Why is it different? Normally the email says your password is expiring or that there has been suspicious activity on your account and asks you to click a link. These two emails are talking about something I may actually be interested in offering. Mass-market messages address you as “Dear Sir/Madam.”
Let’s look at the differences and red flags:
- Inquiry in the subject line – In British English, "inquiry" refers to a legal investigation; in American English it is the correct word for a business enquiry. Whether this counts as a mistake in the English depends on where the email was received.
- Hi Graeme in the subject line – This is not the appropriate place to greet me.
- I tried calling in the email body – I did not receive a call or voicemail, and my website does not list a phone number.
- Your teams in the email body – If they had read my website correctly, they would have seen that it is just me.
- Elizabeth Lee – This name does not appear in search engines or on LinkedIn as an employee.
- Kelsostrategy.us – This domain is different from kelso.com.
- Kelsostrategy.us – was registered on 21st March and used to re-direct to kelso.com.
- Kelso – is a bona fide business and is a private equity firm based in Mid-Manhattan and may not be the correct organization to approach me for training.
- 1000 Main Street – This is the address listed in WHOIS, but Google Maps shows no apartment block at that address.
- Teams/Calendar/Kelso/Elizabeth – This link text is not a URL; the actual URL behind it points to a Microsoft Azure Blob.
- Michael – is mentioned in the body but is not cc'ed on the email.
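The checklist above can be turned into a triage script. The following is an added example, not code from the original post: it applies three of the red flags (lookalike sender domain, greeting in the subject line, link text hiding a cloud-storage URL) to a constructed sample message whose addresses and hostnames are placeholders shaped like the ones discussed.

```python
# Added example: automates part of the red-flag checklist. The sample message is
# constructed (not the real email); sender domain and Azure host echo the post.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

CLOUD_HOSTS = ("blob.core.windows.net", "web.core.windows.net")  # Azure static-site/blob hosting

RAW_EMAIL = """\
From: Elizabeth Lee <e.lee@kelsostrategy.us>
To: graeme@example.invalid
Subject: Hi Graeme - Training Inquiry
Content-Type: text/html; charset=utf-8

<p>Hi Graeme, I tried calling about training for your teams. Book here:
<a href="https://kelsomeetings.z5.web.core.windows.net/">Teams/Calendar/Kelso/Elizabeth</a></p>
"""

class LinkParser(HTMLParser):
    # Collect (anchor text, href) pairs so link text can be compared with the real target
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def triage(raw, brand_domain):
    # Return the red flags found in one message; an empty list means none fired
    msg = message_from_string(raw)
    flags = []
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    brand = brand_domain.split(".")[0]
    if sender_domain != brand_domain and brand in sender_domain:   # kelsostrategy.us vs kelso.com
        flags.append(f"lookalike sender domain {sender_domain} (expected {brand_domain})")
    if re.match(r"\s*(hi|hello|dear)\b", msg["Subject"] or "", re.I):  # greeting belongs in the body
        flags.append("greeting placed in the subject line")
    parser = LinkParser()
    parser.feed(msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8"))
    for text, href in parser.links:
        host = re.sub(r"^https?://", "", href).split("/")[0].lower()
        if not re.match(r"^https?://", text) and host.endswith(CLOUD_HOSTS):
            flags.append(f"link text {text!r} hides a cloud-storage URL on {host}")
    return flags
```

Running `triage(RAW_EMAIL, "kelso.com")` on the sample returns all three flags; a message from the genuine domain with a plain URL as link text returns none.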

Email one received on 30.3.26. No link is present in this email.
Email two received on 2.4.26. The way the email address displays is not professional, which is another possible giveaway.
The domain is most likely real and not hijacked, and passes SPF & DKIM with the MX records pointing to Google. The Google email mailbox is likely a paid version since it uses a custom domain not gmail.com or googlemail.com.

The initial URL in the phishing email shows on one blacklist, which, funnily enough, is a Russian one.

The email domain also shows on a blacklist, with one entry flagging it as a fresh domain registration.

This is the URL in email two. Opened in a web sandbox, it takes you to https://kelsomeetings.z5.web.core.windows.net/, a fake CAPTCHA page hosted on Microsoft Azure.

If you follow the fake CAPTCHA it takes you here to “schedule a Teams session”.
The HTML contents of the first URL are as follows; most of it can be understood apart from the encoded JavaScript:

When you follow the fake CAPTCHA it sends you to: https://kelsomeetings.blob.core.windows.net/$web/book.html.

By clicking on “schedule a Teams session” it opens a popup to https://yeawouchea.ru/HejuQn@gpHfL/. Each web page hosted on Microsoft Azure uses JavaScript and encoding. See the VirusTotal analysis of the Russian URL at https://www.virustotal.com/gui/url/d1a7ce9242f6d39524efe9fccc10a1144289d71434c0701d57a14275b418673e.

The final destination did little in my analysis and is on a few blacklists. Perhaps the content has been stripped off by the web host, or it does not run in a hosted SaaS sandbox.
As of 7th April the domain seems to be suspended and I did report it to spaceship.com. Also I emailed a few folk at kelso.com and got no reply.

