The Ledger phishing scam was just an ordinary phishing campaign with leaked emails, IMO.
This one looks much more sophisticated, because you really cannot tell whether it is phishing or not, besides the links inside the mail.
I saw the same thing coming from booking.com a week ago; it happened to my parents. They received a phishing mail from their servers (verify credit card with a phishing link). Seems to be a new scheme to compromise the mail infrastructure and to send "real mails".
Here is an extract of the mail my parents received:
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@booking.com header.s=bk header.b=qg05XoWJ;
spf=pass (google.com: domain of noreply@mailer.booking.com designates 37.10.30.4 as permitted sender) smtp.mailfrom=noreply@mailer.booking.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=booking.com
Return-Path: <noreply@mailer.booking.com>
Received: from mailout-202-r3.booking.com (mailout-202-r3.booking.com. [37.10.30.4])
by mx.google.com with ESMTPS id m18-
Replies (1)
So at this point something else may have been compromised or an employee has gone rogue. Fun.
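The header extract in the first post shows why SPF, DKIM and DMARC verdicts cannot flag a mail like this one. As an added example (not part of the original posts), the script below parses the quoted ARC-Authentication-Results value and checks link hosts in a message body against the DMARC-authenticated domain as a separate step. The body text, the `example.test` host and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Header value as quoted in the post above.
AUTH_RESULTS = (
    "i=1; mx.google.com; "
    "dkim=pass header.i=@booking.com header.s=bk header.b=qg05XoWJ; "
    "spf=pass (google.com: domain of noreply@mailer.booking.com designates "
    "37.10.30.4 as permitted sender) smtp.mailfrom=noreply@mailer.booking.com; "
    "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=booking.com"
)
# Constructed body: both links and the example.test host are placeholders.
SAMPLE_BODY = (
    '<a href="https://secure.booking.com/help">Your stay</a> '
    '<a href="https://card-verify.example.test/confirm">Verify credit card</a>'
)

def parse_auth_results(value):
    """Map each method (dkim, spf, dmarc) to its result and properties."""
    value = re.sub(r"\([^)]*\)", " ", value)   # drop parenthesised comments
    out = {}
    for clause in value.split(";"):
        m = re.match(r"\s*(dkim|spf|dmarc)=(\w+)(.*)", clause, re.S | re.I)
        if m:                                   # skips "i=1" and the authserv-id
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            out[m.group(1).lower()] = {"result": m.group(2).lower(), **props}
    return out

def foreign_link_hosts(html, auth_domain):
    """Hosts in href attributes that are neither auth_domain nor a subdomain of it."""
    auth_domain = auth_domain.lower()
    hosts = {urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', html)}
    return sorted(h for h in hosts
                  if h and h != auth_domain and not h.endswith("." + auth_domain))

def assess(auth_value, body):
    """Sender authentication and link destinations are reported separately."""
    dmarc = parse_auth_results(auth_value).get("dmarc", {})
    domain = dmarc.get("header.from", "")
    return {
        "sender_authenticated": dmarc.get("result") == "pass",
        "from_domain": domain,
        "foreign_links": foreign_link_hosts(body, domain),
    }

if __name__ == "__main__":
    print(assess(AUTH_RESULTS, SAMPLE_BODY))
```

A `pass` verdict only establishes that the message left infrastructure authorized for the From domain; the `foreign_links` field is the only part of the report that separates the mail described in the post from a legitimate one.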