The Email Came From Zoho... But Claimed To Be Amazon
The platform looked legitimate.
The footer was real. The sender appeared to use Zoho Invoice. The message was formatted like a normal payment notification.
But the story claimed an Amazon Gift Card purchase had been verified.
Then came the refund phone number.
The platform was trusted.
The message was not.
Trusted Platform Abuse
The alert was not about a fake Amazon domain. It was about a legitimate invoice platform being used to deliver a false payment story.
The invoice looked normal. The story did not.
Why this works
Find suspicious payment received emails
- 1
- 2
- 3
- 4
- 5
- 6
- 7
EmailEvents
| where Timestamp > ago(30d)
| where Subject has_any ("Payment Received", "invoice", "payment")
| project Timestamp, RecipientEmailAddress, SenderFromAddress, SenderMailFromAddress, Subject, DeliveryAction, ThreatTypes, NetworkMessageId
| order by Timestamp desc
Inspect Zoho Invoice sender patterns
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
EmailEvents | where Timestamp > ago(30d) | where SenderFromAddress has "zoho" or SenderMailFromAddress has "zoho" | project Timestamp, RecipientEmailAddress, SenderFromAddress, SenderMailFromAddress, Subject, EmailAuthenticationResults, AuthenticationDetails, NetworkMessageId | order by Timestamp desc
Review URLs connected to the message
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
EmailUrlInfo
| where Timestamp > ago(30d)
| where Url has_any ("zoho", "invoice", "payment")
| project Timestamp, NetworkMessageId, Url, UrlDomain
| join kind=inner (
EmailEvents | project NetworkMessageId, RecipientEmailAddress, Subject, SenderFromAddress
) on NetworkMessageId
| order by Timestamp desc
Check whether anyone clicked
- 1
- 2
- 3
- 4
- 5
- 6
- 7
UrlClickEvents
| where Timestamp > ago(30d)
| where Url has_any ("zoho", "invoice", "payment")
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough, NetworkMessageId
| order by Timestamp desc
