-----Original Message-----
From: Chandler Willis <cwillis@westernexp.com>
Sent: Tuesday, January 28, 2025 8:25 AM
To: irt@westernexp.com
Subject: FW: Phishing:10006d43-4fe3-43f1-a4f8-08dd3fa15956|renestevens90@gmail.com|(Amazon Pay Citibank® Credit Card Application) 1/28/2025 1:46:30 PM

Attempted scam sent to Howard. It tries to get him to call a phone number in regard to a fake credit card. I blocked the sender and remediated the message. No links or attachments contained.

-----Original Message-----
From: Kace Security Helpdesk <securityhelpdesk@westernexp.com>
Sent: Tuesday, January 28, 2025 7:47 AM
To: irt@westernexp.com
Subject: FW: Phishing:10006d43-4fe3-43f1-a4f8-08dd3fa15956|renestevens90@gmail.com|(Amazon Pay Citibank® Credit Card Application) 1/28/2025 1:46:30 PM




________________________________________
From: Howard Brown <hbrown@westernexp.com>
Sent: Tuesday, January 28, 2025 7:46:30 AM (UTC-06:00) Central Time (US & Canada)
To: Kace Security Helpdesk
Subject: Phishing:10006d43-4fe3-43f1-a4f8-08dd3fa15956|renestevens90@gmail.com|(Amazon Pay Citibank® Credit Card Application) 1/28/2025 1:46:30 PM

# Questionable URLs detected in message:
None


Received: from SA1PR12MB6918.namprd12.prod.outlook.com (2603:10b6:806:24d::8) by SA3PR12MB8764.namprd12.prod.outlook.com with HTTPS; Tue, 28 Jan 2025 13:40:59 +0000
Received: from MN2PR01CA0062.prod.exchangelabs.com (2603:10b6:208:23f::31) by SA1PR12MB6918.namprd12.prod.outlook.com (2603:10b6:806:24d::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.22; Tue, 28 Jan 2025 13:40:38 +0000
Received: from BL6PEPF00020E63.namprd04.prod.outlook.com (2603:10b6:208:23f:cafe::de) by MN2PR01CA0062.outlook.office365.com (2603:10b6:208:23f::31) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8377.23 via Frontend Transport; Tue, 28 Jan 2025 13:40:37 +0000
Received: from us-smtp-inbound-delivery-1.mimecast.com (170.10.132.61) by BL6PEPF00020E63.mail.protection.outlook.com (10.167.249.24) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8398.14 via Frontend Transport; Tue, 28 Jan 2025 13:40:37 +0000
Received: from s.wfbtzhsv.outbound-mail.sendgrid.net (s.wfbtzhsv.outbound-mail.sendgrid.net [159.183.224.104]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-194-ZQqWWey1Ouadp4-LjX31NQ-1; Tue, 28 Jan 2025 08:40:34 -0500
Received: by recvd-78c5df94bf-7p8zw with SMTP id recvd-78c5df94bf-7p8zw-1-6798DE4F-2F 2025-01-28 13:40:31.533665917 +0000 UTC m=+6452239.445120759
Received: from NTAxMjM2OTE (unknown) by geopod-ismtpd-14 (SG) with HTTP id B14RvmnhT6-GdSKbW9c9-A Tue, 28 Jan 2025 13:40:31.516 +0000 (UTC)
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: Rene S <renestevens90@gmail.com>
To: Howard Brown <hbrown@westernexp.com>
Subject: Amazon Pay Citibank® Credit Card Application
Thread-Topic: Amazon Pay Citibank® Credit Card Application
Thread-Index: AQHbcYpEnF7SvOqiM0iHS27q5lvdfQ==
Date: Tue, 28 Jan 2025 13:40:32 +0000
Message-ID: <B14RvmnhT6-GdSKbW9c9-A@geopod-ismtpd-14>
List-Unsubscribe: <https://mc.sendgrid.com/>
Reply-To: "renestevens90@gmail.com" <renestevens90@gmail.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: BL6PEPF00020E63.namprd04.prod.outlook.com
X-MS-Has-Attach:
X-MS-Exchange-Organization-Network-Message-Id: 10006d43-4fe3-43f1-a4f8-08dd3fa15956
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <B14RvmnhT6-GdSKbW9c9-A@geopod-ismtpd-14>
X-MS-Exchange-Organization-RecordReviewCfmType: 0
received-spf: SoftFail (protection.outlook.com: domain of transitioning sendgrid.net discourages use of 170.10.132.61 as permitted sender)
x-ms-publictraffictype: Email
x-forefront-antispam-report: CIP:170.10.132.61;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:SKN;H:us-smtp-inbound-delivery-1.mimecast.com;PTR:us-smtp-inbound-delivery-1.mimecast.com;CAT:NONE;SFS:(13230040)(29132699027)(82310400026)(69100299015)(7093399012)(4022899009)(5073199012)(13003099007)(8096899003)(4076899003);DIR:INB;
authentication-results: spf=softfail (sender IP is 170.10.132.61) smtp.mailfrom=sendgrid.net; dkim=fail (body hash did not verify) header.d=sendgrid.net;dmarc=fail action=none header.from=gmail.com;compauth=none reason=405
x-ms-office365-filtering-correlation-id: 10006d43-4fe3-43f1-a4f8-08dd3fa15956
x-ms-traffictypediagnostic: BL6PEPF00020E63:EE_|SA1PR12MB6918:EE_|SA3PR12MB8764:EE_
x-microsoft-antispam: BCL:0;ARA:13230040|29132699027|82310400026|69100299015|7093399012|4022899009|5073199012|13003099007|8096899003|4076899003;
x-ms-exchange-crosstenant-originalarrivaltime: 28 Jan 2025 13:40:37.5738 (UTC)
x-ms-exchange-crosstenant-fromentityheader: Internet
x-ms-exchange-crosstenant-id: 7574e840-7b4e-4dde-9344-850222919bd8
x-ms-exchange-crosstenant-network-message-id: 10006d43-4fe3-43f1-a4f8-08dd3fa15956
x-ms-exchange-transport-crosstenantheadersstamped: SA1PR12MB6918
x-mc-unique: ZQqWWey1Ouadp4-LjX31NQ-1
x-ms-exchange-transport-endtoendlatency: 00:00:22.1525103
x-ms-exchange-processed-by-bccfoldering: 15.20.8377.021
x-eopattributedmessage: 0
x-eoptenantattributedmessage: 7574e840-7b4e-4dde-9344-850222919bd8:0
x-mimecast-spam-score: 2
arc-seal: i=1; s=201903; d=dkim.mimecast.com; t=1738071637; a=rsa-sha256; cv=none; b=mOQl4m9J0h3Sni+WP6X07t4MayN3koRCkzHvluq3Fys4laX7nE95fbG8NQZzJfDS1nva+v kZW/c06IcrJocUEeE9Vwlf168xJ8+W6tbNseNdx1xGdcLMoQX38/NK8j85ubFR+3gHxtIY FYWU1rbZqBjiiHO81jy3IiW+Unxf1EOQE6V/c9vbCa3221Zu3ObqcysOXU+u7gj/cUhGKH CfevhnLeDkwjDuWjiJ4k/gezwrR2vvN8apAx8U4F1NYEZmxXYj3roQnC1NNQwW50GrkzqJ 2HhjhjnSt7sbRtxBq3QzfNb518Q7odB9obGqRy85uijfNEkirSnezb6QetS15A==
arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=dkim.mimecast.com; s=201903; t=1738071637; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:list-unsubscribe:list-unsubscribe-post: dkim-signature; bh=TfFJgdzaMN8yIuK6pGTqfZqitMQ9baQpmApScL91UBc=; b=GrGbcwp03tUMGbG45d1gr06yL210gwYYJSZEoMOHv+R2bih8OB9ZACHcEjoADUTTY35hek ytiQqhgqi9Mkmat9dyaV06p0ykSL21KPi4GB8TMQzdxUQ6CsLdOJSE3R+pRA4bdDgs4CCQ 5D8lv2PZPQHFuBb1sTKO/oil3Mm+6XTk4OUwQQdvb9Q+NKzqrwjY0Sluh3KqtwSeTMyRIS MY05Mtz0xv2b/x26FG3TeJVOwdu3Bsnx8CCONkNToBYoYGdqFZlnFGN4n7U4Aonca7Dgc9 ZDipINVCjAQ3XDNXCdMMCXcbI9LQ2h8iFdhQiwAePdsPsvpefnQerfsaz4BthQ==
arc-authentication-results: i=1; relay.mimecast.com; dkim=pass header.d=sendgrid.net header.s=smtpapi header.b="NBma+v/Q"; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (relay.mimecast.com: domain of "bounces+50123691-a20b-hbrown=westernexp.com@sendgrid.net" designates 159.183.224.104 as permitted sender) smtp.mailfrom="bounces+50123691-a20b-hbrown=westernexp.com@sendgrid.net"
authentication-results-original: relay.mimecast.com; dkim=pass header.d=sendgrid.net header.s=smtpapi header.b="NBma+v/Q"; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (relay.mimecast.com: domain of "bounces+50123691-a20b-hbrown=westernexp.com@sendgrid.net" designates 159.183.224.104 as permitted sender) smtp.mailfrom="bounces+50123691-a20b-hbrown=westernexp.com@sendgrid.net"
dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net; h=content-type:from:mime-version:subject:reply-to:list-unsubscribe: list-unsubscribe-post:to:cc:content-type:from:subject:to; s=smtpapi; bh=b8/juc3i6BanVeE5SoEa34wmR2bDExzQLmjC/+0WMYc=; b=NBma+v/QkGVxjGr4EbgLSfvEAHatsy9AW4HJhMHbRCnn8t/oGHowtwHsJg4lJ+K2OYrs AAwTMZmn5huIbyWm9dFAvv6bWTmeSVyu9HR5inZpwlYIMbN2CtGVJRA1gkUYqk3gHO2jaZ EWrvRHpcMSrpmTu5YAytJb3afvajuNZCA=
x-ms-exchange-crosstenant-authas: Anonymous
x-ms-exchange-crosstenant-authsource: BL6PEPF00020E63.namprd04.prod.outlook.com
x-ms-exchange-atpmessageproperties: SA|SL
MIME-Version: 1.0



This email has been scanned for email related threats and delivered safely by Mimecast.
For more information please visit http://www.mimecast.com

Dear valued customer,


We are reaching out to inform you that your Citibank Credit Card application has been successfully received. We understand the importance of a credit card that suits your financial needs and we are here to assist you every step of the way. Our team of experts is available to address any questions or concerns you may have. We look forward to helping you with your financial goals. 


Processing fees - $450.00
verificationm method -SSN


If you suspect identity theft or did not submit this application, please contact our fraud department immediately:

Citibank Hotline: 18023091319 

Rene S

renestevens90@gmail.com, New York,

Unsubscribe - Unsubscribe Preferences