Scan found malicious PDF in user profile; user never signed in to PC

Rhigel
Level 1

Hello, I have a rather interesting issue that I am having trouble figuring out. AMP scans have returned 3 separate endpoints now with the same malicious phishing pdf that is seemingly located in someone's user profile. Normally this would be fine, because if AMP could not quarantine the file itself, I could go to the path it noted and manually delete the file. The peculiar thing is that the profile it is noting "C:\Users\USERNAME\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\3\Attachments\info-iuysdfes-987345[57].pdf" does not exist on any of the 3 PCs the scans have found the file on, and that specific user has never signed into the computers it is showing up on. 

 

This "Ghost Profile" is a little bit confusing and worrying. I wanted to make a community post to see if anyone else using AMP had seen similar behavior to this before, and if so what did they do to fix it or resolve the alerts.

 

Thanks in advance for any help or suggestions that may be offered. 

1 Reply

crockbot
Level 1

I have seen detections in these locations. I believe these are cached copies of files from Outlook emails. I am not sure if it is cached from the office360 webapp or the Outlook desktop app. Hope that helps a little bit. Additionally, I would offer the following speculations:

  1. Another user has shared access to the outlook account that received the email
  2. The user did login to that computer but the login predates how far back you were looking, and the detection is a retrospective detection.

Thanks for posting this.  I look forward to reading other replies.
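The two posts above leave the reader with two things to verify on each affected PC: whether the profile AMP named ever existed there (directory on disk, ProfileList entry in the registry, or a logon in the Security log that may already have rolled off, which is the retrospective-detection case in point 2), and what is actually sitting in that app package's attachment cache so its hash can be compared with the one in the AMP event. The PowerShell below is an added example written for this thread, not code from either poster or from Cisco; `$UserName` is a placeholder you replace with the account AMP reported, and the cache directory is generalized from the path in the question (everything under `LocalState\Files` for the `microsoft.windowscommunicationsapps_8wekyb3d8bbwe` package) rather than just the `S0\3\Attachments` leaf.

```powershell
# Added example for the thread above (not the original poster's or Cisco's code).
# Run in an elevated PowerShell on the endpoint; $UserName is an assumed placeholder.
param([string]$UserName = 'USERNAME')

$package = 'microsoft.windowscommunicationsapps_8wekyb3d8bbwe'

# 1. Enumerate profiles from the registry ProfileList, not only from C:\Users:
#    a profile directory can linger after its registry entry is gone, and vice versa.
$profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
    Where-Object { $_.ProfileImagePath -like 'C:\Users\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Sid    = Split-Path $_.PSPath -Leaf      # key name is the account SID
            Path   = $_.ProfileImagePath
            OnDisk = Test-Path $_.ProfileImagePath
        }
    }
$profiles | Format-Table -AutoSize

# 2. Did the named user ever have a profile here? Check directory and registry separately.
$dirExists = Test-Path "C:\Users\$UserName"
$regEntry  = $profiles | Where-Object { $_.Path -ieq "C:\Users\$UserName" }
"Profile directory present: $dirExists; ProfileList entry present: $([bool]$regEntry)"

# 3. Any logon events for that account still in the Security log? An empty result
#    does not prove the user never logged on; the log may simply have rolled over.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$UserName']]"
$logons = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5 -ErrorAction SilentlyContinue
"Interactive/network logons for ${UserName} still in Security log: $(@($logons).Count)"

# 4. For every profile present on disk, list cached Mail app attachments and hash them
#    so the SHA-256 can be compared with the hash in the AMP event.
foreach ($p in $profiles | Where-Object { $_.OnDisk }) {
    $cache = Join-Path $p.Path "AppData\Local\Packages\$package\LocalState\Files"
    if (-not (Test-Path $cache)) { continue }
    Get-ChildItem -Path $cache -Recurse -File -Filter '*.pdf' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Profile = $p.Path
                File    = $_.FullName
                Size    = $_.Length
                Written = $_.LastWriteTimeUtc
                Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}
```

If step 2 reports no directory and no ProfileList entry while the AMP event still names that path, the event is describing a file the endpoint no longer has on disk (or never had under that name), which is worth raising with support together with the hash from step 4 rather than treating as a live file to delete.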