Scam emails using images?

Dustin Anderson
VIP Alumni

I've started seeing some scam emails coming in, but they are just from a random gmail account with an image of a fake bill with a scam 800 number to call. Same junk we have all seen, but does anyone know a way to block them? I can't block gmail as we have customers and I don't think the ESAs can OCR scan an image to trigger. They change the filename, so file hash isn't usable.

Accepted Solution

You're correct, the ESA can't OCR the picture.
I think our option is going to be sending mail to ETD and getting a verdict from those cloud based engines. That option is coming in the 15.x code sometime, but I haven't seen a definitive roadmap as to when that might be available.

13 Replies

The never-ending cat and mouse of email. They are tagging the email body with a # code, so I'm seeing if a filter of from @gmail.com and body contains #[a-z] sent to a quarantine works. Testing with just a copy to see what it gets wrong.

Seeing the same happening here today, i.e. multiple gmail.com senders with similar subject lines (made to be tracked by the senders) and similar attachments (all JPGs so far), but with different names... and they all came in with sizes above the max scan limits set for certain filters... so I've upped that here to see if anything gets caught. Worth a try at least.

Yeah, I saw the images are 3 MB, but we manually scanned and nothing triggered as it's not technically malicious.

I'm testing a filter of from @gmail.com and body contains ^#[a-z]

we'll see if I get more tonight.

Thanks Dustin... and yeah, you're correct, it's basically a "Geek Squad invoice" with a number to call... so if OCR can't catch that, not much will I suspect... except a filter nailing the details you are trying with without causing too many false positives

Looking forward to hearing about the results...

I had to change the filter to ^#[a-z] as it was triggering on HTML format emails for color codes. The ^ means beginning of line and I've had no false positives, but none of those emails yet. And it only works if they keep adding the # code into the body.

I've seen three similar emails so far today and they all got caught by the filter... "... scanned by Anti-Spam engine: CASE. Final verdict: Positive"... so maybe upping the max scan limit for Outbreak and Ironport Anti-Spam did it... or Cisco had the included jpg hash flagged already? Either case, it's good!

And that enough people reported it... so the CASE engine got updated.
So now everyone is protected...

I'm OK with that!
Would be nice though to get that 1 MB size limit upped for the reporting add-in... to make it easier for non-IT users to report larger emails... along with a way to centrally enable some form of feedback from the Talos portal to those users without them having to register with Cisco (can't see people on the shopfloor do that for example... or even office workers) so they feel that something happens with what's being reported.

Dustin Anderson
VIP Alumni

We'll have to see, I got 2 today. One was 1 MB and 1 was 822 KB, so under the scan limit and got through.

Saw one yesterday slip through, this time with a different subject line (but including # followed by tracking number) and attached picture was of a "Paypal invoice" instead of the earlier "Geek Squad invoice". Just over 1 MB in size and it was reported to Talos by the end user here. There was a second email from same sender and with same subject line only ONE second after the first email, it was dropped by Anti-Spam.

Dustin Anderson
VIP Alumni

I've had 15 so far today, I set up a quarantine and a rule of from gmail, jpeg attachment and # in the body. Got some false positives, so I do have to watch queues, but I've had 3 false in a day and we have around 140K/day emails incoming.

Mike Sanders
Level 1

Has anyone found a solution to block these in an effective way with no false positives please? Thank you.