"From: Ewan.McAndrew@ed.ac.uk invoicing@kibamf.com"

Sigh,

Thanks for the mail, Katie.
Here I blame many email clients that show only the real name. «Your name is "john.doe@example.com"? That's not a problem, I think it will be enough to show that, no need to additionally mention that your email is gangster@evilguys.biz» And there are some really popular ones doing this. :( Not sure how these will turn out if evilguys.biz set up DMARC, once we additionally add From-header replacement into the mix.
Obviously, the link from the email leads to a virus download, so be careful, those peeking at it: https://www.virustotal.com/#/file/17bba5b4fbf997163f1f0f316b5bc08bd1cdde4e8c...
Note: I am a bit confused by the mention on the thread of "Ewan.McAndrew@ed.ac.uk <liane.eichenberger@buendes-bueroservice.de>": were there *several* phishing emails with an "Ewan name"? If they continue playing at impersonating Ewan that way, emails using such a name could be blocked with a regex in the list config.
Regards
PS: Gmail is complaining that the ed.ac.uk email server doesn't support STARTTLS. That is something they can implement, unlike avoiding such messages.
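
The check suggested above, sketched as an added example that is not part of the original mail: flag any From header whose display name carries an email address different from the real sender, and build a regex for one impersonated name. The function names are hypothetical, the header values are the ones quoted in this message, and the rule uses Python regex syntax, which is an assumption about the list software.

```python
import re

# An email-like string appearing inside the display name.
ADDR_IN_NAME = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The real sender address: the last <...> group of the header value.
ANGLE_ADDR = re.compile(r"<\s*([^<>\s]+@[^<>\s]+)\s*>\s*$")


def split_from(value):
    """Split a From header value into (display name, real address)."""
    m = ANGLE_ADDR.search(value)
    if not m:  # bare address, no display name
        return "", value.strip().lower()
    display = value[:m.start()].strip().strip('"').strip()
    return display, m.group(1).lower()


def spoofed_display_name(value):
    """Return (claimed, actual) if the display name shows an address
    that differs from the real one, else None."""
    display, actual = split_from(value)
    for claimed in ADDR_IN_NAME.findall(display):
        if claimed.lower() != actual:
            return claimed.lower(), actual
    return None


def list_block_rule(impersonated):
    """Regex for a full 'From:' line that uses `impersonated` as the
    display name while the real address is something else."""
    addr = re.escape(impersonated)
    return re.compile(
        r'^From:\s*"?\s*' + addr + r'\s*"?\s*<(?!\s*' + addr + r'\s*>)',
        re.IGNORECASE | re.MULTILINE)


# Constructed header values, reusing the addresses quoted in this thread.
SAMPLES = [
    '"Ewan.McAndrew@ed.ac.uk" <invoicing@kibamf.com>',
    'Ewan.McAndrew@ed.ac.uk< liane.eichenberger@buendes-bueroservice.de>',
    'Ewan McAndrew <Ewan.McAndrew@ed.ac.uk>',
    '"Ewan.McAndrew@ed.ac.uk" <Ewan.McAndrew@ed.ac.uk>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(spoofed_display_name(s), "<-", s)
```

The generic check catches any address-as-name mismatch, while `list_block_rule` is the narrow per-name filter; a sender whose client legitimately repeats their own address as the display name passes both.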