ID 2093: Email reported by user as malware or phish involving one user
Email reported by user as malware or phishing| alex.peprah@manytek.org | Malicious Email from IP Hong Kong| Malicious URL| QR code attachment | Block sender and delete email
Summary:
On May 30, 2026 10:22 AM MSOC Team received an alert titled “Email reported by user as malware or phish involving one user”. the alert was triggered because the user Alex Peprah received suspicious email from The sender “security-alert@rnicrosoft.com” IP address “114.29.236.247” Located in Hong Kong.
Domain has been reported as malicious by OSINT Tools. All 3 Authentication failed DMARC Compliant (No DMARC Record Found), SPF Authenticated, DKIM Authenticated. dynamic analysis showed that the 1st URL leads to a page that is not found. 2nd URL takes you to a regular Copilot page to personalize the feed. The QR code attachment Scan leads to the 2nd URL page which is not malicious.
5Ws
who: Alex Peprah
what: This alert is triggered when email from ecurity-alert@rnicrosoft.com is reported as malware or phish by users(Alex Peprah)
where : 2 Mailboxes
when: May 30, 2026 10:22 AM
why: phishing email can compromise users’ credentials which could lead to a further damage causing the whole network system to suffer.
User Information:
Name: Alex Peprah
Job Title: Training Director
Department: Education & Workforce Development
Manager: EMMANUEL DAMPTEY
Email Information:
Senders Email address: security-alert@rnicrosoft.com
IP address: 114.29.236.247
Subject: Action Required: Office 365 Security Alert
Return path: security-alert@rnicrosoft.com
Email reported: May 30, 2026 2:22 PM
IP Information: 114.29.236.247
Organization (ISP): cloudwebmanage platform
ASN: 64022
Hostname(s): emkei.cz
Domain Name: cloudwm.com
Country/Region: aberdeen, hong kong
Carrier: kamatera inc.
This was reported 5 times. confidence of abuse is 0%
MITRE ATT&CK:
Category: Threat management
Techniques: T1566
Detection source: MDO
Service source: Office 365
Action/Recommendation:
Please verify with the user if they clicked on any link from the email. If yes, please reply immediately to us to find out what happened when the link was clicked so we can further investigate the damage. if the user didn’t then, it is recommended to block the sender and deleted the email from the inbox.
OSINT Reference:
IP:
VirusTotal: 2/91 security vendors flagged this IP address as malicious/Phishing
https://www.virustotal.com/gui/ip-address/114.29.236.247
AbuseIPDB: This IP was reported 5 times. Confidence of Abuse is 0%
https://www.abuseipdb.com/check/114.29.236.247
Domain
17/91 security vendors flagged this domain as malicious
https://www.virustotal.com/gui/domain/rnicrosoft.com
Header
https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=48efb9ec-6c1a-4d47-b53e-7c178f386a6e
URL
https://quik-apps.com.co/ref
No security vendors flagged this URL as malicious
https://www.virustotal.com/gui/url/98db72fa6f9a47e5f1213c6149588c501078fd70e3c4a5149fc49e9150da3776
https://www.google.com/url?q=amp/apis.google.com%252Fadditnow%252Fl%253FapplicationId%253D1%2526__ls%253Dogb%2526__lu%253Dhttps%253A%252F%252Fmilkujeans.com.py/redirect=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJjYW1wYWlnbklkIjoiNWFiYmY2MjQtOTc3ZC0xMWVmLWJhZWItMjk2ZWI2NWZmZDY2IiwiZW1haW-oner2/%253Femail%253DYW5uaWtraS5kZWxhY2V5QGNvbG1hcmJydW50b24uY28ubno=
No security vendors flagged this URL as malicious
https://www.virustotal.com/gui/url/e298e40513ebf34756259e2fd31b24e50f72cc4cb84c04f90e9ab787bdf9614e