Artifact 1

ID 2093: Email reported by user as malware or phish involving one user

Email reported by user as malware or phishing| alex.peprah@manytek.org | Malicious Email from IP Hong Kong| Malicious URL| QR code attachment | Block sender and delete email

Summary:

On May 30, 2026 10:22 AM MSOC Team received an alert titled “Email reported by user as malware or phish involving one user”. the alert was triggered because the user Alex Peprah received suspicious email from The sender “security-alert@rnicrosoft.com” IP address “114.29.236.247” Located in Hong Kong.

Domain has been reported as malicious by OSINT Tools. All 3 Authentication failed DMARC Compliant (No DMARC Record Found), SPF Authenticated, DKIM Authenticated. dynamic analysis showed that the 1st URL leads to a page that is not found. 2nd URL takes you to a regular Copilot page to personalize the feed. The QR code attachment Scan leads to the 2nd URL page which is not malicious.

5Ws

who: Alex Peprah
what: This alert is triggered when email from ecurity-alert@rnicrosoft.com is reported as malware or phish by users(Alex Peprah)
where : 2 Mailboxes
when: May 30, 2026 10:22 AM
why: phishing email can compromise users’ credentials which could lead to a further damage causing the whole network system to suffer.

User Information:
Name: Alex Peprah
Job Title: Training Director
Department: Education & Workforce Development
Manager: EMMANUEL DAMPTEY

Email Information:
Senders Email address: security-alert@rnicrosoft.com
IP address: 114.29.236.247
Subject: Action Required: Office 365 Security Alert
Return path: security-alert@rnicrosoft.com
Email reported: May 30, 2026 2:22 PM

IP Information: 114.29.236.247
Organization (ISP): cloudwebmanage platform
ASN: 64022
Hostname(s): emkei.cz
Domain Name: cloudwm.com
Country/Region: aberdeen, hong kong
Carrier: kamatera inc.
This was reported 5 times. confidence of abuse is 0%

MITRE ATT&CK:

Category: Threat management
Techniques: T1566
Detection source: MDO
Service source: Office 365

Action/Recommendation:

Please verify with the user if they clicked on any link from the email. If yes, please reply immediately to us to find out what happened when the link was clicked so we can further investigate the damage. if the user didn’t then, it is recommended to block the sender and deleted the email from the inbox.

OSINT Reference:

IP:
VirusTotal: 2/91 security vendors flagged this IP address as malicious/Phishing
https://www.virustotal.com/gui/ip-address/114.29.236.247

AbuseIPDB: This IP was reported 5 times. Confidence of Abuse is 0%
https://www.abuseipdb.com/check/114.29.236.247

Domain
17/91 security vendors flagged this domain as malicious
https://www.virustotal.com/gui/domain/rnicrosoft.com

Header
https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=48efb9ec-6c1a-4d47-b53e-7c178f386a6e

URL
https://quik-apps.com.co/ref
No security vendors flagged this URL as malicious
https://www.virustotal.com/gui/url/98db72fa6f9a47e5f1213c6149588c501078fd70e3c4a5149fc49e9150da3776

https://www.google.com/url?q=amp/apis.google.com%252Fadditnow%252Fl%253FapplicationId%253D1%2526__ls%253Dogb%2526__lu%253Dhttps%253A%252F%252Fmilkujeans.com.py/redirect=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJjYW1wYWlnbklkIjoiNWFiYmY2MjQtOTc3ZC0xMWVmLWJhZWItMjk2ZWI2NWZmZDY2IiwiZW1haW-oner2/%253Femail%253DYW5uaWtraS5kZWxhY2V5QGNvbG1hcmJydW50b24uY28ubno=

No security vendors flagged this URL as malicious
https://www.virustotal.com/gui/url/e298e40513ebf34756259e2fd31b24e50f72cc4cb84c04f90e9ab787bdf9614e