Phishing Email

uriarteuno
New Member
Posts: 2
Joined: Fri Jul 10, 2020 8:03 am

Phishing Email

Post by uriarteuno »

I provide cybersecurity services to a client and noticed today that our client received phishing emails coming from a church address. The email was pretending to be an Outlook alert indicating that the user's password had expired. It contained a link to a malicious site. We got the email yesterday, July 9, at 1:00 AM EDT with the subject line "Microsoft account security code". Contact me if you want to know the sender's email address.

Thank you,

A Uriarte
scgallafent
Church Employee
Posts: 3025
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

Re: Phishing Email

Post by scgallafent »

It's likely that the message was forged.
uriarteuno
New Member
Posts: 2
Joined: Fri Jul 10, 2020 8:03 am

Re: Phishing Email

Post by uriarteuno »

While email forgery is always a possibility, our email header analysis indicates that the email truly came from the Church's email system. The email not only passed SPF but also DKIM and DMARC, which are a lot harder to manipulate. For these reasons I am inclined to think that one of the church's email accounts was compromised and used to send these phishing emails. Here is an excerpt of the headers:

Authentication-Results-Original:

spf=pass (sender IP is 40.107.236.66) smtp.mailfrom=ChurchofJesusChrist.org; opic.gov; dkim=pass (signature was verified) header.d=ChurchofJesusChrist.org;opic.gov; dmarc=pass action=none header.from=churchofjesuschrist.org;compauth=pass reason=100

Received-SPF:

Pass (protection.outlook.com: domain of ChurchofJesusChrist.org designates 40.107.236.66 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.236.66; helo=NAM11-BN8-obe.outbound.protection.outlook.com;

Is this the best way for me to reach out to the church's cybersecurity team? I will be happy to share particulars regarding the account that sent the email but I don't want to do it in a public forum.

Thank you,

A Uriarte
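
The header analysis described in the post above, as an added example that is not part of the original thread: it parses the quoted Authentication-Results value and separates "authenticated by the sending domain" from "forged From: address". The function names, the simplified alignment check (no Public Suffix List lookup) and the constructed SPOOFED_HEADER sample are assumptions for illustration.

```python
import re

# Header value copied from the excerpt quoted in the post above.
PAGE_HEADER = (
    "spf=pass (sender IP is 40.107.236.66) smtp.mailfrom=ChurchofJesusChrist.org; "
    "opic.gov; dkim=pass (signature was verified) header.d=ChurchofJesusChrist.org;"
    "opic.gov; dmarc=pass action=none header.from=churchofjesuschrist.org;"
    "compauth=pass reason=100"
)
# Constructed counter-example: a forged From: that fails all three checks.
SPOOFED_HEADER = (
    "spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=mailer.example; "
    "dkim=none (message not signed) header.d=none; "
    "dmarc=fail action=none header.from=churchofjesuschrist.org"
)

CLAUSE = re.compile(r"^(spf|dkim|dmarc|compauth)=(\w+)", re.I)
PROP = re.compile(r"([\w.]+)=([^\s;()]+)")

def parse_auth_results(value):
    """Return {method: {"result": ..., <property>: ...}} for each verdict clause."""
    out = {}
    for clause in (c.strip() for c in value.split(";")):
        m = CLAUSE.match(clause)
        if not m:
            continue  # e.g. the bare receiving-domain token "opic.gov"
        no_comments = re.sub(r"\([^)]*\)", "", clause[m.end():])
        props = {k.lower(): v.lower() for k, v in PROP.findall(no_comments)}
        out[m.group(1).lower()] = {"result": m.group(2).lower(), **props}
    return out

def aligned(domain, from_domain):
    # Simplified relaxed alignment: same domain or a subdomain of it.
    return domain == from_domain or domain.endswith("." + from_domain)

def triage(value):
    r = parse_auth_results(value)
    frm = r.get("dmarc", {}).get("header.from", "")
    spf_ok = r.get("spf", {}).get("result") == "pass" and aligned(r["spf"].get("smtp.mailfrom", ""), frm)
    dkim_ok = r.get("dkim", {}).get("result") == "pass" and aligned(r["dkim"].get("header.d", ""), frm)
    if r.get("dmarc", {}).get("result") == "pass" and (spf_ok or dkim_ok):
        return "authenticated-sender"   # sent through the domain's own mail system
    return "possible-spoof"             # From: domain not backed by SPF/DKIM
```

These verdicts are only meaningful when the header was stamped by a receiver you trust; a copy of the header supplied inside the message by the sender proves nothing. An "authenticated-sender" result says the mail left the domain's authorized infrastructure, not that the content is benign.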
Mikerowaved
Community Moderators
Posts: 4835
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Phishing Email

Post by Mikerowaved »

You can contact the Church’s Intellectual Property Office directly at:

Phone: 1-801-240-3959 or 1-800-453-3860, ext. 2-3959
Fax: 1-801-240-1187
Email: cor-intellectualproperty@ChurchofJesusChrist.org

I'm sure they can hook you up with the right people.
So we can better help you, please edit your Profile to include your general location.
scgallafent
Church Employee
Posts: 3025
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

Re: Phishing Email

Post by scgallafent »

I sent you a private message.
NixonJL
New Member
Posts: 1
Joined: Mon Dec 28, 2020 11:05 am

Re: Phishing Email

Post by NixonJL »

Did you ever get a response from the church tech team? I just came across this thread and may have some input. Although the data may be too old at this point, if you still have the message headers I may be able to provide some value.
larry19810
New Member
Posts: 36
Joined: Sun May 15, 2011 6:34 pm
Location: Pacifica CA

Re: Phishing Email

Post by larry19810 »

Today, I got a similar official-looking email with enough to make me suspicious. Title: "Church Account: Password Expiration Reminder". I don't know enough about validation to know for sure. Would it be helpful for someone in Church Security to look at this message? Otherwise, I will just delete it.
russellhltn
Community Administrator
Posts: 35969
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Phishing Email

Post by russellhltn »

larry19810 wrote: Today, I got a similar official-looking email with enough to make me suspicious. Title: "Church Account: Password Expiration Reminder". I don't know enough about validation to know for sure.
Please note that some positions require the Church Account password to be changed periodically. This includes church employees and seminary teachers. In some cases, this may persist after release. Failure to update the password will result in a lockout.

You can check by going to account.churchofjesuschrist.org and see if you have a "workforce" tab. If you have Workforce, you have to change the password periodically. You can change your password on that page.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
larry19810
New Member
Posts: 36
Joined: Sun May 15, 2011 6:34 pm
Location: Pacifica CA

Re: Phishing Email

Post by larry19810 »

Instead of responding to the email, I logged onto my Church account but did not get a password update notification. That was part of my suspicion. I thought if it was real, I would get a similar warning when I logged in directly. I am not a church or Seminary employee. Just a member with a calling.
russellhltn
Community Administrator
Posts: 35969
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Phishing Email

Post by russellhltn »

larry19810 wrote: Instead of responding to the email, I logged onto my Church account but did not get a password update notification.
Good idea. However, I'm not sure if the system will warn you when you log in. I've not been in a position that required that, so I don't have any first-hand experience.