I received and odd email security notice:confused:

[rsteinmetz70112]

I received an odd email today purporting to be from a large national company, who we have done work for in the past.

• The message identifies our company.
• It identifies certain files related to some past projects that are claimed to be exposed on the Internet.
• The domain is legit, the email addresses could be from that company.
• All of the contact phone numbers are offshore.
• The information portion of the message looked like an email but it is an image, not text.
• As far as we know this company was not involved in the projects identified but are projects we worked on.
• There is no information identifying the server by DNS or IP address.
• There is no information identifying the nature of the exposure like an open port or some protocol.

I have in the past received notices from an ISP identifying open ports, but they included specific information about the issue.

[ActionParsnip]

Check email headers and if SPF failed or passed. Check the location of the IP address. Check the WHOIS of the domain.

[ActionParsnip]

If in doubt, don't reply to the email but call the sender to see if they sent it or craft a new email to someone on the inside to see if they sent it.

[SeijiSensei]

Use the option in your mail client to show all the headers. Look at the Received entries and make sure the message came from it alleged source. First thing I do with any suspicious email is reveal all the headers. There may be SPF and DKIM headers that will provide useful clues as well.

[rsteinmetz70112]

I did check the whois and the domain is legit, although it could be spoofed. I was thinking of sending something to the admin contact for the domain.

[rsteinmetz70112]

I did check the whois and the domain is legit, although it could be spoofed. I was thinking of sending something to the admin contact for the domain.

All of the phone numbers in the email are offshore, so I'm not sure who I'd get or if they were legit. The company is big enough that I don't have a clue what verifiable number I could call to get someone who would care.

[SeijiSensei]

Have you looked at the headers yet?

[rsteinmetz70112]

Check email headers and if SPF failed or passed. Check the location of the IP address. Check the WHOIS of the domain.

OK the IP address 207.82.80.112 it seems to be Mimecast Services Limited, and the mail was passed through prod.outlook.com
I don't think that tells me anything.

[EuclideanCoffee]

OK the IP address 207.82.80.112 it seems to be Mimecast Services Limited, and the mail was passed through prod.outlook.com
I don't think that tells me anything.

Are you certain it wasn't forwarded from Mimecast? Sometimes that header can become difficult to follow.

Without the full information, it's hard for us to provide much more advice.

[DuckHook]

When in doubt, treat it like it's a live hand grenade. If it turns out that you are over‑reacting, the company in question will appreciate your abundance of caution. If the threat turns out to be real, you will have saved yourself a world of hurt.

You state:

…the email addresses could be from that company…

…so contact those email addresses. When you initiate clean virgin emails—vs clicking some "reply" button—you can be sure that it goes directly to that recipient. If you still question the veracity of the reply, then the next measure would be to simply contact your client's security department. I don't believe that any "large national company" will lightly wave off security threats these days.