
Emotet / Macro Trojan not scanned by Sandstorm

Hello folks,

I noticed that the Emotet or Macro Trojan Invoice doc attachments were not scanned / flagged by Sophos Sandstorm at several customers.

Some files were scanned and blocked by Sophos Endpoint but some others not and the customers clicked on the DOC Files...

When I scanned the files with https://www.virustotal.com for example, several Antivirus Providers already flagged the file as Emotet or Macro Trojan.

1. Question: Why are these obvious files not detected?

2. Question: Why does Sophos Sandstorm not detect the file as virus/trojan but Sophos Endpoint can?

Sophos Sandstorm is working; I already debugged the sandbox. Here is a logfile from the SMTP proxy (I removed our e-mail address):

2018:11:19-21:01:19 utm exim-in[5982]: 2018-11-19 21:01:19 SMTP connection from [202.248.236.202]:43732 (TCP/IP connection count = 1)
2018:11:19-21:01:22 utm exim-in[32723]: 2018-11-19 21:01:22 [202.248.236.202] F=<kozo-ikeda@midori-grp.com> R=<recipient@deletedaddress.xy> Verifying recipient address with callout
2018:11:19-21:01:25 utm exim-in[32723]: 2018-11-19 21:01:25 1gOpjY-0008Vn-01 ctasd reports 'Unknown' RefID:str=0001.0A0B0213.5BF31695.005C:SCFSTAT41993656,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
2018:11:19-21:01:25 utm exim-in[32723]: 2018-11-19 21:01:25 1gOpjY-0008Vn-01 Greylisting: Greylisted 202.248.236.202
2018:11:19-21:01:25 utm exim-in[32723]: [1\33] 2018-11-19 21:01:25 1gOpjY-0008Vn-01 H=mx1.mail-filter.nifty.com (mail-filter.nifty.com) [202.248.236.202]:43732 F=<kozo-ikeda@midori-grp.com> temporarily rejected after DATA: Temporary local problem, please try again!
2018:11:19-21:01:25 utm exim-in[32723]: [2\33] Envelope-from: <kozo-ikeda@midori-grp.com>
2018:11:19-21:01:25 utm exim-in[32723]: [3\33] Envelope-to: <recipient@deletedaddress.xy>
2018:11:19-21:01:25 utm exim-in[32723]: [4\33] P Received: from mx1.mail-filter.nifty.com ([202.248.236.202]:43732 helo=mail-filter.nifty.com)
2018:11:19-21:01:25 utm exim-in[32723]: [5\33] by mail.deletedaddress.xy with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
2018:11:19-21:01:25 utm exim-in[32723]: [6\33] (Exim 4.82_1-5b7a7c0-XX)
2018:11:19-21:01:25 utm exim-in[32723]: [7\33] (envelope-from <kozo-ikeda@midori-grp.com>)
2018:11:19-21:01:25 utm exim-in[32723]: [8\33] id 1gOpjY-0008Vn-01
2018:11:19-21:01:25 utm exim-in[32723]: [9\33] for recipient@deletedaddress.xy; Mon, 19 Nov 2018 21:01:25 +0100
2018:11:19-21:01:25 utm exim-in[32723]: [10\33] P Received: from mgsvssnd007.mail-filter.nifty.com ([172.22.154.148])
2018:11:19-21:01:25 utm exim-in[32723]: [11\33] by mail-filter.nifty.com (8.14.4/8.14.4) with ESMTP id wAJK1Ixe019587
2018:11:19-21:01:25 utm exim-in[32723]: [12\33] for <recipient@deletedaddress.xy>; Tue, 20 Nov 2018 05:01:18 +0900
2018:11:19-21:01:25 utm exim-in[32723]: [13\33] P Received: from archived001t1a001.syncdot.com (archived001t1a001.syncdot.com [54.238.207.248])
2018:11:19-21:01:25 utm exim-in[32723]: [14\33] by mgsvssnd007.mail-filter.nifty.com (8.14.4/8.14.4) with ESMTP id wAJK1IFI007059
2018:11:19-21:01:25 utm exim-in[32723]: [15\33] for <recipient@deletedaddress.xy>; Tue, 20 Nov 2018 05:01:18 +0900
2018:11:19-21:01:25 utm exim-in[32723]: [16\33] P Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
2018:11:19-21:01:25 utm exim-in[32723]: [17\33] by archived001t1a001.syncdot.com (Postfix) with ESMTP id 808DE61996
2018:11:19-21:01:25 utm exim-in[32723]: [18\33] for <recipient@deletedaddress.xy>; Tue, 20 Nov 2018 05:01:18 +0900 (JST)
2018:11:19-21:01:25 utm exim-in[32723]: [19\33] P Received: from webmail001t1c001.syncdot.com (webmail001t1c001.syncdot.com [54.238.150.68])
2018:11:19-21:01:25 utm exim-in[32723]: [20\33] by archived001t1a001.syncdot.com (Postfix) with ESMTP id 6CE41603BD
2018:11:19-21:01:25 utm exim-in[32723]: [21\33] for <recipient@deletedaddress.xy>; Tue, 20 Nov 2018 05:01:18 +0900 (JST)
2018:11:19-21:01:25 utm exim-in[32723]: [22\33] P Received: from 10.15.51.124 (cable201-233-206-4.epm.net.co [201.233.206.4])
2018:11:19-21:01:25 utm exim-in[32723]: [23\33] by webmail001t1c001.syncdot.com (Postfix) with ESMTPA id 6DF4E21364
2018:11:19-21:01:25 utm exim-in[32723]: [24\33] for <recipient@deletedaddress.xy>; Tue, 20 Nov 2018 05:01:17 +0900 (JST)
2018:11:19-21:01:25 utm exim-in[32723]: [25\33] X-CTCH-RefID: str=0001.0A0B0213.5BF31695.005C:SCFSTAT41993656,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
2018:11:19-21:01:25 utm exim-in[32723]: [26\33] Date: Mon, 19 Nov 2018 15:01:17 -0500
2018:11:19-21:01:25 utm exim-in[32723]: [27\33] F From: "Andreea Dumitru <andreea.dumitru@armbruster-fenster.de>" <kozo-ikeda@midori-grp.com>
2018:11:19-21:01:25 utm exim-in[32723]: [28\33] T To: recipient@deletedaddress.xy
2018:11:19-21:01:25 utm exim-in[32723]: [29\33] I Message-ID: <2635516336448417123.682F94A3FC4776A2@deletedaddress.xy>
2018:11:19-21:01:25 utm exim-in[32723]: [30\33] Subject: Payment
2018:11:19-21:01:25 utm exim-in[32723]: [31\33] MIME-Version: 1.0
2018:11:19-21:01:25 utm exim-in[32723]: [32\33] Content-Type: multipart/mixed; boundary="----=_Part_4191_2483147763.10088720964289328749"
2018:11:19-21:01:25 utm exim-in[32723]: [33/33] X-TM-AS-MML: disable
2018:11:19-21:01:31 utm exim-in[5982]: 2018-11-19 21:01:31 SMTP connection from [82.165.159.8]:33977 (TCP/IP connection count = 2)
2018:11:19-21:01:32 utm exim-in[32723]: 2018-11-19 21:01:32 SMTP connection from mx1.mail-filter.nifty.com (mail-filter.nifty.com) [202.248.236.202]:43732 closed by QUIT
2018:11:19-21:01:32 utm exim-in[304]: 2018-11-19 21:01:32 [82.165.159.8] F=<SRS0=ouAW=N6=midori-grp.com=kozo-ikeda@srs2.kundenserver.de> R=<recipient@deletedaddress.xy> Verifying recipient address with callout
2018:11:19-21:01:32 utm exim-in[304]: 2018-11-19 21:01:32 1gOpjg-00004u-2J ctasd reports 'Unknown' RefID:str=0001.0A0B0209.5BF3169C.0084,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
2018:11:19-21:01:32 utm exim-in[304]: 2018-11-19 21:01:32 1gOpjg-00004u-2J Greylisting: 82.165.159.8 is a known retry host
2018:11:19-21:01:32 utm exim-in[304]: 2018-11-19 21:01:32 1gOpjg-00004u-2J <= SRS0=ouAW=N6=midori-grp.com=kozo-ikeda@srs2.kundenserver.de H=mout-xforward.kundenserver.de [82.165.159.8]:33977 P=esmtps X=TLSv1.2:DHE-RSA-AES128-GCM-SHA256:128 S=121596 id=2635516336448417123.682F94A3FC4776A2@erhardt-buerowelt.de
2018:11:19-21:01:32 utm exim-in[304]: 2018-11-19 21:01:32 SMTP connection from mout-xforward.kundenserver.de [82.165.159.8]:33977 closed by QUIT
2018:11:19-21:01:34 utm smtpd[5933]: QMGR[5933]: 1gOpjg-00004u-2J moved to work queue
2018:11:19-21:01:34 utm smtpd[32550]: SCANNER[32550]: 1gOpji-0008T0-7j <= kozo-ikeda@midori-grp.com R=1gOpjg-00004u-2J P=INPUT S=118075
2018:11:19-21:01:34 utm smtpd[32550]: SCANNER[32550]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="82.165.159.8" from="kozo-ikeda@midori-grp.com" to="recipient@deletedaddress.xy" subject="Payment" queueid="1gOpji-0008T0-7j" size="118075"
2018:11:19-21:01:34 utm smtpd[32550]: SCANNER[32550]: 1gOpjg-00004u-2J => work R=SCANNER T=SCANNER
2018:11:19-21:01:34 utm smtpd[32550]: SCANNER[32550]: 1gOpjg-00004u-2J Completed
2018:11:19-21:01:34 utm exim-out[319]: 2018-11-19 21:01:34 1gOpji-0008T0-7j => recipient@deletedaddress.xy P=<kozo-ikeda@midori-grp.com> R=static_route_hostlist T=static_smtp H=172.xx.1.190 [172.xx.1.190]:25 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 C="250 2.6.0 <2635516336448417123.682F94A3FC4776A2@erhardt-buerowelt.de> [InternalId=1036851] Queued ma"
2018:11:19-21:01:34 utm exim-out[319]: 2018-11-19 21:01:34 1gOpji-0008T0-7j Completed
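One detail visible in the log above is the From header, which carries a second, unrelated address inside the display name while the scanner line reports "email passed". As an added example (not from the original post or from Sophos), the script below parses constructed lines in the same UTM log format, correlates From headers with SecureMail scanner verdicts by sender address, and reports messages that passed despite such a display-name mismatch; all addresses, IPs and queue IDs are placeholders.

```python
import re

# Constructed sample lines modelled on the UTM SMTP-proxy log format in the post.
# Addresses, IPs and queue IDs are placeholders, not values from the thread.
SAMPLE_LOG = r"""
2018:11:19-21:01:25 utm exim-in[32723]: [27\33] F From: "Jane Doe <jane.doe@partner.example>" <other.sender@unrelated.example>
2018:11:19-21:01:34 utm smtpd[32550]: SCANNER[32550]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="198.51.100.7" from="other.sender@unrelated.example" to="user@victim.example" subject="Payment" queueid="1gAAAA-000001-AA" size="118075"
2018:11:19-21:05:00 utm exim-in[32800]: [27\33] F From: "Alice Smith" <alice.smith@partner.example>
2018:11:19-21:05:10 utm smtpd[32550]: SCANNER[32550]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="198.51.100.8" from="alice.smith@partner.example" to="user@victim.example" subject="Hello" queueid="1gBBBB-000002-BB" size="2048"
"""

FROM_RE = re.compile(r'exim-in\[\d+\]: \[\d+\\\d+\] F From: (.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')        # key="value" pairs on scanner lines
ADDR_RE = re.compile(r'[\w.+-]+@[\w.-]+')

def parse_from_header(value):
    """Split a From value into (display_name, angle_address)."""
    m = re.search(r'<([^<>]+)>\s*$', value)
    if not m:
        return "", value.strip()
    return value[:m.start()].strip().strip('"'), m.group(1)

def display_name_mismatch(value):
    """Return an address embedded in the display name whose domain differs from
    the real sender address (the lure pattern seen in the post), else None."""
    name, addr = parse_from_header(value)
    for embedded in ADDR_RE.findall(name):
        if embedded.split('@')[1].lower() != addr.split('@')[1].lower():
            return embedded
    return None

def analyze(log_text):
    """Report scanner-passed messages whose From header showed a mismatch."""
    suspects = {}   # real sender address -> address embedded in display name
    findings = []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            embedded = display_name_mismatch(m.group(1))
            if embedded:
                suspects[parse_from_header(m.group(1))[1].lower()] = embedded
            continue
        if 'SCANNER[' in line and 'sys="SecureMail"' in line:
            kv = dict(KV_RE.findall(line))
            sender = kv.get("from", "").lower()
            if sender in suspects:
                findings.append({"queueid": kv.get("queueid"), "from": sender,
                                 "display_addr": suspects[sender],
                                 "subject": kv.get("subject"),
                                 "verdict": kv.get("name")})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the real SMTP-proxy log, the output lists queue IDs worth pulling for a sample submission.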


  • Hi wiLLow,

    We would definitely be interested to know more about this and ensure a satisfactory response. For this, we'll need to know exactly what we missed. The best and the quickest way here would be to raise a Support Case with us. 

    Once you have the Case ID, please Submit a Sample of the malicious DOC file using the case reference number. 

    Submit a copy of the SPAM email to is-spam@sophos.com 

    Once you have the Case ID - Please DM me.

    Thanks,

    Vikas
