Phishing emails have started using legitimate ‘From:’ and ‘Reply To:’ addresses in an attempt to bypass SPAM filtering and enhance the illusion of legitimacy. Meanwhile, the body of the email contains one or more payload links to a SPAM/malware/phishing webpage.
In this case, a Best Buy phishing email made it to my inbox using “info@bestbuy.com” as the From address, “noreply@bestbuy.com” as the Reply To address and emailmongo[dot]com/… as the “OPEN NOW” link.
I’ve already forwarded this to abuse@bestbuy.com. I also read a previous response on this type of issue “Email supposedly from my bank-train?” which suggests training the spam email as spam and a legitimate one as good. In this case, it sounds like SpamSieve will put info@bestbuy.com and noreply@bestbuy.com on the block list but also learn that not all email with those addresses is spam.
Follow-up questions: Is SpamSieve aware of links in the body of emails and do those get added to its filtering rules? For example, will the domain emailmongo[dot]com get flagged as spam? Also, will the root domain get blocked or only the full URL containing the long string of random alphanumeric characters get blocked?
Last question: Would it be better to just create an Outlook rule that marks any email containing emailmongo[dot]com in the body as spam?
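
The mismatch described in the post above (a trusted-looking From/Reply-To domain with a body link pointing somewhere else) can be checked mechanically. This is an added example, not part of the original post and not a description of how SpamSieve or Outlook work; the sample message, its reserved `.example`/`.test` domains, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message (reserved .example/.test domains, not real senders).
SAMPLE = """\
From: Shop Deals <info@shop.example>
Reply-To: noreply@shop.example
Subject: Your reward is waiting
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://www.shop.example/account">Account</a>
<a href="http://click.mailer-tracking.test/r/8f3a9c71d2">OPEN NOW</a>
</body></html>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def base_domain(host):
    """Last two labels of a host name. Assumption: enough for this sketch;
    production code should consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def header_domain(msg, name):
    """Base domain of the address in a header, or None if absent."""
    addr = parseaddr(msg.get(name, ""))[1]
    return base_domain(addr.rsplit("@", 1)[1]) if "@" in addr else None

def link_domain_mismatches(raw):
    """Sorted base domains linked in the body that match neither From nor Reply-To."""
    msg = message_from_string(raw)
    trusted = {header_domain(msg, "From"), header_domain(msg, "Reply-To")} - {None}
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in HREF_RE.findall(body):
            host = urlsplit(url).hostname  # None for mailto: and relative links
            if host and base_domain(host) not in trusted:
                found.add(base_domain(host))
    return sorted(found)

if __name__ == "__main__":
    print(link_domain_mismatches(SAMPLE))
```

Because it compares base domains rather than full URLs, the result is the same whatever random string follows the host in the link.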