XPS Attachment Used for Phishing (Fri, Jun 22nd)

While phishing is never a good thing, it is interesting to see something different from your normal phishing attempt. We received an email today from Earl Ruberts about an email their IT department received from the purchasing department of another company with which they have no relationship. The email contained an attachment that had a .xps extension. Their scans of the attachment came back clean, and the email did not appear to be spoofed. They contacted the company to ask whether it had sent the email and found out that the company was actively cleaning up an account compromise. Since the email and attachment were suspicious, Earl asked us to take a look. Here is the body of the email:

Article Link: https://isc.sans.edu/diary/rss/23794