AMSI/Reflect-KA Detection

Hi Jones Malhotra,

Thanks for reaching out to the Sophos Community Forum. 

For one of these detections, it looks like a file "imf & bmf pre-filing practitioner relief fy2023.xls.lnk" file was accessed via outlook, triggering powershell.exe. I'd suggest inquiring with the end-user if they received any suspicious emails or clicked any potentially malicious links via Outlook. 

If you haven't already, I'd suggest looking into Sophos Phish threat, as it seems a phishing attempt was made against one of your end-users. You can also start a trial for Phish Threat directly from Sophos Central to try it out for 30 at no cost. The trail can also be extended to 60 days. 

Hi Jones Malhotra,

Thanks for reaching out to the Sophos Community Forum. 

For one of these detections, it looks like a file "imf & bmf pre-filing practitioner relief fy2023.xls.lnk" file was accessed via outlook, triggering powershell.exe. I'd suggest inquiring with the end-user if they received any suspicious emails or clicked any potentially malicious links via Outlook. 

If you haven't already, I'd suggest looking into Sophos Phish threat, as it seems a phishing attempt was made against one of your end-users. You can also start a trial for Phish Threat directly from Sophos Central to try it out for 30 at no cost. The trail can also be extended to 60 days. 

Hi Kushal,

That is one of the triggers though?

Do you know what Reflect-KA is?

Thanks

Yes, a malicious link or attachment via email seems to be where this detection originated. 

The Reflect-KA detection will trigger when obfuscated powershell code attempts to download a specific malicious payload.

I'm curious why HMPA didn't trigger Lockdown.The program has clearly performed beyond its original purpose, executing ps1