Step 4: Reveal the Sender's Website Address

The purpose of this document is to show how to mouse over buttons in the body of an email to reveal the name of the sender’s website, which is typically present in spams and phishes. In this phish, the button is Keep the same password.

Why is the sender’s website name useful?
By comparing the purported sender’s name, email address and website name, you’ll be able to see how consistent they are. If inconsistent, the email is suspicious.

The purported sender in our sample email is Server Administrator, presumably the administrator at olympus.net where Jane Doe has her email. The sender is asking janedoe@olympus.net to continue with (her) current password by clicking on the Keep the same password button.

When the Keep the same password button is clicked, the recipient will go to the sender’s website, which will ask for the recipient’s email password.
Server Administrator

To reveal the button’s website address, mouse over the Keep the same password button. You may need to click the downward facing arrow. Several seconds later, the sender’s website address will appear. The website server address ends with the first / after https://. The phisher’s website address is hdrive143320860165.blob.core.windows.net/. The remainder of the address is used by the phisher to identify the recipient’s email address, janedoe@olympus.net.

The sender’s purported email address info@artsfarmwine.com and the button’s website address, windows.net, bear no resemblance to olympus.net. Those inconsistencies tell us that the email is a phish.

Introduction To Who Sent This Email?
Step 1: Spot Spam and Phishes By Appearance and Tone
Step 2: Look for Red Flags
Step 3: Reveal the Sender’s Email Address