6

A user clicked on the link of this email and entered their credentials, thinking the message was legitimate. However, the link didn't redirect to the fake site, and instead their mail client sent them to the link as it was displayed (the real mail server's web portal).

What is this (from the raw email)? X-CU-modified: FAKECU Text https: //mail.dept.example.com/ to https: //gradingzimbra.000webhostapp.com/

And which type of mail clients would actually go to the fake website?

The message appears to be duplicated in HTML, but didn't seem to render in the user's Apple mail, or in my Google Apps mail when the original email was forwarded to me.

I'm not sure why it didn't go to spam for the user, and I don't want to send out an unnecessary warning if this attack is not actually effective. Is it?

Original Message

Message ID  <22037855.28441569517194413.JavaMail.root@mail.metrocat.com>
Created at: Thu, Sep 26, 2019 at 12:59 PM (Delivered after 7 seconds)
From:   "Admin@dept.example.com" <thanadet.kupv@metrocat.com> Using Zimbra 6.0.0_RC1_1684.RHEL5 (zclient/6.0.0_RC1_1684.RHEL5)
To: 
Subject:    FOR ALL USER !!
SPF:    NEUTRAL with IP 128.b.c.d


Delivered-To: louis@example.com
Received: by 2002:a02:a119:0:0:0:0:0 with SMTP id f25csp2412359jag;
        Thu, 26 Sep 2019 10:00:02 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzfEjcMNIfl22lzB/LJ5Fh5yGrFWMGw9MPMkzUFnZnVmFTP+kqrft7Vmfd6VduO6bJHSXb/
X-Received: by 2002:a37:a544:: with SMTP id o65mr4262426qke.422.1569517202451;
        Thu, 26 Sep 2019 10:00:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1569517202; cv=none;
        d=google.com; s=arc-20160816;
        b=In55GzFNV3oDe+r4J7H4DRMa13eVGkjJrAf4J6UOxr7GyOvR299PuAI+L0t29DQkR
         Jy7+wQNHh0LOJUwm1ilNJisGyTu9F2ZYO4Zz+N74Y4VTa7nR2kzRaL9Gj2aZPrzl7AK8
         m6ck9kvqTdrtBzf1vkaJdOfbOWKzPkZPYyH3Cx0buS8pzMaBqgF+Qlo2vEu4SuY0vfTi
         JMnhk0xxbgsm9TYxrqsM+68QQNRfrIE89nUni7aWF8RFSzIXYHX9/+ikjfYYmlguHcu3
         ljUnMyz2rPWabkUdvm8EEZs7JL4y4jrKXQGGo4iRts48CWrWy6mJ/FCr28Z1E2JfwkWE
         qnLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:mime-version:subject:message-id:reply-to:from:date;
        bh=0C1ERzO2hJ1GD5BjS+y2OCbaEwwYX8Typ8cL6/mkJwA=;
        b=kEBII9kQXej2zV9T4NIvZqT3DXkSOngnV65ud7Mg/Fu3zIL+6ztbptLl/gcmMt+Zlu
         VHaTkRSRs3/0heij/rMMXrWqXStwqwYadLbGMdSdM8c6TXqkTX9S12P6XzCQ0HJ+HSpn
         yQ/H+klxw6vXt2EpYPRW7gBkhQMAuixOefS1y5zSvu3FxWGnuij97txDy5D4qCwQkTM
         AyHaCKPD8TiCYCf4V9Qxt3wNPAyxZSshOVRMR7BqdAZWpN0cmzEf60xu4OlShuiHmZ23
         X88XHhBYkgxViHw3dfTxVJLADiLJIjJDCQ5yhgq+Ffvp+uKSl7ZAyLta0aa6rVIjHk4B
         n8GA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 128.b.f.e is neither permitted nor denied by domain of thanadet.kupv@metrocat.com) smtp.mailfrom=thanadet.kupv@metrocat.com
Return-Path: <thanadet.kupv@metrocat.com>
Received: from inprodmail06.cc.example.com (inprodmail06.cc.example.com. [128.b.c.d])
        by mx.google.com with ESMTPS id l8si2249383qkj.114.2019.09.26.10.00.00
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 26 Sep 2019 10:00:01 -0700 (PDT)
Received-SPF: neutral (google.com: 128.b.f.g is neither permitted nor denied by domain of thanadet.kupv@metrocat.com) client-ip=128.b.f.g;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 128.b.f.g is neither permitted nor denied by domain of thanadet.kupv@metrocat.com) smtp.mailfrom=thanadet.kupv@metrocat.com
Received: from dept.example.com (paradox.dept.example.com [128.b.f.g]) by inprodmail06.cc.example.com (8.14.4/8.14.4) with ESMTP id x8QGxw1i010520 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 26 Sep 2019 12:59:58 -0400
Received: from localhost (localhost [127.0.0.1]) by dept.example.com (Postfix) with ESMTP id 79621401790; Thu, 26 Sep 2019 12:59:47 -0400 (EDT)
X-Virus-Scanned: amavisd-new at dept.example.com
Received: from dept.example.com ([127.0.0.1]) by localhost (dept.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RDcz4Gx9SWav; Thu, 26 Sep 2019 12:59:46 -0400 (EDT)
Received: from mail.metrocat.com (mail.metrocat.com [203.130.129.172]) by dept.example.com (Postfix) with ESMTP id 958BB40178F; Thu, 26 Sep 2019 12:59:45 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.metrocat.com (Postfix) with ESMTP id 2D3821E805E; Thu, 26 Sep 2019 23:59:55 +0700 (ICT)
X-Virus-Scanned: amavisd-new at metrocat.com
Received: from mail.metrocat.com ([127.0.0.1]) by localhost (mail.metrocat.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x2nHz3R7dvL1; Thu, 26 Sep 2019 23:59:54 +0700 (ICT)
Received: from mail.metrocat.com (mail.metrocat.com [203.130.129.172]) by mail.metrocat.com (Postfix) with ESMTP id 832671D8015; Thu, 26 Sep 2019 23:59:54 +0700 (ICT)
Date: Thu, 26 Sep 2019 23:59:54 +0700 (ICT)
From: "Admin@dept.example.com" <thanadet.kupv@metrocat.com>
Reply-To: "Admin@dept.example.com" <noreply@dept.example.com>
Message-ID: <22037855.28441569517194413.JavaMail.root@mail.metrocat.com>
Subject: FOR ALL USER !!
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_2519_3754648.1569517194412"
X-Originating-IP: [105.112.96.85]
X-Mailer: Zimbra 6.0.0_RC1_1684.RHEL5 (zclient/6.0.0_RC1_1684.RHEL5)
To: undisclosed-recipients:;
X-CU-modified: FAKECU Text https: //mail.dept.example.com/ to https: //gradingzimbra.000webhostapp.com/
X-Spam-Score: 3.502 (***) CU_PHISH_42 CU_SUBJECT_BANGBANG HTML_MESSAGE HTTPS_HTTP_MISMATCH KHOP_HELO_FCRDNS SUBJ_ALL_CAPS TVD_PH_BODY_ACCOUNTS_PRE CU_SPF_neutral
X-Scanned-By: MIMEDefang 2.84 on 128.b.c.d

------=_Part_2519_3754648.1569517194412
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

    Zimbra Mail Support your account has been
successfully updated to the latest version of Zimbra mail server with 2G 8.0.8
additional space on the web. You can now access the latest 8.0.8 version of the
Zimbra email by clicking on the links below protected administrator, sign in
with your username and password to access the latest version 8.0.8 of the
software code open Zimbra server email server and client devices to messaging
and collaboration faster.

https://mail.dept.example.com/

Greetings,

Tim Zimbra Webmail.
------=_Part_2519_3754648.1569517194412
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html><head><style> body {height: 100%; color:#000000; font-size:12pt; font-family:Times New Roman,helvetica,clean,sans-serif;}</style></head><body><p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:
normal;background:white"><span style="font-size:12.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;
mso-fareast-font-family:&quot;Times New Roman&quot;;color:#222222"><span style="mso-spacerun:yes">&nbsp;&nbsp;&nbsp; </span>Zimbra Mail Support your account has been
successfully updated to the latest version of Zimbra mail server with 2G 8.0.8
additional space on the web. You can now access the latest 8.0.8 version of the
Zimbra email by clicking on the links below protected administrator, sign in
with your username and password to access the latest version 8.0.8 of the
software code open Zimbra server email server and client devices to messaging
and collaboration faster.<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:
normal;background:white"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;
color:#0070C0"><!-- <a href="https://gradingzimbra.000webhostapp.com/"> --><span style="color:#0070C0">https://mail.dept.example.com/</span><!-- </a> --></span><span style="font-size:12.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;mso-fareast-font-family:
&quot;Times New Roman&quot;;color:#222222"><o:p></o:p></span></p>

<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:
normal;background:white"><span style="font-size:12.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;
mso-fareast-font-family:&quot;Times New Roman&quot;;color:#222222">Greetings,<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:
normal;background:white"><span style="font-size:12.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;
mso-fareast-font-family:&quot;Times New Roman&quot;;color:#222222">Tim Zimbra Webmail.<o:p></o:p></span></p></body></html>
------=_Part_2519_3754648.1569517194412--
Louis Waweru
  • 163
  • 5
  • Probably it was a bug since the title text was also a link. – Overmind Sep 27 '19 at 05:11
  • 13
    The subject `FOR ALL USER !!` did not seem suspicious to them? Perhaps you should do some phishing training with them –  Sep 27 '19 at 09:02
  • I sent out a message earlier in the year after some of our staff were socially engineered into doing monetary favors for "each other." I explained that they were susceptible to SE attacks because many of them have not just their contact information but also itineraries online (where they will be speaking, etc.). A couple fell for the "good seeing at the meeting today" trick. This user just so happened to talk with me upgrading something related to mail the day before, and didn't scan. She said her fovea only saw "upgrade" and the link. There's not even a Tim! My message was endless resilience. – Louis Waweru Sep 28 '19 at 01:54

1 Answer

17

From my understanding the message originally tried to fool the user into clicking some seemingly expected link (as shown in the text) which in reality is a different link (href attribute in the actual link), i.e. something like

<a href=http://attacker> 
http://example.com 
</a>

This trick was successfully neutralized by some secure mail gateway by commenting out the wrong reference:

<!-- <a href=http://attacker> -->
http://example.com 
<!-- </a>  -->

The secure mail gateway added information about what it did in the non-standard X-CU-modified field of the mail header.

Because of this neutralization the trick of the attacker no longer worked, i.e. the user ended at most at the site shown and not at the site intended by the attacker. Thus you don't have to worry about this any longer. But you might thank your IT department for successfully protecting you.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
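The following Python script is an added example, not code from the question, the answer, or any mail gateway product. It covers both the raw message in the question and the neutralization the answer describes: it parses a multipart/alternative message, finds anchors in the HTML part whose visible text is itself a URL on a different host than the href target, comments out the anchor tags the way the gateway did (leaving the visible text so the mail still renders), and records the change in a header. The sample message is constructed and modelled on the one in the question; the header name X-Gateway-Modified and all function names are my own stand-ins, not the gateway's real header or API. Because HTML renderers ignore comments, the parser below never sees a commented-out anchor either, which is why rescanning the neutralized message yields no findings.

```python
"""Detect and neutralize display-text/href mismatches in HTML mail parts.

Added example (not from the question, the answer, or any gateway product).
X-Gateway-Modified is an assumed header name standing in for the site-specific
X-CU-modified header shown in the question.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that is itself a URL (the "shown link").
URL_RE = re.compile(r"^\s*(https?://\S+)\s*$", re.IGNORECASE)

# The shape of the trick as the answer describes it (attacker href, honest text).
ANSWER_SNIPPET = '<a href="http://attacker">http://example.com</a>'

# Constructed sample message modelled on the one in the question. The sender
# address and boundary are placeholders, the phishing host is the one on the page.
RAW_PHISH = """\
From: "Admin@dept.example.com" <sender@example.net>
To: user@example.com
Subject: FOR ALL USER !!
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Sign in here: https://mail.dept.example.com/
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Sign in here:
<a href="https://gradingzimbra.000webhostapp.com/">https://mail.dept.example.com/</a>
</p></body></html>
--b1--
"""


class AnchorCollector(HTMLParser):
    """Record every live <a href> with its visible text and character offsets.
    Anchors inside HTML comments are never reported, exactly as a renderer
    never activates them, so '<!-- <a ...> -->' is a dead link in any client."""

    def __init__(self, html):
        super().__init__()
        self.html = html
        # Absolute offset of each line start, to turn getpos() into an index.
        self.line_starts = [0] + [i + 1 for i, ch in enumerate(html) if ch == "\n"]
        self.anchors = []   # finished anchors as dicts
        self._open = None   # the anchor currently being read
        self.feed(html)
        self.close()

    def _abs(self):
        line, col = self.getpos()
        return self.line_starts[line - 1] + col

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self._open is None:
            self._open = {"href": dict(attrs).get("href"), "text": "", "start": self._abs()}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self._open["end_tag"] = self._abs()                       # start of </a>
            self._open["end"] = self.html.index(">", self._abs()) + 1  # just past </a>
            self.anchors.append(self._open)
            self._open = None


def mismatched_links(html):
    """Return anchors whose shown URL and real href point at different hosts."""
    hits = []
    for a in AnchorCollector(html).anchors:
        m = URL_RE.match(a["text"])
        if not m or not a["href"]:
            continue
        shown, real = urlparse(m.group(1)).hostname, urlparse(a["href"]).hostname
        if shown and real and shown.lower() != real.lower():
            hits.append({**a, "shown_host": shown, "real_host": real})
    return hits


def neutralize(html):
    """Comment out the start and end tags of each mismatched anchor, keeping the
    visible text, as the gateway in the question did. Edits run back to front
    so earlier offsets stay valid."""
    for a in sorted(mismatched_links(html), key=lambda x: x["start"], reverse=True):
        start_tag_end = html.index(">", a["start"]) + 1
        html = html[:a["end_tag"]] + "<!-- " + html[a["end_tag"]:a["end"]] + " -->" + html[a["end"]:]
        html = html[:a["start"]] + "<!-- " + html[a["start"]:start_tag_end] + " -->" + html[start_tag_end:]
    return html


def scan_message(raw):
    """Parse a raw message, neutralize mismatched links in every text/html part,
    and return (findings, rewritten_message)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        hits = mismatched_links(html)
        if hits:
            findings.extend(hits)
            part.set_content(neutralize(html), subtype="html")
    if findings:
        # Leave an audit trail in the spirit of X-CU-modified (assumed header name).
        msg["X-Gateway-Modified"] = "; ".join(
            f"Text {h['shown_host']} to {h['real_host']}" for h in findings)
    return findings, msg


if __name__ == "__main__":
    hits, cleaned = scan_message(RAW_PHISH)
    for h in hits:
        print(f"shown {h['shown_host']} but href goes to {h['real_host']}")
    print(cleaned["X-Gateway-Modified"])
    print(cleaned.get_body(preferencelist=("html",)).get_content())
```

The check deliberately compares hostnames rather than whole URLs, so a link whose text and target agree (even with different paths) is not flagged, while the question's pattern (text on mail.dept.example.com, href on gradingzimbra.000webhostapp.com) is. A text/plain part carries no href at all, which is why a client that renders that part simply linkifies the displayed URL and lands on the real portal.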