#36188 FW: Hunt & Fox PLLP sent you a New Submission & Adjusted Statement/Invoice Data File
Resolved
2 Normal
Created Oct 23, 2025, 7:45 PM
Resolved Oct 31, 2025, 12:10 AM
System (internal)
Oct 23, 2025, 7:45 PM
Check-in (internal)
Oct 23, 2025, 7:45 PM
Hi Peet, I received another hack email, this time from Pat Fox. I wanted to let you know that when I got the original email from Pat, I did click on the attachment but I did not go further once the attachment opened and showed a Sharefile link. I stopped and emailed Pat at that point. I am not sure how I would have been able to determine that this was a hack email; but wanted to give you a heads up in case there is any concern. Thanks, Hannah From: Pat Fox <[email protected]> Sent: Thursday, October 23, 2025 12:20 PM To: Hannah Higgins <[email protected]> Subject: Re: Hunt & Fox PLLP sent you a New Submission & Adjusted Statement/Invoice Data File Hi Hannah - Pls disregard. The account was hacked althought I have confirmed the only thing that occurred was this email. Thanks, Sincerely, Pat Patrick T. Fox Hunt & Fox PLLP 32 S. Ewing, Ste. 308 PO Box 1195 Helena MT 59624 Ph: 406-442-8552 x 102 Fax: 406-495-1660 On Oct 22, 2025, at 2:07 PM, Hannah Higgins <[email protected]> wrote: Hi Pat, I am not sure that this email was meant for me. Can you please confirm? Thanks, Hannah I. Higgins <image001.png> 235 E. Pine, P.O. Box 9440 Missoula, MT 59807-9440 (406) 721-4350 ext. 189 Offices in Missoula and Bozeman, Montana This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return email and delete this communication and destroy all copies. From: Pat Fox <[email protected]> Sent: Wednesday, October 22, 2025 11:50 AM To: Pat Fox <[email protected]> Cc: Pat Fox <[email protected]> Subject: Hunt & Fox PLLP sent you a New Submission & Adjusted Statement/Invoice Data File Good afternoon , Please find the attached for your reference. For security purposes, the document is protected. Access Code is 2025 Should you need any further assistance please don't hesitate to reach out. We are happy to help! Thank you, Sincerely, Pat Patrick T. Fox Hunt & Fox PLLP 32 S. Ewing, Ste. 308 PO Box 1195 Helena MT 59624 Ph: 406-442-8552 x 102 Fax: 406-495-1660
Artichoke Support - Peet (internal)
Oct 23, 2025, 11:55 PM
Hi Hannah, You did the right thing by stopping when the attachment tried to send you elsewhere. Looking at the details, this message follows a textbook credential-harvesting pattern: - You weren’t expecting an invoice from [email protected] — that alone should raise suspicion. - The message was addressed from, to, and cc’d to [email protected], which doesn’t make sense for legitimate correspondence. - The attached file name, Hunt & Fox PLLP.pdf, was overly generic. Real invoices typically include a client name or reference number. - The attachment was “locked” with an access code conveniently included right in the same email — a tactic used to bypass automated attachment scanning, not protect data. - Opening that file redirected to box.com, where a second file called scnned-wed-22-2025.pdf appeared — misspelled, generic, and inconsistent with professional document naming. - That second file linked to a fake Microsoft 365 sign-in page at hxxps://gateway[.]koochoka[.]sa[.]com/JR@oltos18F/, prompting you to “sign in to view the document that was shared with you” and displaying the reference SCN-39405-PDF-00396120. If this were legitimate, you would have been asked to open an encrypted PDF using a password sent in the same message, follow a link inside it to a third-party site, open another vaguely named file, and then sign in again on an unrelated domain — a chain of steps that no real firm would ever require just to share an invoice. You didn’t go far enough for any harm to occur, but this is a good reminder that slowing down to check sender logic, file naming, and link destinations is the best defense. If anything similar shows up again, definitely take advantage of the Report button in Outlook or forward it over as an attachment for a quick look. Thanks.Peet
Ticket Automation (internal)
Oct 31, 2025, 12:10 AM
Automation AutoResolve-Waiting for Customer ran on this ticket. Actions: Change Status to Resolved
| Started | Ended | Hours | Notes |
|---|---|---|---|
| No time entries | |||