Not a Phish this time

Last week, I needed to ask my mortgage company a question.   They responded with a Cisco Secure Mail message.  This meant I had to create a Cisco account.  Set up password reset questions.  And eventually I was able to see the message ”

Thank you for your request. We are reviewing your information and will respond as quickly as possible. If we have any questions, we will contact you.

That was a lot of security for a message that essentially says “your call is very important to us, please stay on the line and your call will be answered in the order it was received”.

Additionally, they sent a letter to my home with the same information.

Today, I received an email with subject Regarding Loan Number 325,632,897 (not the actual numbers).  There was nothing in the body of the message.  I did not recognize the sender domain.  There was a PDF attachment.

Other than Gmail allowing it to my inbox, there was every indication this was spam.

I checked out the headers and saw it passed SPF and had a dkim signature.  Turns out the domain is for a company that does technology for mortgage companies.   The file passed virustotal.  It turned out it was a reply from the mortgage company.

Kind of funny that when saying nothing at all, they make me jump through the hoops of Cisco secure mail.   But when sending an actual response it looks like phishing.