Likely scam — do not engage
Our AI analyst read the message body and judged it likely to be phishing.
MalwareTips analyst · message material
credential_theftThis message uses a suspicious ZIP attachment and shows signs of a compromised social media account or session hijacking.
- The email contains a ZIP archive attachment which is a common vector for delivering malware or credential-harvesting scripts.
- Visual evidence from the conversation shows multiple deleted messages and repeated 'new device' notifications, which are strong indicators of account takeover.
- There is a discrepancy between the sender's display name and the names mentioned in the conversation history, suggesting impersonation or a hijacked thread.
- The sender is using a personal iCloud account to distribute technical files and Facebook-related notifications, which is inconsistent with official platform communications.
Do not open or extract the ZIP attachment as it likely contains malware. Report the associated Facebook account as compromised and delete the email immediately.
Every scoring adjustment, in dominance order. Shows exactly how we got from 100 to the final trust number.
Why this verdict
100 → 30The scorer starts every address at 100 trust and applies each signal below in turn. Negative deltas are penalties (red), positive deltas are bonuses (emerald). Final clamped trust: 30.
- AI analyst flagged 85% phishing likelihood (credential_theft).ai_phishing_detected-43
- Screenshot OCR + visual pass flagged 65/100 phishing risk: The screenshot shows a Facebook Messenger conversation with suspicious activity, including multiple deleted messages and repeated notifications of a new device being added, which can indicate account compromise or a social engineering attempt.screenshot_phishing_visual-20
- Listed on 1 DNSBL: URIBL.dnsbl_listed-15
- Domain publishes strong authentication policy: DMARC p=quarantine · SPF soft-fail.auth_dns_published+9
- AI analyst flagged 40% spam likelihood.ai_spam_detected-6
Display name, domain reputation, and authentication checks for the From address.
Display-name impersonation
NO BRAND CLAIMThe display name doesn't resemble any of the top phished brands we track — this isn't a brand-impersonation attempt.
Brand-lookalike radar
okNo typosquat or homoglyph match against the top 50 phished brands.
Domain age
okwell-known free provider — age check skipped
Signals extracted from the message body, embedded URLs, and uploaded screenshot.
Screenshot vision analysis
VISUAL · 65/100The screenshot shows a Facebook Messenger conversation with suspicious activity, including multiple deleted messages and repeated notifications of a new device being added, which can indicate account compromise or a social engineering attempt.
- multiple deleted messages
- repeated new device notifications
- mismatched names for same contact
MX records, deliverability probe, provider classification, and DNS blocklists.
Deliverability
ok- RFC 5322 syntax valid
- 2 MX records publishedmx01.mail.icloud.commx02.mail.icloud.com
- SMTP probe · unknown — SMTP probe disabled (set SMTP_PROBE_ENABLED=true to enable)
Provider classification
okHosted on the consumer freemail provider icloud. Not a red flag in itself — billions of legitimate users — but do verify identity through other channels for anything sensitive.
DNS blocklists
okListed by 1 of 3 blocklists:
Breach history for this address and the structural identity of the sending domain.
Breach exposure (HIBP)
okHIBP_API_KEY not configured