This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AMSI/Reflect-KA Detection

Hello everyone,

We get the following alert

What happened: We could not clean up a threat.

Where it happened: computer name

Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

What was detected: AMSI/Reflect-KA

How severe it is: High

What Sophos has done so far: We attempted to clean up a threat.

It is for only for one users, used to be two. I cleaned the temp files for both users on their respective PCs, and it seems that fixed the issue for the first user, or maybe just a coincidence.

However this one user's account on this PC keep giving us this detection.

Seems to be triggered by two different things, but they all lead to powershell.

Please see the images, hope that helps.

Any idea about this. Much appreciated.



This thread was automatically locked due to age.
Parents
  • Hi Jones Malhotra,

    Thanks for reaching out to the Sophos Community Forum. 

    For one of these detections, it looks like a file "imf & bmf pre-filing practitioner relief fy2023.xls.lnk" file was accessed via outlook, triggering powershell.exe. I'd suggest inquiring with the end-user if they received any suspicious emails or clicked any potentially malicious links via Outlook. 

    If you haven't already, I'd suggest looking into Sophos Phish threat, as it seems a phishing attempt was made against one of your end-users. You can also start a trial for Phish Threat directly from Sophos Central to try it out for 30 at no cost. The trail can also be extended to 60 days. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply
  • Hi Jones Malhotra,

    Thanks for reaching out to the Sophos Community Forum. 

    For one of these detections, it looks like a file "imf & bmf pre-filing practitioner relief fy2023.xls.lnk" file was accessed via outlook, triggering powershell.exe. I'd suggest inquiring with the end-user if they received any suspicious emails or clicked any potentially malicious links via Outlook. 

    If you haven't already, I'd suggest looking into Sophos Phish threat, as it seems a phishing attempt was made against one of your end-users. You can also start a trial for Phish Threat directly from Sophos Central to try it out for 30 at no cost. The trail can also be extended to 60 days. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children