RAW HEADER VIEW
Return-Path: <support@paypaI-security-alert.com>
Delivered-To: finance-dept@university.edu
Received: from mail-relay.suspect-server.net (mail-relay.suspect-server.net [192.0.2.145])
    by mx.university.edu with ESMTPS id 4a2b3c
    for <finance-dept@university.edu>; Tue, 07 Nov 2025 09:14:22 -0500 (EST)
Authentication-Results: mx.university.edu;
    dkim=fail reason="signature verification failed";
    spf=softfail (google.com: domain of transition does not designate 192.0.2.145 as permitted sender)
From: "PayPal Security Team" <support@paypaI-security-alert.com>
To: "Finance Dept" <finance-dept@university.edu>
Subject: URGENT: Unauthorized Transaction Detected
Date: Tue, 07 Nov 2025 09:14:10 -0500
Message-ID: <20251107141410.1A2B3C4D@paypaI-security-alert.com>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"

<div style="font-family: Arial;">
We detected a login from an unrecognized device.
<br><br>
If this was not you, please cancel the transaction immediately:
<br>
<a href="http://secure-login-attempt-verif.com/auth/login.php?id=9928">Click Here to Verify</a>
</div>
RAW HEADER VIEW
Return-Path: <hr-updates@my-workday-portal.net>
Delivered-To: staff-all@university.edu
Received: from unknown (HELO my-workday-portal.net) (203.0.113.88)
    by mx.university.edu with ESMTP; Wed, 08 Nov 2025 14:20:01 -0500
X-Originating-IP: [203.0.113.88]
From: "HR Benefits" <hr-updates@my-workday-portal.net>
Reply-To: <admin@evil-phish.org>
To: <staff-all@university.edu>
Subject: FINAL REMINDER: Open Enrollment Changes
Date: Wed, 08 Nov 2025 14:19:55 -0500
X-Mailer: PHPMailer 6.0

Dear Faculty and Staff,
Open enrollment ends at 5:00 PM today. Review your changes here:
https://human-resources-enrollment.net/login
Failure to confirm will result in loss of benefits.
Mission Instructions
Analyze the headers above. Identify the malicious Sender Email, Source IP, and Phishing URL for both incidents. Defang them before submitting your report.
Utility: Defang (Simulated)
Mode: CyberChef Basic
* In a real investigation, use CyberChef's "Defang URL" recipe. This utility simulates that action (replacing "." with "[.]" and "http" with "hxxp").
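
The extract-then-defang workflow from the mission instructions, as an added Python example that is not part of the original exercise. It runs on a constructed sample message (not either exhibit above); the function names and the sample's domains and IP are assumptions, and defang() follows this page's simulated rule rather than CyberChef's full recipe.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not an exhibit from this page): example domains
# and a documentation-range IP only.
SAMPLE = """\
Received: from relay.mailer.example (relay.mailer.example [198.51.100.23])
\tby mx.university.edu with ESMTPS id 1x2y3z;
\tMon, 03 Nov 2025 10:00:05 -0500
From: "Billing Team" <billing@invoice-portal.example>
Reply-To: <collect@other-domain.example>
To: <staff@university.edu>
Subject: Invoice overdue
Content-Type: text/html; charset="UTF-8"

<a href="http://pay.invoice-portal.example/login.php?id=1">Pay now</a>
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")  # [1.2.3.4] or (1.2.3.4)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def defang(value):
    """Page's simulated rule: leading "http" -> "hxxp", every "." -> "[.]"."""
    return re.sub(r"^http", "hxxp", value, flags=re.I).replace(".", "[.]")

def extract_iocs(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    # Each hop prepends its Received header, so the topmost one was written by
    # the receiving MX and records the host that actually connected to it.
    received = msg.get_all("Received") or []
    hit = IP_RE.search(received[0]) if received else None
    body = msg.get_payload()
    return {
        "sender": sender,
        "source_ip": hit.group(1) if hit else None,
        "urls": URL_RE.findall(body if isinstance(body, str) else ""),
        # Replies routed to a different domain than From are worth reporting.
        "reply_to_mismatch": bool(reply_to)
        and reply_to.split("@")[-1].lower() != sender.split("@")[-1].lower(),
    }

def defanged_report(raw):
    iocs = extract_iocs(raw)
    return {**iocs, "sender": defang(iocs["sender"]),
            "source_ip": defang(iocs["source_ip"] or ""),
            "urls": [defang(u) for u in iocs["urls"]]}

if __name__ == "__main__":
    print(defanged_report(SAMPLE))
```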