtp.mailfrom=ChurchofJesusChrist.org; opic.gov; dkim=pass (signature was verified) header.d=ChurchofJesusChrist.org;opic.gov; dmarc=pass action=none header.from=churchofjesuschrist.org;compauth=pass reason=100

Received-SPF:

Pass (protection.outlook.com: domain of ChurchofJesusChrist.org designates 40.107.236.66 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.236.66; helo=NAM11-BN8-obe.outbound.protection.outlook.com;

Is this the best way for me to reach out to the church's cybersecurity team? I will be happy to share particulars regarding the account that sent the email but I don't want to do it in a public forum.

Thank you,

A Uriarte
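The header check described in the post above, as an added example that is not part of the original thread: it parses an Authentication-Results value, tests SPF and DKIM domain alignment against the From domain, and returns a triage label. The function names, verdict labels, and the forged sample are assumptions made for illustration, and the alignment test is a simplification (real relaxed alignment uses the Public Suffix List).

```python
import re

# Header value as quoted in the post above (stray "opic.gov" fragments included).
PAGE_HEADER = (
    "spf=pass (sender IP is 40.107.236.66) smtp.mailfrom=ChurchofJesusChrist.org; opic.gov; "
    "dkim=pass (signature was verified) header.d=ChurchofJesusChrist.org;opic.gov; "
    "dmarc=pass action=none header.from=churchofjesuschrist.org;compauth=pass reason=100"
)
# Constructed sample of a forged message, for contrast (not from the thread).
FORGED_HEADER = (
    "spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=example.org; "
    "dkim=none (message not signed) header.d=none; "
    "dmarc=fail action=quarantine header.from=example.org"
)

METHOD = re.compile(r"^\s*(spf|dkim|dmarc|compauth)=(\w+)", re.I)
PROP = re.compile(r"\b([a-z]+\.[a-z]+)=([^\s;]+)", re.I)  # e.g. header.d=...

def parse_auth_results(value):
    """Return {method: {"result": ..., "<ptype.property>": ...}} per method clause."""
    out = {}
    for segment in value.split(";"):
        m = METHOD.match(segment)
        if not m:
            continue  # not a method clause (stray fragment), ignore it
        body = re.sub(r"\([^)]*\)", "", segment)  # drop parenthesised comments
        entry = {"result": m.group(2).lower()}
        for key, val in PROP.findall(body):
            entry[key.lower()] = val.lower()
        out[m.group(1).lower()] = entry
    return out

def aligned(domain, from_domain):
    """Simplified relaxed alignment: same domain or a parent/child of it."""
    if not domain or not from_domain:
        return False
    return (domain == from_domain or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))

def triage(value):
    """Hypothetical triage labels for an analyst's first pass."""
    r = parse_auth_results(value)
    spf, dkim, dmarc = r.get("spf", {}), r.get("dkim", {}), r.get("dmarc", {})
    from_dom = dmarc.get("header.from", "")
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_dom)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_dom)
    if dmarc.get("result") == "pass" and spf_ok and dkim_ok:
        return "sent-via-domain-infrastructure"   # look for a compromised account
    if dmarc.get("result") == "pass":
        return "authenticated-single-mechanism"
    return "unauthenticated-possible-forgery"
```

These results are only as trustworthy as the hop that wrote them: an `Authentication-Results-Original` header records an earlier system's verdict, so confirm it was stamped inside your own mail boundary before relying on it.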

Mikerowaved
Community Moderators
Posts: 4117
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Phishing Email

Postby Mikerowaved » Mon Jul 13, 2020 10:31 am

You can contact the Church’s Intellectual Property Office directly at:

Phone: 1-801-240-3959 or 1-800-453-3860, ext. 2-3959
Fax: 1-801-240-1187
Email: cor-intellectualproperty@ChurchofJesusChrist.org

I'm sure they can hook you up with the right people.
So we can better help you, please edit your Profile to include your general location.

scgallafent
Church Employee
Posts: 2666
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

Re: Phishing Email

Postby scgallafent » Mon Jul 13, 2020 1:49 pm

I sent you a private message.

NixonJL
New Member
Posts: 1
Joined: Mon Dec 28, 2020 11:05 am

Re: Phishing Email

Postby NixonJL » Mon Dec 28, 2020 11:11 am

Did you ever get a response from the church tech team? I just came across this thread and may have some input. Although the data may be too old at this point, if you still have the message headers I may be able to provide some value.

larry19810
New Member
Posts: 29
Joined: Sun May 15, 2011 5:34 pm
Location: Pacifica CA

Re: Phishing Email

Postby larry19810 » Mon Jan 04, 2021 8:53 am

Today, I got a similar official-looking email with enough to make me suspicious. Title: "Church Account: Password Expiration Reminder". I don't know enough about validation to know for sure. Would it be helpful for someone in Church Security to look at this message? Otherwise, I will just delete it.

russellhltn
Community Administrator
Posts: 30044
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Phishing Email

Postby russellhltn » Mon Jan 04, 2021 10:46 am

larry19810 wrote: Today, I got a similar official-looking email with enough to make me suspicious. Title: "Church Account: Password Expiration Reminder". I don't know enough about validation to know for sure.

Please note that some positions require the Church Account password to be changed periodically. This includes church employees and seminary teachers. In some cases, this may persist after release. Failure to update the password will result in a lockout.

You can check by going to account.churchofjesuschrist.org and see if you have a "workforce" tab. If you have Workforce, you have to change the password periodically. You can change your password on that page.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

larry19810
New Member
Posts: 29
Joined: Sun May 15, 2011 5:34 pm
Location: Pacifica CA

Re: Phishing Email

Postby larry19810 » Mon Jan 04, 2021 12:16 pm

Instead of responding to the email, I logged onto my Church account but did not get a password update notification. That was part of my suspicion. I thought if it was real, I would get a similar warning when I logged in directly. I am not a church or Seminary employee. Just a member with a calling.

russellhltn
Community Administrator
Posts: 30044
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Phishing Email

Postby russellhltn » Mon Jan 04, 2021 12:20 pm

larry19810 wrote: Instead of responding to the email, I logged onto my Church account but did not get a password update notification.

Good idea. However, I'm not sure if the system will warn you when you log in. I've not been in a position that required that, so I don't have any first-hand experience.
