#Scam email - What's it trying to do?

42 messages · Page 1 of 1 (latest)

real temple
#

Hi there,
I just got a scam email which had 2 parts, the scam (energy company bs), but hidden in the email (only visible in raw view or searches), it has the following:

<p>Hello,</p>
<p>Somebody just used this email address to sign up at Cloudflare.</p>
<p>If this was you, verify your email by clicking on the link below: https://dash.cloudflare.com/email-verification?token=7JxHtx...eY0M If this was not you, any other Cloudflare accounts you may own, and your internet properties are not at risk.</p>
<p>You can remove this account by clicking on the link below.</p>
<p>https://dash.cloudflare.com/unintended-registration Token: aa...2b9 Thanks, The Cloudflare Team</p>

Obviously hiding the tokens, but what's happening here? Is this just to make Gmail think the email isn't a scam? Is someone actually trying to log in?
Any info about what these links could do (because there's no way in hell I'm clicking them) would be great!

echo zephyr
#

Is this just to make Gmail think the email isn't a scam? Is someone actually trying to log in?
I can't answer this part for you with the limited information; I'd think it would only truly be a legit login if it came from @ cloudflare.com and had fully valid SPF and DKIM signing though.

Any info about what these links could do (because there's no way in hell I'm clicking them) would be great!
assuming the tokens are even valid (which is possibly a reach):

  • the first one verifies an account registered to whatever email the token was sent to. This one you do not want to click if it's legit, because it will give someone a verified account with what could be your email
  • the second one is used for when someone registers an account on your email without consent and, again assuming the token is even valid, deletes the account that was created. This one, assuming the token is valid and the link actually leads to its intended destination (check for sneaky unicode characters in the domain, etc.), is safe to click
real temple
#

The thing is that like, the cloudflare part is hidden below other stuff

#

the email looks like that (which like, clearly a scam)

#

I find it so weird that they've given an email with dangerous cloudflare links, but they never render

real temple
#

That makes sense, I'm definitely not going anywhere near them links lol

real temple
#

that's fair

echo zephyr
# real temple I find it so weird that they've given an email with dangerous cloudflare links, ...

the way you screenshotted it though makes me realise why

so there are a few different ways different email clients can interpret an email, either as html or as plain text, these are denoted by the "Part" and "content-type" sections there.

if an email client is html-compatible (most are), it will display the email as the fancy html that you saw.
if it supports text only, it will instead display the cloudflare verification links. Maybe it's two traps bundled into one, or maybe the bad actor has no idea what they're doing, who knows

#

oh actually, never mind, that's text/html also

#

but the point stands that they are two separate parts and it depends on how the email client interprets it; maybe check the content-type of the other

real temple
#

interesting

#

I do find it weird that Apple's mail app lets you search for "cloudflare" and it comes up, but won't render it in the email

echo zephyr
#

yeah that is weird

#

maybe there's css to hide it

real temple
#

Actually same in the gmail website

real temple
#

although it's outside of the whole <html>, so maybe that's weird

echo zephyr
#

it's in a separate email part entirely

#

but yeah, weird

real temple
#

But they've gone straight for <p> not <html>

echo zephyr
#

indeed

#

I don't think there's a great deal of insight you can surmise from this alone, but I would guess it's trying to take advantage of some types of mail clients

real temple
#

Fair

#

I mean I cURL'd the links from the first part (not cloudflare), and it has a fake "send message" form, loads of placeholder text, and script tags I don't trust

#

Anyway yeah, I was interested what they were trying to achieve and how dangerous them links were, so thank you!

echo zephyr
#

hard to tell the overall goal sadly

real temple
#

but it does include this:

```
------=_Part_naJAsxHz_021975899757836419.IlJQGkaYdTqg
Content-Type: multipart/parallel; boundary="_9bee47b7-fc01-4dcf-a4ea-98271700f497_"

--_9bee47b7-fc01-4dcf-a4ea-98271700f497_
Content-Type: multipart/alternative; boundary="_6141f463-c090-4c07-9f5d-8aa656b2f260_"

--_6141f463-c090-4c07-9f5d-8aa656b2f260_
Content-Type: text/plain; charset=utf-8
```
(EA > Solar > Cloudflare)
echo zephyr
#

it could still even be possible it's what you theorised, trying to avoid spam detection by posing as legit emails

#

lol

#

which one is text/plain

real temple
#

cloudflare

echo zephyr
#

ah

#

so it was what i originally thought then, clients not supporting html will show the cloudflare links
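Added example (not from the thread or either poster): a small Python check that parses a constructed multipart/alternative message and flags when its text/plain and text/html alternatives link to different hosts, the structure the thread describes. The sample message, the `example.invalid` hosts and the token value are placeholders.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample (not the poster's actual email): a multipart/alternative
# whose text/plain and text/html parts carry different links, as in the thread.
RAW_EMAIL = """\
From: noreply@example.invalid
To: victim@example.invalid
Subject: Your energy statement
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="alt1"

--alt1
Content-Type: text/plain; charset=utf-8

Somebody just used this email address to sign up at Cloudflare.
https://dash.cloudflare.com/email-verification?token=TOKEN_PLACEHOLDER
https://dash.cloudflare.com/unintended-registration

--alt1
Content-Type: text/html; charset=utf-8

<p>Your energy bill is ready.</p>
<p><a href="https://solar-offer.example.invalid/claim">View statement</a></p>
--alt1--
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def hosts_by_content_type(raw):
    """Map each text/* part's content type to the set of URL hostnames in it."""
    msg = message_from_string(raw, policy=policy.default)
    found = {}
    for part in msg.walk():  # walk() visits every MIME part, nested ones included
        if part.get_content_maintype() != "text":
            continue
        hosts = {urlparse(u).hostname for u in URL_RE.findall(part.get_content())}
        found.setdefault(part.get_content_type(), set()).update(hosts)
    return found


def alternatives_disagree(raw):
    """True when the plain and HTML alternatives link to different hosts.
    Legitimate alternatives render one message two ways, so a mismatch
    is a triage signal worth a closer look, not proof of abuse."""
    found = hosts_by_content_type(raw)
    plain, html = found.get("text/plain", set()), found.get("text/html", set())
    return bool(plain and html) and plain != html
```

Run against a real message by passing its raw source (the "show original" view) as the string; a mismatch is a reason to inspect the part each client actually rendered, not a verdict on its own.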

real temple
#

so they list it in 2 different types?

echo zephyr
#

and maybe some spam detections only run on the text part or something, idk

real temple
#

true, yeah

#

also should I open the unintended registration one?