IDK who Deb Eskew is, but I certainly glanced askew when reading this. See how many red flags you can spot. This one seems to have them all:

-unbidden attachment (which couldn't be auto-scanned for malware btw)
-no actual greeting or salutation
-a password needed to unlock the attachment
-relevant (if a bit on-the-nose) social engineering involving a podcast ostensibly focused on fraud;
-Google is clearly glancing askew here, too, but kind of tapping out on a verdict because it ultimately made it through.

KrebsOnSecurity.com celebrates its 16th anniversary today! A huge “thank you” to all of our readers — newcomers, long-timers and drive-by critics alike. Your engagement this past year here has been tremendous and truly a salve on a handful of dark days. Happily, comeuppance was a strong theme running through our coverage in 2025, with a primary focus on entities that enabled complex and globally-dispersed cybercrime services.

I'll add this spoiler, from the end:

"I am happy to report that the first KrebsOnSecurity stories of 2026 will go deep into the origins of Kimwolf, and examine the botnet’s unique and highly invasive means of spreading digital disease far and wide. The first in that series will include a somewhat sobering and global security notification concerning the devices and residential proxy services that are inadvertently helping to power Kimwolf’s rapid growth."

https://krebsonsecurity.com/2025/12/happy-16th-birthday-krebsonsecurity-com/