Social Engineering • Email Investigation • Tracking Links

The Email Promised $5,695. The Link Told A Different Story

An email claimed an inactive account contained $5,695 waiting to be claimed.

All I had to do was reply and begin the ownership confirmation process.

The sender was using Gmail. The contact method was Telegram. And hidden inside the message was a tracking link.

That was the moment the investigation began.

Briefing summary

A suspicious email promised money from an inactive account. The sender used Gmail, pushed the recipient toward Telegram and included a Google Apps Script link with tracking parameters. The money was bait. The interaction was the signal.

Gmail sender claiming authority
Telegram used as contact channel
Tracking link exposed the intent

What happened

The message did not need malware, attachments or a fake login page. It only needed curiosity.
The amount felt deliberate: The email did not promise millions. It promised $5,695. Specific enough to sound believable. Small enough to feel realistic.
The sender had no authority: The display name looked professional, but the sender address was a personal Gmail account. No company domain. No institution. No verifiable identity.
The contact path moved off email: The message asked the recipient to continue on Telegram, moving the conversation into a channel with less organisational visibility and fewer controls.

The link that changed everything

The email made a claim. The URL revealed the mechanism.
suspicious-tracking-link.txt
https://script.google.com/macros/s/...
?email=jonathan@gemxit.com
&sender=markcalle715@gmail.com
&uid=e1efe913-aefb-4a4d-a185-074e8a02ab29
// the message was not just asking for trust; it was tracking interaction
The target was embedded: The URL contained the target email address. That means the click could be tied back to a specific recipient.
The sender was embedded: The sender value was also passed through the link, creating a simple way to record which campaign or mailbox generated the interaction.
The UID made it personal: A unique identifier allowed activity to be correlated to one recipient, one message or one delivery attempt.

Agent Foskett moment

Everyone looked at the money. The better question was why the message needed the recipient to respond.
The money was the lure: The $5,695 amount created interest without sounding completely impossible. It was designed to start the conversation.
The reply was the prize: A response confirms a live mailbox, an engaged person and a potential victim willing to continue the process.
The link told the real story: The tracking parameters suggested the sender cared about attribution, engagement and recipient validation.
What it was not: It was not a normal financial notification. It had no institution name, no account reference and no trusted verification path.
What it actually was: A social engineering message designed to move the target from curiosity to contact, and from contact to trust.
Why it matters: Many scams do not begin with credential theft. They begin by finding out who is willing to talk.

What most environments miss

Security teams often search for attachments and malware. This kind of message is quieter.
Unsubscribe can be a trap: Replying with unsubscribe may confirm that the mailbox is active and monitored by a real person.
Engagement has value: For a scammer, a verified human can be more valuable than thousands of ignored emails.
Tracking links are evidence: URL parameters, redirects and unique identifiers can reveal how the sender measures and profiles interaction.

How defenders can investigate it

The message is simple, but the investigation should still be structured.
Review the sender identity: Compare display name, sender address, reply-to address, authentication results and any mismatch between claimed authority and actual domain.
Expand and inspect links: Look for embedded recipient identifiers, redirectors, campaign IDs, email parameters and unusual script or form endpoints.
Hunt for similar messages: Use email telemetry to find matching subjects, sender addresses, URLs, Telegram handles, body text and repeated tracking patterns.
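
As an added example (not code from the original investigation), the link inspection step can be scripted: the Python below parses a URL's query string and flags the recipient's address, other email addresses, UUID-style identifiers and an Apps Script endpoint. It goes slightly beyond the link shown above by also catching a base64-encoded recipient address; the sample URL, addresses and finding names are constructed placeholders.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed sample: same parameter layout as the link in the article, with a
# placeholder deployment ID, addresses and UID (none are from the real message).
SAMPLE_URL = (
    "https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec"
    "?email=recipient%40example.com"
    "&sender=sender%40example.net"
    "&uid=00000000-1111-2222-3333-444444444444"
)


def _maybe_b64(value):
    """Return value decoded as URL-safe base64 text, or None if it is not."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.urlsafe_b64decode(padded.encode("ascii")).decode("utf-8")
    except ValueError:  # also covers binascii.Error and UnicodeError
        return None


def inspect_link(url, recipient):
    """Return (finding, location) tuples describing tracking signals in url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if host == "script.google.com" and parts.path.startswith("/macros/"):
        findings.append(("apps_script_endpoint", parts.path))
    for name, value in parse_qsl(parts.query):  # values are percent-decoded
        if UUID_RE.match(value):
            findings.append(("unique_id", name))
        elif value.lower() == recipient.lower():
            findings.append(("recipient_in_url", name))
        elif EMAIL_RE.match(value):
            findings.append(("other_email_in_url", name))
        elif (_maybe_b64(value) or "").lower() == recipient.lower():
            findings.append(("recipient_in_url_base64", name))
    return findings


if __name__ == "__main__":
    for finding, where in inspect_link(SAMPLE_URL, "recipient@example.com"):
        print(f"{finding}: {where}")
```

Run it against the URLs extracted from a quarantined copy of the message rather than by clicking the link, since fetching the URL would register the interaction the parameters are there to record.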

The email talked about money.
The link talked about tracking.

Final thought

The first clue was not the promise of money. It was the path the sender wanted the recipient to follow.
At GEMXIT: We help organisations investigate suspicious email, Microsoft Defender XDR telemetry, social engineering patterns and identity compromise risk across Microsoft 365 environments. If you want to understand how this applies to your environment, see our Cyber Security services.
Agent Foskett mindset: Do not only ask what the email promised. Ask who sent it, where it wants the user to go, what the links reveal and what happens after the first reply.

The email claimed an inactive account held $5,695. But the sender used Gmail, the contact path led to Telegram and the tracking link carried recipient-level identifiers.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD

Email Scam Investigation

This Agent Foskett briefing explains how a suspicious email promising $5,695 used social engineering, a Gmail sender, Telegram contact instructions and a tracking link to encourage recipient engagement.

Tracking Links In Phishing Emails

Tracking links can contain email addresses, sender identifiers, unique IDs and campaign values that allow attackers to confirm recipient interaction and prioritise future social engineering attempts.

Social Engineering And Victim Validation

Not every suspicious email immediately steals credentials or delivers malware. Some messages are designed to validate live mailboxes, identify responsive people and move conversations to channels such as Telegram.