Thursday, November 6, 2025

National Bank phishing email with subject Tax Residency Verification - Mandatory Renewal of Form


For the record, this is a National Bank phishing email that has recently been going around, with the subject "Tax Residency Verification — Mandatory Renewal of Form".


What to do?

Report them; go to the bottom of the page.


From: helpdesk@griolk.com
Subject: Tax Residency Verification — Mandatory Renewal of Form




Phishing links:

1. https://nbdb-entryt.com/?token=xxxxxxxxxxxxxxxxxx

How to tell this is a phishing email?

  1. Check the sender's email address in full; if it is not from the originating company, it is phishing.
  2. Hover over the images and all links in the email; if they do not point to the company's website, forget it.

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links: anything that does not originate from the company's domain.
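The same check can be run on a saved message source. This is an added example, not part of the original post: the sample message is constructed around the sender and link quoted above, and `bank.example` is a placeholder for the bank's real domain. The body is quoted-printable, so the link is split across lines in the raw source and only appears whole after decoding.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed message source: sender and link are the ones quoted in this post,
# everything else (display name, HTML, logo URL) is made up for the example.
RAW = """\
From: National Bank <helpdesk@griolk.com>
Subject: Tax Residency Verification - Mandatory Renewal of Form
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<p>Renew your form: <a href=3D"https://nbdb-entr=
yt.com/?token=3Dxxxxxxxxxxxxxxxxxx">Verify</a></p>
<p><img src=3D"https://www.bank.example/logo.png"></p>
"""

EXPECTED_DOMAIN = "bank.example"  # placeholder, not the bank's real domain


def under(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def decoded_text(msg):
    """Decode every text part (quoted-printable/base64) before searching it."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def audit(raw, expected):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    urls = re.findall(r"https?://[^\s\"'<>]+", decoded_text(msg))
    hosts = {urlsplit(u).hostname for u in urls}
    return {
        "sender_domain": sender,
        "sender_matches": under(sender, expected),
        "off_domain_hosts": sorted(h for h in hosts if h and not under(h, expected)),
    }


if __name__ == "__main__":
    print(audit(RAW, EXPECTED_DOMAIN))
```

A plain text search of the raw source for the link's hostname finds nothing here, which is why the parts are decoded first.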


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take further 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Wednesday, November 5, 2025

Windows - How to check svchost.exe outgoing connections to external DNS servers other than my local DNS


How to check svchost.exe connecting to remote addresses effectively. 


I use a tool from NirSoft that makes this easy: LiveTcpUdpWatch (View TCP/UDP network activity of every application on Windows, nirsoft.net).





Process ID Process Name Protocol Local Port Local Address Remote Port Remote Port Name Remote Address Received Bytes Sent Bytes Received Packets Sent Packets Receive Speed Send Speed Connect Time Disconnect Time Accept Time Connections Count Disconnect Count Process Path ASN Remote IP Country Organization Remote IP Remote Host Name
1672 svchost.exe UDP IPv6 5355 ff02::1:3 49911   fe80::d4a5:1562:817:1350 48   2                 C:\Windows\System32\svchost.exe       fe80::d4a5:1562:817:1350  

Let's now examine the remote address fe80::d4a5:1562:817:1350: we right-click on the line and choose



You need IPNetInfo (Retrieve IP Address Information from WHOIS servers, nirsoft.net) installed in the same directory as LiveTcpUdpWatch, for example C:\Program Files (x86)\Nirsoft

The text extracted from the resulting window is below, and we see it connect to IANA for DNS Server.

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2025, American Registry for Internet Numbers, Ltd.
#


NetRange:       FE80:: - FEBF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           FE80::/10
NetName:        IANA-LINK-LOCAL-UNICAST
NetHandle:      NET6-FE80-1
Parent:          ()
NetType:        IANA Special Use
OriginAS:       
Organization:   Internet Assigned Numbers Authority (IANA)
RegDate:        2022-02-26
Updated:        2024-05-24
Comment:        Link-Local Unicast [RFC4291]
Ref:            https://rdap.arin.net/registry/ip/FE80::



OrgName:        Internet Assigned Numbers Authority
OrgId:          IANA
Address:        12025 Waterfront Drive
Address:        Suite 300
City:           Los Angeles
StateProv:      CA
PostalCode:     90292
Country:        US
RegDate:        
Updated:        2024-05-24
Ref:            https://rdap.arin.net/registry/entity/IANA


OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   ICANN
OrgAbusePhone:  +1-310-301-5820 
OrgAbuseEmail:  abuse@iana.org
OrgAbuseRef:    https://rdap.arin.net/registry/entity/IANA-IP-ARIN

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   ICANN
OrgTechPhone:  +1-310-301-5820 
OrgTechEmail:  abuse@iana.org
OrgTechRef:    https://rdap.arin.net/registry/entity/IANA-IP-ARIN



AI Content


What is fe80::d4a5:1562:817:1350?

  • This is a link-local IPv6 address, part of the fe80::/64 range.

  • Link-local addresses are automatically assigned to network interfaces for communication within the same local network segment.

  • They are not routable on the internet and are used for internal purposes like device discovery and service resolution.

Why is svchost.exe connecting to it?

  • svchost.exe hosts many Windows services. In this case, it's likely handling:

    • LLMNR (Link-Local Multicast Name Resolution): Resolves names without DNS.

    • NDP (Neighbor Discovery Protocol): Detects other devices and configures network settings.

    • mDNS or SSDP: Service discovery protocols used by apps and devices.

These protocols use UDP over IPv6 to communicate with nearby devices using link-local addresses like fe80::d4a5:1562:817:1350.

🔐 Is this safe?

  • Yes, this is normal behavior in IPv6-enabled networks.

  • It’s part of how Windows discovers and interacts with other devices (printers, routers, etc.).

  • If you're concerned about privacy or traffic:

    • You can disable unused IPv6 features or the IP Helper service.

    • Use tools like Wireshark or Process Explorer to monitor activity.


IANA server?

The connection to fe80::/64 by svchost.exe on Windows 7 is not to an IANA server—it’s a local link-local IPv6 address used for internal network communication.

Here's a breakdown of what’s happening and why:

What is fe80::/64?

  • fe80::/64 is a reserved IPv6 address range for link-local communication.

  • These addresses are automatically assigned to network interfaces and are only valid within the local network segment.

  • They cannot be routed across the internet and are not associated with IANA servers or any external organization.

Why is svchost.exe connecting to it?

  • svchost.exe is a generic host process that runs Windows services.

  • In this case, it's likely hosting the IP Helper service (iphlpsvc), which supports IPv6 features like:

    • LLMNR (Link-Local Multicast Name Resolution) for name resolution without DNS

    • Neighbor Discovery Protocol (NDP) for detecting other devices on the local network

    • Multicast DNS (mDNS) or other service discovery protocols

These services use UDP over IPv6 to communicate with other devices on the same local network using link-local addresses like fe80::d4a5:1562:817:1350.
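To answer the question in this post's title without looking up each address by hand, the rows can be classified by address scope and port. This is an added example, not part of the original post or of any NirSoft tool: it assumes the view was saved as CSV with the column names shown in the header above, the first row is the one from this post, the other rows are constructed, and `LOCAL_DNS` is an assumed value for the resolver this host should use.

```python
import csv
import io
import ipaddress

# Constructed rows using column names from the header above; the first row is
# the one shown in this post, the others are made up. A CSV export is assumed.
ROWS = """\
Process Name,Protocol,Local Port,Local Address,Remote Port,Remote Address
svchost.exe,UDP IPv6,5355,ff02::1:3,49911,fe80::d4a5:1562:817:1350
svchost.exe,UDP,52011,192.168.1.20,53,192.168.1.1
svchost.exe,UDP,52012,192.168.1.20,53,203.0.113.53
chrome.exe,UDP,52013,192.168.1.20,53,203.0.113.53
"""

LOCAL_DNS = {"192.168.1.1"}  # assumption: the only resolver this host should use
DISCOVERY = {5355: "LLMNR", 5353: "mDNS", 1900: "SSDP"}
DNS_PORTS = {53, 853}


def load(text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(row, local_dns):
    # Drop an IPv6 zone id such as %12 before parsing.
    ip = ipaddress.ip_address(row["Remote Address"].split("%")[0])
    ports = {int(row["Local Port"]), int(row["Remote Port"])}
    # Link-local, multicast and loopback peers never leave the local segment.
    if ip.is_link_local or ip.is_multicast or ip.is_loopback:
        names = [DISCOVERY[p] for p in sorted(ports) if p in DISCOVERY]
        return "on-link " + (names[0] if names else "traffic")
    if int(row["Remote Port"]) in DNS_PORTS:
        return "local DNS" if str(ip) in local_dns else "unexpected DNS"
    return "other"


def unexpected_dns(text, process="svchost.exe", local_dns=LOCAL_DNS):
    """Remote addresses the process used for DNS that are not the local resolver."""
    return [row["Remote Address"] for row in load(text)
            if row["Process Name"].lower() == process
            and classify(row, local_dns) == "unexpected DNS"]


if __name__ == "__main__":
    for row in load(ROWS):
        print(row["Process Name"], row["Remote Address"], classify(row, LOCAL_DNS))
```

The row from this post comes out as on-link LLMNR (local port 5355, link-local peer), so it never reaches the WHOIS step.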