I usually don't feel competent enough to ask decent questions, let alone answer them here. But it's rather urgent, so be patient with me:
I CANNOT say if the "secure encrypted message" that I received in an email from a "state agency" was genuine or malicious! I was (a bit reluctantly) expecting an email from this service, and their email signature seemed authentic. Unfortunately, they may or may not have attached this file, which allegedly contained the body of the message in the form of a "secure attachment message" *.EML.
I couldn't open the secure message attachment, which was the first hint of a problem. (I also don't want to call them and then have them read the message, which would spark a conversation I'm not prepared for, without first knowing what the message was talking about.)
I started working hard to open the attachment. As I failed and searched, my discoveries seemed more and more disturbing. I will keep this question up to date with any missing details.
- Received a seemingly valid email from a known state agency, from a known person, from a known division with which I do business.
- Message body in plain text:
"Please find attached." (?? Strange wording -> "FIND" "gasket" ??)
- The (real) message was attached, encrypted and visible only to the recipient of the email to which it was addressed. The attachment then had to be opened by the email client (Gmail-web). I have done this once or twice before, so it is a pain, but not unknown.
- The email's ATTACHMENT was then "displayed in a NEW WINDOW" in Chrome and Vivaldi with similar if not identical results: https://mail.google.com/mail/u/0/??????????? (etc.), WHICH SAID:
(GOOGLE MAIL ERROR MESSAGE:)
"You are viewing an attached message. Company mail cannot verify the authenticity of the attached messages."
"Your document is finished"
"SEE COMPLETED DOCUMENTS:"
(THE LINK GOES TO: https://www.notion.so/(known_AGENCY_-_GUID)/)
"Mrs. (known person)"
"(State agency known)"
"(KNOWN STATE AGENCY)"
"This PDF is password protected,"
"(KNOWN PERSON) has sent you an important vital file to review."
"SEE THE FILE HERE:"
(THE LINK GOES TO: https://fafanfan.tk/000/nsw/data/UntitledNotebook1.html)
"Please take a look and let me know if these are ready to print."
(HUH ?? Why let you know ?? And, why print, instead of seeing ??)
"Please open with your professional email."
(HUH ?? "Please", "professional email"? Who speaks like that ??)
"Log in with your email and password to view the file."
- So, I clicked on the email link and tried to log into my company's GMAIL account.
- It seemed that the login to my account was successful, but it then told me that I should verify my account and provide (either) the recovery phone or the recovery email address.
- I provided a valid phone number, which failed with an error.
- Then I tried my valid recovery email address, which also failed with an error.
- I tried Vivaldi and Chrome, and both failed each time. (I assumed it was opening a window without cookies, so the login to Google came from an unknown new page.)
At this point, I started googling the URI and other things:
- Hmmm, strange domain (TLD) .TK ?? Searched the URI = NO hits.
- Searched the (TLD) .TK – not good – it said that 95% of .TK traffic is malware/spam.
- Searched for the other URI listed above = no results. Uncool.
- I changed all my email PWs. I checked for strange logins but saw nothing strange. (If I provided my credentials to the bad guys, they are a bit slow today. So maybe I dodged a bullet.)
- I checked/scanned the downloaded file with Windows Defender – no detection.
- I submitted the file to VirusTotal – no detection by anyone.
- I also submitted the two URIs listed above, and I only found one hit from an unknown security company, which reported the *.TK as probably a "bad URI".
At this point, I'm not at all sure what to do … I do NOT want to call them and start a conversation that might later deny me "plausible deniability" of having received this notice. OTOH, I can't ignore it too long either.
RANT: I hate all these "protections", which invite malware to be easily inserted. Then you rely on ordinary users to determine if the attachments are safe ?? Few users are smart enough, and I know I am not. (Although I am not a total security idiot because I am more careful and knowledgeable than anyone I know.)
If Adobe wants to provide tools like this, fine. Then please make it much easier and obviously safe for senders and (very novice) readers. For example, use URIs from Adobe.com and never use TLDs that are also used for malware. If you provide security tools, please do not rely on the IT staff of these agencies to train users to use these tools correctly with the public, most of whom have never opened a "secure attachment", let alone know how to open one (OR NOT) safely.
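The checks the post walks through by hand (open the attached message, see where its links go, notice the .TK TLD and the "log in with your email and password" wording) can be done offline before clicking anything. The following is an added example, not code from the original post: it builds a constructed stand-in for such a mail (the placeholder hosts and the hypothetical helper names build_sample, triage and SUSPICIOUS_TLDS are assumptions) and reports what a reader should know before following any link.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf", "gq"}  # abused free TLDs; the list is an assumption
LURE_PHRASES = ("password protected", "see the file here",
                "log in with your email and password")  # wording quoted in the post
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def build_sample() -> bytes:
    # Constructed stand-in for the post's mail: the "real" message travels as a
    # message/rfc822 attachment inside a one-line outer mail. Hosts are placeholders.
    inner = EmailMessage()
    inner["From"], inner["Subject"] = "clerk@agency.example", "Your document is finished"
    inner.set_content("Your document is finished.")
    inner.add_alternative(
        '<p>SEE COMPLETED DOCUMENTS: <a href="https://www.notion.so/PLACEHOLDER-GUID/">link</a></p>'
        '<p>This PDF is password protected. SEE THE FILE HERE: '
        '<a href="https://placeholder-lure.tk/000/UntitledNotebook1.html">link</a></p>'
        '<p>Log in with your email and password to view the file.</p>', subtype="html")
    outer = EmailMessage()
    outer["From"], outer["Subject"] = "clerk@agency.example", "Secure message"
    outer.set_content("Please find attached.")
    outer.add_attachment(inner)  # serialised with Content-Type: message/rfc822
    return outer.as_bytes()

def triage(raw: bytes) -> dict:
    # Walk every part, descending into the nested message, and report what a reader
    # should know before clicking: links, risky TLDs, off-domain hosts, lure wording.
    msg = message_from_bytes(raw, policy=policy.default)
    sender_domain = str(msg["From"]).rsplit("@", 1)[-1].lower()
    report = {"nested_message": False, "urls": [], "risky_tld": [], "off_domain": [], "lure_hits": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            report["nested_message"] = True  # inner headers carry no SPF/DKIM verdict
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            report["urls"].append(url)
            if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
                report["risky_tld"].append(url)
            if host != sender_domain and not host.endswith("." + sender_domain):
                report["off_domain"].append(host)
        text = re.sub(r"<[^>]+>", " ", body).lower()
        report["lure_hits"] += [p for p in LURE_PHRASES if p in text and p not in report["lure_hits"]]
    return report
```

Run `triage(open("message.eml", "rb").read())` on a saved .eml to get the same report for a real mail; a non-empty risky_tld or lure_hits list, or links that all leave the sender's domain, is the cue to verify with the sender through a channel you already trust rather than through the mail.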