Everyone has heard of the 0-day bug in the Apple Mail app.
Can Sophos recognize and block the emails? We have not been able to use the Mail app for days.
Hallo Andi,
If there's a particular MIME type, then that could be blocked, but I saw nothing in the two articles I read that gave any clues. Have you started a case with Sophos Support?
Cheers - Bob
The guy who found it explains it in quite some detail at https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/
It should not be too difficult to search for those strings in mails before delivering...
# | Type of indicator | Purpose | IOC |
---|---|---|---|
1 | String in raw email | Part of the malicious email sent | AAAAAAAA AND AAAAATEy AND EA\r\nAABI AND "$\x0e\xce\xa0\xd4\xc7\xcb\x08" AND T8hlGOo9 AND OKl2N\r\nC (updated) |
3 | String in raw email | Part of the malicious email sent | 3r0TRZfh AND AAAAAAAAAAAAAAAA AND \x0041\x0041\x0041\x0041 (unicode AAAA) (updated) |
4 | String in raw email | Part of the malicious email sent | \n/s1Caa6 AND J1Ls9RWH |
5 | String in raw email | Part of the malicious email sent | ://44449 |
6 | String in raw email | Part of the malicious email sent | ://84371 |
7 | String in raw email | Part of the malicious email sent | ://87756 |
8 | String in raw email | Part of the malicious email sent | ://94654 |
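
The string search suggested in the post above, as an added example that is not part of the original thread and is not Sophos or ZecOps code: a Python check that applies each table row's AND condition to the raw message bytes. The rule values are copied from the table; treating the quotes in row 1 as delimiters, reading row 3's "unicode AAAA" as UTF-16BE, the sample messages, and the names `IOC_RULES`, `normalize_eol` and `match_rules` are assumptions.

```python
import re

# Each rule lists terms that must ALL occur in the raw message (the table's AND).
# Values are copied from the table above. Assumptions: the quotes around the
# binary term in row 1 are delimiters, and row 3's "unicode AAAA" is UTF-16BE.
IOC_RULES = {
    1: [b"AAAAAAAA", b"AAAAATEy", b"EA\r\nAABI",
        b"$\x0e\xce\xa0\xd4\xc7\xcb\x08", b"T8hlGOo9", b"OKl2N\r\nC"],
    3: [b"3r0TRZfh", b"AAAAAAAAAAAAAAAA", "AAAA".encode("utf-16-be")],
    4: [b"\n/s1Caa6", b"J1Ls9RWH"],
    5: [b"://44449"],
    6: [b"://84371"],
    7: [b"://87756"],
    8: [b"://94654"],
}


def normalize_eol(raw: bytes) -> bytes:
    """Rewrite every line ending as CRLF, so terms containing \\r\\n still match
    a message that a spool or export step stored with bare LF."""
    return re.sub(rb"\r?\n", b"\r\n", raw)


def match_rules(raw: bytes) -> list[int]:
    """Return the table row numbers whose terms are all present in raw."""
    data = normalize_eol(raw)
    return [row for row, terms in IOC_RULES.items()
            if all(term in data for term in terms)]


# Constructed sample messages (not real mail), stored with bare LF endings.
BENIGN = b"Subject: scan\n\nAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAA\n"
ROW4 = b"Subject: x\n\nQUJD\n/s1Caa6QUJD\nJ1Ls9RWHQUJD\n"
ROW1 = (b"Subject: y\n\nAAAAAAAAAAAAATEy\nT8hlGOo9EA\nAABIOKl2N\nCQ==\n"
        b"$\x0e\xce\xa0\xd4\xc7\xcb\x08\n")

if __name__ == "__main__":
    for name, msg in [("benign", BENIGN), ("row4", ROW4), ("row1", ROW1)]:
        print(name, match_rules(msg))
```

Rows 5 to 8 are single short substrings, so a hit on one of them alone is a reason to inspect the message rather than proof of a match with the campaign.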
We have to initiate support through our partner because we have no support contract for direct communication with Sophos.
I became concerned that there is no official statement from Sophos regarding the detection.
On April 23, the BSI, as the Federal Cyber Security Authority, warned against using the app and recommends:
Delete the "Mail" app or deactivate the synchronization.
Two weeks later we have neither a solution from Apple, nor any information from Sophos as to whether there is a detection.
It is funny.
You have to pay for a license to use Email-Security, but if you want to get any information about the thing you pay for, you need to pay again...
I think Andi and I are not the only people having Astaro Sophos and iPhones. Can somebody file a request?
And for Sophos it would be good marketing if they could say: Our clients using iPhones are safe.
Hi Jasmine,
We also run SonicWall NSA firewall systems, where we can contact the support directly. We have to use the Sophos support of the partner, who only forwards the request anyway, but then sends us an invoice for the service.
UTM Standard Support:
Is included with every Network, Web, Mail, Wireless or Web Application Security subscription with a run time of 1, 3 or 5 years and offers a 24 hour bring in hardware replacement, automatic software updates as well as technical 10*5 support via Sophos partners.
UTM Premium Support:
Can be purchased as an optional upgrade to the UTM Standard Support for 1, 3 or 5 years and offers a 24 hour up front hardware replacement, automatic software updates as well as technical 24*7 support via Sophos support engineers.
Andreas