AMSI/Reflect-KA Detection

Question

Hello everyone, 
 
 We get the following alert 
 
 What happened: We could not clean up a threat. 
 Where it happened: computer name 
 Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 
 What was detected: AMSI/Reflect-KA 
 How severe it is: High 
 What Sophos has done so far: We attempted to clean up a threat. 
 It is for only for one users, used to be two. I cleaned the temp files for both users on their respective PCs, and it seems that fixed the issue for the first user, or maybe just a coincidence. 
 However this one user's account on this PC keep giving us this detection. 
 Seems to be triggered by two different things, but they all lead to powershell. 
 Please see the images, hope that helps. 
 Any idea about this. Much appreciated.

Qoosh · Answer

Hi Jones Malhotra , 
 Thanks for reaching out to the Sophos Community Forum. 
 For one of these detections, it looks like a file "imf & bmf pre-filing practitioner relief fy2023.xls.lnk" file was accessed via outlook, triggering powershell.exe. I'd suggest inquiring with the end-user if they received any suspicious emails or clicked any potentially malicious links via Outlook. 
 If you haven't already, I'd suggest looking into Sophos Phish threat, as it seems a phishing attempt was made against one of your end-users. You can also start a trial for Phish Threat directly from Sophos Central to try it out for 30 at no cost. The trail can also be extended to 60 days.