01-17-2017 05:09 AM
Hi,
We received multiple mails with HTML attachments containing PayPal or other banking phishing attempts; please find attached the HTML file in question.
Please let me know if the original mail is needed too.
Those mails probably should have been blocked at some other point of the pipeline, but still, is there a way to manually block them?
As far as I know we have a legitimate business reason to send and receive HTML files (as attachments), so we would have to dig deeper into the HTML file, but then again that file would always be changed on the next phishing attempt.
Any ideas?
thank you very much
best regards
Daniel
01-17-2017 05:42 PM
Hello Daniel -
Message tracking, or the message/message headers would be helpful to fully understand the processing through your appliance.
We would be relying on the actual HTML file itself to be marked as Viral+ by AV or Malicious+ by AMP. Looking at the HTML provided, it still would take end-user interaction in order to submit the information. AMP would not take that into consideration.
Do you have Virus Outbreak Filters also configured on the appliance? Seeing the message tracking for this message as processed would be helpful.
The file provided (SHA 26db7d28f89c9f1868d81301419f0c2ceb479c6bb4eb8703170b3617d04c8d13): stepping through the form and submitting via Sandbox, I can see that the site this submits to is eavehiclerental.com, with a 404 page at ptpt.php.
AMP does not score this malicious from Cisco side. The top hit in Sandbox scanning is the outbound connection...
Outbound HTTP GET to a remote server was detected. This is not inherently suspicious but malware will often use Gets in order to check in to the Command and Control servers upon infection or to download or exfiltrate data. Please view the 'HTTP' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.
Virus Total does not as well:
https://virustotal.com/en/file/26db7d28f89c9f1868d81301419f0c2ceb479c6bb4eb8703170b3617d04c8d13/analysis/
-Robert
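Daniel asked for a way to block these files manually, and Robert's point is that AMP and AV will not flag a form that only becomes harmful once a user types into it. As an added example (not code from either poster, Cisco ESA or AMP), here is the kind of static heuristic a defender could run over HTML attachments before delivery: flag any document containing a form with a password field that posts to an absolute remote URL whose host does not belong to the brand the page names. The brand table and the sample HTML are constructed for illustration.

```python
"""Static check for credential-harvesting HTML attachments (added example, not ESA code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand keyword -> legitimate domain. Constructed and deliberately partial; a
# real deployment would maintain this list for the brands its users see phished.
BRANDS = {"paypal": "paypal.com"}


class _FormScanner(HTMLParser):
    """Collects each <form>'s action URL, whether it holds a password input, and page text."""

    def __init__(self):
        super().__init__()
        self.forms = []   # one dict per <form>: {"action": str, "password": bool}
        self.text = []    # visible text, used to see which brand the page impersonates

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "password": False})
        elif tag == "input" and self.forms and a.get("type").lower() == "password":
            self.forms[-1]["password"] = True

    def handle_data(self, data):
        self.text.append(data.lower())


def suspicious_form_actions(html: str) -> list:
    """Return action URLs of password forms that post off-brand to a remote host.

    An attached HTML file has no legitimate reason to send a password to an
    arbitrary remote server, so a relative action (no host) is treated as
    off-brand as well once a brand name appears in the page text.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    page_text = " ".join(scanner.text)
    flagged = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        for brand, legit in BRANDS.items():
            on_brand = host == legit or host.endswith("." + legit)
            if brand in page_text and not on_brand:
                flagged.append(form["action"])
                break
    return flagged


# Constructed sample modelled on the attachment described in the thread: a PayPal
# lookalike login form posting to an unrelated host. The domain is a placeholder.
SAMPLE_PHISH = """<html><body><h1>PayPal - Confirm your account</h1>
<form method="post" action="http://phish.example.invalid/ptpt.php">
  Email <input type="text" name="email">
  Password <input type="password" name="passwd">
  <input type="submit" value="Log in">
</form></body></html>"""
```

A message filter or content filter that can hand attachments to an external scanner could quarantine on a non-empty result; the check is cheap and does not depend on the file's hash, which changes with every campaign.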
03-02-2017 09:03 AM
<deleted>