Recently some customers have received emails with Microsoft Office attachments (often compressed) that contain macros. These macros act as a file dropper/downloader: they access the internet to download a malware payload. The URLs accessed by these attachments change on a regular basis and switch automatically to a new one if the existing one is blocked.
Example file names seen:
The types of detection you may have seen for this are Troj/DocDl and CXmail/OleDl.
Applies to the following Sophos products and versions:
Central Windows Endpoint
Central Mac Endpoint
Sophos Endpoint Security and Control
PureMessage for Microsoft Exchange
Sophos Email Appliance
Sophos Email products provide a broad and effective model for detecting this type of malware delivery, which leverages an email attachment with macros to create additional files on the device. If you are already using the products listed above you will see these emails blocked as CXmail/OleDl.
The aggressive stance taken by Sophos Email products against this type of threat can result in some legitimate files being detected. To resolve this, Word or Excel documents should be compressed (zipped) with a password when they are sent over email.
For customers using Sophos Endpoint security products, follow the Recommended settings for Anti-Virus and HIPS and Ransomware: Information and prevention.
You may also consider disabling the automatic execution of macros in Microsoft Office documents. You can do this by changing the default Trust Center settings. For more information please see: Enable or disable macros in Office documents
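The following is an added example, not part of the Sophos article, that audits (and with -Apply, hardens) the per-user macro setting the Trust Center controls. It assumes PowerShell on Windows with Office 2016/2019/365 (registry version 16.0); the VBAWarnings and blockcontentexecutionfrominternet values are the registry counterparts of the Trust Center macro settings.

```powershell
# Audit and optionally set the per-user Office macro security level.
# Assumed: Office registry version 16.0 (adjust -OfficeVersion for others).
# VBAWarnings levels match the Trust Center choices:
#   1 = enable all macros, 2 = disable with notification (Office default),
#   3 = disable except digitally signed, 4 = disable all without notification.
param(
    [string]$OfficeVersion = '16.0',
    [ValidateSet(2, 3, 4)][int]$DesiredLevel = 4,
    [switch]$Apply
)

$apps = 'Word', 'Excel', 'PowerPoint'
foreach ($app in $apps) {
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
    $current = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -eq $current) { $current = 2 }   # a missing value means the Office default

    # Higher level = stricter, so anything below the desired level is reported as weak
    $status = if ($current -ge $DesiredLevel) { 'OK' } else { 'WEAK' }
    Write-Output ("{0,-10} VBAWarnings={1} [{2}]" -f $app, $current, $status)

    if ($Apply -and $current -lt $DesiredLevel) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $DesiredLevel -Type DWord
        # Additionally block macros in files carrying the Mark of the Web,
        # which covers documents saved from email or downloaded from the internet.
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        Write-Output ("{0,-10} hardened to VBAWarnings={1}" -f $app, $DesiredLevel)
    }
}
```

Run without -Apply to audit only; a user can still change these values back through the Trust Center, so for a managed fleet set the same values under the HKCU:\Software\Policies\Microsoft\Office path via Group Policy instead.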