phishing mails with HTML attachment

daro
Level 1

Hi,

We received multiple mails with HTML attachments containing PayPal or other banking phishing attempts; please find attached the HTML file in question.

Please let me know if the original mail is needed too.

Those mails probably should have been blocked at some other point of the pipeline, but still, is there a way to manually block them?

As far as I know we have a legitimate business reason to send and receive HTML files (as attachments), so we would have to dig deeper into the HTML file, but then again that file would always be changed on the next phishing attempt.

Any ideas?

Thank you very much.

Best regards,

Daniel

3 Replies

Robert Sherwin
Cisco Employee

Hello Daniel -

Message tracking, or the message/message headers would be helpful to fully understand the processing through your appliance.

We would be relying on the actual HTML file itself to be marked as Viral+ by AV or Malicious+ by AMP. Looking at the HTML provided, it still would take end-user interaction in order to submit the information. AMP would not take that into consideration.

Do you have Virus Outbreak Filters also configured on the appliance? Seeing the message tracking for this message as processed would be helpful.

The file provided (SHA 26db7d28f89c9f1868d81301419f0c2ceb479c6bb4eb8703170b3617d04c8d13): stepping through the form and submitting via Sandbox, I can see that the site this submits to goes to eavehiclerental.com --- and a 404 page = ptpt.php page.

AMP does not score this malicious from Cisco side. The top hit in Sandbox scanning is the outbound connection...

Outbound HTTP GET to a remote server was detected. This is not inherently suspicious but malware will often use Gets in order to check in to the Command and Control servers upon infection or to download or exfiltrate data. Please view the 'HTTP' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.

VirusTotal does not either:

https://virustotal.com/en/file/26db7d28f89c9f1868d81301419f0c2ceb479c6bb4eb8703170b3617d04c8d13/analysis/

-Robert
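An added example, not code from the thread or from Cisco: a small defender-side check that parses an HTML attachment and flags forms that post a password field to an external host, the "form that needs user interaction to submit" pattern Robert describes. The sample HTML and the example.invalid domain are constructed for this example.

```python
# Added example (not from the thread): flag an HTML attachment that carries a
# credential-harvesting form. Heuristic: a <form> whose action is an absolute
# URL on some host and which contains a password input. An attachment has no
# origin of its own, so any such action is an off-host submission.
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormCollector(HTMLParser):
    """Collect every <form>, its action URL and the input types inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "inputs": [types]}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((attrs.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html: str):
    """Return the action URLs of forms that send a password to a remote host."""
    parser = FormCollector()
    parser.feed(html)
    hits = []
    for form in parser.forms:
        host = urlparse(form["action"]).netloc
        if host and "password" in form["inputs"]:
            hits.append(form["action"])
    return hits


# Constructed sample mimicking the kind of attachment described in the thread;
# example.invalid is a placeholder, not a real phishing host.
SAMPLE = """<html><body>
<form action="https://example.invalid/login.php" method="post">
  Email: <input type="text" name="email">
  Password: <input type="password" name="pw">
  <input type="submit" value="Log In">
</form></body></html>"""

if __name__ == "__main__":
    print(suspicious_forms(SAMPLE))  # ['https://example.invalid/login.php']
```

A check like this can back a content filter that quarantines HTML attachments for review rather than relying only on AV/AMP verdicts, which, as noted above, do not score a static form as malicious.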
