← Customer 13160449

#36188 FW: Hunt & Fox PLLP sent you a New Submission & Adjusted Statement/Invoice Data File

Resolved 2 Normal Created Oct 23, 2025, 7:45 PM Resolved Oct 31, 2025, 12:10 AM
System (internal) Oct 23, 2025, 7:45 PM 
Created from Lead: https://artichoke.shield.syncromsp.com/leads/35754538/convert
Check-in (internal) Oct 23, 2025, 7:45 PM 
Hi Peet,

I received another hack email, this time from Pat Fox. I wanted to let you know that when I got the original email from Pat, I did click on the attachment but I did not go further once the attachment opened and showed a Sharefile link. I stopped and emailed Pat at that point.

I am not sure how I would have been able to determine that this was a hack email; but wanted to give you a heads up in case there is any concern.

Thanks,

Hannah

From: Pat Fox <[email protected]>
Sent: Thursday, October 23, 2025 12:20 PM
To: Hannah Higgins <[email protected]>
Subject: Re: Hunt & Fox PLLP sent you a New Submission & Adjusted Statement/Invoice Data File

Hi Hannah - Pls disregard. The account was hacked althought I have confirmed the only thing that occurred was this email. Thanks,

Sincerely,

Pat

Patrick T. Fox
Hunt & Fox PLLP
32 S. Ewing, Ste. 308
PO Box 1195
Helena MT 59624
Ph: 406-442-8552 x 102
Fax: 406-495-1660

On Oct 22, 2025, at 2:07 PM, Hannah Higgins <[email protected]> wrote:

Hi Pat,

I am not sure that this email was meant for me. Can you please confirm?

Thanks,

Hannah I. Higgins

<image001.png>

235 E. Pine, P.O. Box 9440

Missoula, MT 59807-9440

(406) 721-4350 ext. 189

Offices in Missoula and Bozeman, Montana

This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return email and delete this communication and destroy all copies.

From: Pat Fox <[email protected]>
Sent: Wednesday, October 22, 2025 11:50 AM
To: Pat Fox <[email protected]>
Cc: Pat Fox <[email protected]>
Subject: Hunt & Fox PLLP sent you a New Submission & Adjusted Statement/Invoice Data File

Good afternoon ,

Please find the attached for your reference. For security purposes, the document is protected.

Access Code is 2025

Should you need any further assistance please don't hesitate to reach out. We are happy to help!

Thank you,

Sincerely,

Pat

Patrick T. Fox
Hunt & Fox PLLP
32 S. Ewing, Ste. 308
PO Box 1195
Helena MT 59624
Ph: 406-442-8552 x 102
Fax: 406-495-1660
Artichoke Support - Peet (internal) Oct 23, 2025, 11:55 PM 
Hi Hannah,

You did the right thing by stopping when the attachment tried to send you elsewhere. Looking at the details, this message follows a textbook credential-harvesting pattern:

-
You weren’t expecting an invoice from [email protected] — that alone should raise suspicion.

-
The message was addressed from, to, and cc’d to [email protected], which doesn’t make sense for legitimate correspondence.

-
The attached file name, Hunt & Fox PLLP.pdf, was overly generic. Real invoices typically include a client name or reference number.

-
The attachment was “locked” with an access code conveniently included right in the same email — a tactic used to bypass automated attachment scanning, not protect data.

-
Opening that file redirected to box.com, where a second file called scnned-wed-22-2025.pdf appeared — misspelled, generic, and inconsistent with professional document naming.

-
That second file linked to a fake Microsoft 365 sign-in page at hxxps://gateway[.]koochoka[.]sa[.]com/JR@oltos18F/, prompting you to “sign in to view the document that was shared with you” and displaying the reference SCN-39405-PDF-00396120.

If this were legitimate, you would have been asked to open an encrypted PDF using a password sent in the same message, follow a link inside it to a third-party site, open another vaguely named file, and then sign in again on an unrelated domain — a chain of steps that no real firm would ever require just to share an invoice.

You didn’t go far enough for any harm to occur, but this is a good reminder that slowing down to check sender logic, file naming, and link destinations is the best defense. If anything similar shows up again, definitely take advantage of the Report button in Outlook or forward it over as an attachment for a quick look.
Thanks.Peet
Ticket Automation (internal) Oct 31, 2025, 12:10 AM 
Automation AutoResolve-Waiting for Customer ran on this ticket. Actions: Change Status to Resolved