Fake phishing email from Avast targeting yahoo.com domain

There is a spear phisher posing as Avast.com and sending billing emails using the data extracted from the Yahoo.com breaches. I moved all my critical accounts off Yahoo last month, and was also alerted to the addition of a billing password inside the email. How suspicious.

The email contains links:

https://lh3.google.com/u/0/d/0ByUoHa_LN3kvd3ktQzZDdUJIMDA=w1272-h699-iv1

and

https://lh3.google.com/u/0/d/0ByUoHa_LN3kvbEdFaktUSE51cmM=w1272-h699-iv1

What was a real doozy is that the phisher uses a DKIM cert authenticating them to the spmailtechno.com domain. And Avast will see NO virus in the email. From the header:

X-Antivirus: Avast (VPS 17021100)
X-Antivirus-Status: Clean
X-Apparently-To: ********@yahoo.com; Sat, 11 Feb 2017 10:07:41 +0000
Return-Path: msprvs1=17215CskhSGcw=bounces-39885@spmailtechno.com
Received-SPF: pass (domain of spmailtechno.com designates 35.163.132.52 as permitted sender)
X-Originating-IP: [35.163.132.52]
Authentication-Results: mta1234.mail.bf1.yahoo.com from=avast.com; domainkeys=neutral (no sig); from=spmailtechno.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO mta210.spmta.com) (35.163.132.52)
by mta1234.mail.bf1.yahoo.com with SMTPS; Sat, 11 Feb 2017 10:07:41 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=avast.com;
s=scph0416; t=1486807660; i=@avast.com;
bh=qQPrQqspYrR4c15VCr7Eef30LPplm8D5NLIvwdqRBhM=;
h=To:Date:Subject:From;
b=awwRR208dYylA0lkznSIIlOImWX2VZkVy4aZRxZ+MNkkzd+68HhlYUco2Y+RUbCOQ
OGqfP3mUWrNkbCy/t7FDQX2LWyEgN5mTxuMlfpo7mGVuGEPpGDBQzb8ifnntzNbmkc
2G3Pt+LOPH8Z0MrP2pM/EdA3TdvsjyJcox/6sgrg=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spmailtechno.com;
s=ssp0516; t=1486807660; i=@spmailtechno.com;
bh=qQPrQqspYrR4c15VCr7Eef30LPplm8D5NLIvwdqRBhM=;
h=To:Date:Subject:From;
b=TMrP6lQu6FV710Pc2s1eWoMHMLReeVS1wtiUPJQ0IcVv9/8JFYEXCecJ1ORSKgR7J
uH9mMWdlEFhM2XF/cFzjsVcehkDaox8SNc3jAKJAZazI2ENCGxWj6tj0lzQkTKZA4m
Tnt87LX/PgLjtk3/7Jo5CsZjxHcyCdrRVdjeb50E=
X-MSFBL: XPhzmjljscjKxCoTtEVJAVUEsAcv7dCGDWlyzRhwY18=|eyJmcmllbmRseV9mcm9
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"

I have reported this to try and get some Avast input on it.
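
The header excerpt above records SPF and DKIM passing for spmailtechno.com while the message presents itself as coming from avast.com. As an added example (not part of the original post and not written by anyone in this thread), the Python below parses those result headers and checks whether any passing identity aligns with the visible From domain, which is the comparison DMARC alignment makes; the function names and the two-label organizational-domain shortcut are assumptions.

```python
import re

# Header lines copied from the post above; long signature values left out.
SAMPLE_HEADERS = """\
Return-Path: msprvs1=17215CskhSGcw=bounces-39885@spmailtechno.com
Received-SPF: pass (domain of spmailtechno.com designates 35.163.132.52 as permitted sender)
Authentication-Results: mta1234.mail.bf1.yahoo.com from=avast.com; domainkeys=neutral (no sig); from=spmailtechno.com; dkim=pass (ok)
"""

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    # A real DMARC check consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def authenticated_identities(raw):
    """Return (method, result, domain) for each check the receiver recorded."""
    raw = re.sub(r"\r?\n[ \t]+", " ", raw)  # unfold continuation lines
    found = []
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "received-spf":
            hit = re.match(r"\s*(\w+)\s*\(domain of (\S+)", value)
            if hit:
                found.append(("spf", hit.group(1).lower(), hit.group(2).lower()))
        elif name == "authentication-results":
            # Layout seen in the post: "from=<domain>; <method>=<result>" pairs.
            pairs = re.findall(r"from=([\w.-]+);\s*(\w+)=(\w+)", value)
            found += [(meth.lower(), res.lower(), dom.lower()) for dom, meth, res in pairs]
    return found

def alignment_report(raw, from_domain):
    """Mark each recorded check as aligned only if it passed for the From domain."""
    want = org_domain(from_domain)
    return [
        {"method": meth, "result": res, "domain": dom,
         "aligned": res == "pass" and org_domain(dom) == want}
        for meth, res, dom in authenticated_identities(raw)
    ]

def from_is_authenticated(raw, from_domain):
    return any(row["aligned"] for row in alignment_report(raw, from_domain))

if __name__ == "__main__":
    # "avast.com" is the domain the post says the message claims to come from.
    for row in alignment_report(SAMPLE_HEADERS, "avast.com"):
        print(row)
    print("From domain authenticated:", from_is_authenticated(SAMPLE_HEADERS, "avast.com"))
```

A passing SPF or DKIM result vouches only for the domain it names. The excerpt also carries a `d=avast.com` signature, but the Authentication-Results line reports no verdict for it, so it contributes nothing to this check.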

Could you post the email body? Both the links are now dead and contain no phishing.

This one is still out there. I just got a message similar to the OP on 29 July.