Salesforce Invoice Spam Email Alert

We're blocking a new Salesforce fake invoice email spam campaign that links to a malicious zip file on a hacked Wordpress site. This email does NOT come from Salesforce. The zip file likely contains a trojan that installs a keylogger / adware. Read how to recognize this dangerous threat and train your coworkers in case it gets past your antispam system.

Salesforce Invoice Spam

Salesforce spam is fairly common, but this campaign appears to be using a new template. We added several filters to block it for our customers globally within a few minutes.

This campaign does not have an attached zip file with the malicious payload. Instead, it has a link to what looks like a Saleforce website. But it actually links to a zip file called "" on a hacked Wordpress page. This one will probably fool some people into clicking on it.

Most Antivirus Not Blocking It

As of 12:53pm today, the zip file was only recognized as a threat by 6 out of 57 anti-virus vendors. We've discussed this issue before, that antivirus programs can't keep up with today's quickly changing email threats.

That's because traditional antivirus only scans the downloaded file. Cloud antispam analyzes the entire delivery mechanism and global traffic patterns for spammy behavior, which we have learned how to detect almost instantly (we had it fully blocked globally within about 10 minutes).

About This Threat

We had several filters in place within minutes that are completely blocking this threat globally. If your antispam system requires you to do your own filtering, or doesn't update every few minutes, you're probably having a hard time keeping up and you're seeing a lot of spam That's bad. It creates a large risk that one of your coworkers is going to click on a dangerous email or download a malicious attachment.

Spoofed Header Info

Below is a copy of the email "header" that contains information for servers to process. Most user's never see most of this. You'll note that the header is "spoofed" to make it appear to the recipient and some antispam programs that this email is actually from Salesforce:

X-MIMEDefang-Relay-ca7e395729062400c36e9cbcb508575aec105509: Received: from localhost ([::1]:40427 by with esmtp (Exim 4.82) (envelope-from <>) id 1YbAO9-0002r1-R3; Thu, 26 Mar 2015 12:12:11 -0400 Date: Thu, 26 Mar 2015 12:12:09 -0400 To: undisclosed-recipients:; From: SalesForce Billing <> Subject: SalesForce Subscription Invoice #30810801 - Credit Card declined Message-ID: <> X-Priority: 3 X-Mailer: PHPMailer 5.2.8 ( MIME-Version: 1.0 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-OutGoing-Spam-Status: No, score=1.2 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - X-AntiAbuse: Original Domain - X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - X-Get-Message-Sender-Via: acl_c_authenticated_local_user: root X-Source: X-Source-Args: X-Source-Dir:

Email Body

Also, the body of the email includes several elements designed to fool the recipient. It uses an authentic-looking Salesforce logo and well as a link text that looks like it's going to download a file from Salesforce.

Salesforce Spam Email

This Salesforce spam links to a dangerous zip file that installs malware

There are also some clues in the email that tell you it's spam:

  • "Dear client": Companies that you do business with know your name and will generally address you personally in email. Most spammers don't know your name, so they have to rely on phrases like "Dear Client" or "Dear Customer". Note however, that some do learn your name from harvesting emails and other techniques, so use of your real name is not in itself an indication the email is safe.
  • Urgent message + link: The classic spammer technique is to put an urgent message in the email designed to induce fear and get you to act quickly, without thinking. This email indicates that a payment is due in just a few days or your subscription will expire. Then it conveniently presents you with a link to click on and fix everything.
  • Suspicious link: The link text that appears in the email is different from the actual link destination (which you can see at the bottom of your browser window by hovering over -- but DO NOT click - the link with your mouse).
  • No contact or opt-out info: There is no contact information in the email itself (only a link). Also, there is no "opt-out" link, required by various anti-spam laws. But again, you can't rely on the lack of that alone. Some spammers put real or fake contact info and opt-out links in the emails.
  • Bad formatting: A company the size of Salesforce (and even much smaller ones) would never send out an email that looked this messy.

Even without examining the contents of the linked file, these clues tell you the email is, almost without a doubt, dangerous spam.

Links to a Dangerous Zip File

We've analyzed the file based on public information about it. The zip file apparently contains a trojan that install a keylogger / adware software that could steal passwords you type and worse.

It's obvious that you should NOT click on the link or download the linked zip file. Actually, you should never download or open such a file. Even if you are expecting such an email and plan to scan it first, keep in mind that many antivirus programs run hours or days behind quickly changing malware and will likely not recognize it.

Traditional Anti-Virus Vendors Can't Keep Up

No antispam or antivirus system can fully protect against these rapidly-changing email attacks. However, Cloud antispam now provides better zero-day protection than traditional antivirus. People relying on traditional antivirus to protect them were exposed to this threat. According to VirusTotal, as of 12:53pm (more than an hour after it struck), only 6 of 57 antivirus vendors were able to detect this zip file as malicious

SpamStopsHere blocks threats like this from day-zero because we examine not just the dangerous payload (the executable file), but the entire delivery package for suspicious clues. We also analyze global email traffic patterns to help us detect spam and email-borne viruses. And we update our database every two minutes, so there's no waiting to download the latest virus definitions. Our customers were fully protected globally with about 10 minutes.

For more about how we do that, see our recent blog comparing Cloud antispam to antivirus.


SpamStopsHere is updated every two minutes, 24/7/365. Because it works in the Cloud, spam filtering updates take effect immediately without the user downloading or installing anything.

If you're having trouble keeping up with these threats, consider trying SpamStopsHere FREE for 30 days. It blocks 99.5% of spam with a false positive rate of less than 0.001%. That means we block fewer that 1 out of 100,000 good emails, which is why businesses and professionals love our service.

Click here for more about SpamStopsHere and our 24/7/365 live support

Marks used in this article are the properties of their respective owners. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.