Fake phishing email from Avast targeting yahoo.com domain

[REDACTED]

There is a spear phisher posing as Avast.com and sending billing emails using the data extracted from the Yahoo.com breaches. I moved all my critical accounts off yahoo last month, and was also alerted to the addition of a billing password inside the email. How suspicious. 

The email contains links

• images.telechargement.fr
• post.spmailtechno.com

and


What was a real doozie, is the phisher uses a DKIM cert authenticating them to the spmailtechno.com domain. And, Avast will see NO virus in the email. From the header:

X-Antivirus: Avast (VPS 17021100)
X-Antivirus-Status: Clean
X-Apparently-To: ********@yahoo.com; Sat, 11 Feb 2017 10:07:41 +0000
Return-Path: <msprvs1=17215CskhSGcw=bounces-39885@spmailtechno.com>
Received-SPF: pass (domain of spmailtechno.com designates 35.163.132.52 as permitted sender)
X-YMailISG: i6Qe6wEWLDvdyJSIpLuI6fVeDytvzEjFIMBQ8UqXg11dMlPg
 bYS9WFG4SLrrcdwV4KuBt8qyeHYaQQJynfvXI1QWBtJ9oi692xkEHfCm6o6x
 lqay6S_mZw6xSw49JMiX5UUnCGyu7dnsQBXXcUqFO6V.yC5vQiLkDL4gtmf7
 69fee_hHMyCXtRa7dK1.AMC3qHRnBQhPgO1CJ3S2vvGDhFcw6st26IjSpU6D
 5_1Ahsdxgiv3F8_W3hnfOfQ1KlJuBub3kOUHEhVwKXpiqGcg3vQobaSg7MdS
 kpeyfzdofeD0vhvD7Rq4h78DMeNJqSa6HnYsJd.RBTK9K5Zj8WhpO_4nonVR
 jHg5gcU4zKmgtCFBhcuqP7wHHAdcYUklcyrJS1UmsnTulK_1nnLkX12FXxws
 cJjDOTZizH12kVgUFx70JuCZNnckTPXsY55MfDlf.VDjBEKLYUeUOxA8rQEe
 w2DkB6U5jwmFHZETCgddjcPkzpjuAgLPfE_Kie4iP.XyMHt_nwtlkZ6N3Yi_
 DZdvRW2mjs1EFZ71_XEarNErJAln.FbpADKxXkYpuB1XMfsNbyEkbaFeuEYU
 DLBKMrUIuXfNVK9VJaEWsm7G0LManhQuowqEMaNW4KK6QWilPqh00vpn4lk_
 j2y7O0CDEBqfI8ifgxZ37Co9PXiuSOm0IK1X4CF_BdIsIOqtFfTpViGGppkV
 EblofZ0nvkj.BOiInZifxudEyz1ekTCrm2r64QTBMtRtEP.cHATROrvWiKqp
 gmcCDypYLa9Zz2oAvtXEiiGBMWGBocGvJdgOkoZZ7bG7E7SXlFsYgRo9.HXa
 zMUw_pE3qvphW4ian8V6gvEMvRfpG8wB3yaEa0.ROwlIXyIBtwBz0xWHVFB2
 9GR14kd5lQcJbpqFoac5frBOsSwYZLSnhxTUDyF5FTxezBKBA0IC4rl33iYV
 lJ1biLLfGL0Yc9wfTuxJzUnkK_hwddvYRk6yKSSlCr33okNEBb7JFzHwtRzy
 soHWiqBq4PjqhyvewfZMzFu1p1dTWhdEAdw_VgdfZAqX3F8n0HSdVdvf1qkf
 QMQ11oYbVHDU8L4fP6NhUCGqazVeUuaHQxrhKsa90rWLk1wESYraV6fetWHg
 1ZD.QtPzH7gDbrgMcJcW7MCfLHV6Koh8pOsLpQXxTHg4QbLo7SWo73L5EQoA
 t7MnzvIJnyTbQzLx7x7n47DPthWfjB7Cg4LFXtOzZpuvsCHjn2WdWMrsDBf9
 k0MjKglgpmBSglgaMMXi7JzpMW3NZvVc3oE_PNyi5.nNPRmZTwptIhYXjkFo
 wbgGIlcxZzUmFG_UU3d52oH7tFl3INlV74Pce2v4fyJEJ.XLKhO1boy._kD5
 o2JnZazq6S9JX6Lmwq0L_dJSRJgFu0kTw26s2NcPMvRIygvI4ry1GR7.tHoZ
 4uBilIm1S4gluQLtp86J4NMgBpaoOwf3vl2FoexJsdicOiWWY9NDWwEMap5d
 E6Z9hQ5qLuC6NYIpq5V3iqNETWxQ1Fouin3dD1LlsJKZy_OcNSRMC0AJ1EYS
 itedrCcowZYtbVW8KL5RpjIT1yg1zVOCvqgCNIAW01rsJA3OAaqxF9v.7iPk
 qtDb3Yrmq5oLGkGsb_yjJF3EcXOXbwQ7H9Uxuzj389h60kanHyG8X3yJB3Wv
 fZp3D.LB77Wy7.HpwkYXDg0s
X-Originating-IP: [35.163.132.52]
Authentication-Results: mta1234.mail.bf1.yahoo.com  from=avast.com; domainkeys=neutral (no sig);  from=spmailtechno.com; dkim=pass (ok)
Received: from 127.0.0.1  (EHLO mta210.spmta.com) (35.163.132.52)
  by mta1234.mail.bf1.yahoo.com with SMTPS; Sat, 11 Feb 2017 10:07:41 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=avast.com;
   s=scph0416; t=1486807660; i=@avast.com;
   bh=qQPrQqspYrR4c15VCr7Eef30LPplm8D5NLIvwdqRBhM=;
   h=To:Date:Subject:From;
   b=awwRR208dYylA0lkznSIIlOImWX2VZkVy4aZRxZ+MNkkzd+68HhlYUco2Y+RUbCOQ
    OGqfP3mUWrNkbCy/t7FDQX2LWyEgN5mTxuMlfpo7mGVuGEPpGDBQzb8ifnntzNbmkc
    2G3Pt+LOPH8Z0MrP2pM/EdA3TdvsjyJcox/6sgrg=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spmailtechno.com;
   s=ssp0516; t=1486807660; i=@spmailtechno.com;
   bh=qQPrQqspYrR4c15VCr7Eef30LPplm8D5NLIvwdqRBhM=;
   h=To:Date:Subject:From;
   b=TMrP6lQu6FV710Pc2s1eWoMHMLReeVS1wtiUPJQ0IcVv9/8JFYEXCecJ1ORSKgR7J
    uH9mMWdlEFhM2XF/cFzjsVcehkDaox8SNc3jAKJAZazI2ENCGxWj6tj0lzQkTKZA4m
    Tnt87LX/PgLjtk3/7Jo5CsZjxHcyCdrRVdjeb50E=
X-MSFBL: XPhzmjljscjKxCoTtEVJAVUEsAcv7dCGDWlyzRhwY18=|eyJmcmllbmRseV9mcm9
   tIjoibm9yZXBseUBhdmFzdC5jb20iLCJpcF9wb29sX3JhdyI6ImdlbmVyYWxfMSI
   sInNlbmRpbmdfaXAiOiIzNS4xNjMuMTMyLjUyIiwic3ViYWNjb3VudF9pZCI6IjA
   iLCJpcF9wb29sIjoic2hhcmVkIiwiZyI6ImJnX2dlbmVyYWxfMSIsInRlbXBsYXR
   lX3ZlcnNpb24iOiIwIiwiY3VzdG9tZXJfaWQiOiIzOTg4NSIsInRlbmFudF9pZCI
   6InNwYyIsInJjcHRfbWV0YSI6eyAiWC1BcGltYWlsLVRhZ3MiOiAiU1VCLUNPUkU
   tSUQtMzg1MzczNSxTVUItRVhUSUQtMzg1NjYxOCxDVVNUT01FUi1JRC0xNDQwMDk
   3OCxNQUlMLUVWRU5ULVRZUEUtUEFZTUVOVEZBSUxVUkUsU1VCLVNFUlZFUi1BVkF
   TVElQU19BVUQsU1VCLURFTFRBLTgsU1VCLU1PREVMLUFWQVNUX0FCT18xWSxTVUI
   tR0VORVJBVElPTi0wIiB9LCJ0ZW1wbGF0ZV9pZCI6InRlbXBsYXRlXzEyMDU1ODM
   xMTA1MzU0NDk3NCIsIm1lc3NhZ2VfaWQiOiIwMDA2NmNlMjllNTg2MThhMDI5MCI
   sInRyYW5zbWlzc2lvbl9pZCI6IjEyMDU1ODMxMTA1MzU0NDk3NCIsInRyYW5zYWN
   0aW9uYWwiOiIxIiwiciI6InNoYXVuYW1jZ2VlMjAwMEB5YWhvby5jb20iLCJiIjo
   iaXBfMzUuMTYzLjEzMi41MiIsInJjcHRfdGFncyI6WyBdfQ==
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"

[DavidR]

I have reported this to try and get some avast input on it.

[HonzaZ]

Could you post the email body? Both the links are now dead and contain no phishing.

[REDACTED]

This one is still out there.  I just got a message similar to the OP on 29 July.