Hi all,
Since Thursday/Friday last week we have been receiving thousands of emails directed to our internal users, groups and mailing lists. The recipients are not randomly generated, so either someone found or has purchased a list of our addresses or some disgruntled script kidie is playing games. The attacks certainly appear to be targeted from a botnet last week, as the emails were originating from not any single subnet.
Anyway, I have submitted these files to Sophos, Avira and ESET. The email has somewhat dictionary based email contents (bypass basic search blocks) to trick the user to open the attached .doc or .docx file. If the doc is opened and macro is given permission to run it downloads and exe and no doubt more annoying stuff happens. ESET blocks the exe, Sophos is blocking bad hosts based on RBL checks, but Sophos so far is not picking up this .doc file and quarantining it at SMTP time. I have now resorted to blocking based on MIME types until Sophos starts blocking them properly - which as you can imagine, a lot of business emails contain Word documents.
Email example:
Subject: BPay file 9Y473M844O9X
Body:
Transaction Total: 35000.37 USD
Transaction Number: IDEWNL0EAG5CN
Recent Status: Please view enclosed file.
Snapshot of word doc contents: Imgur: The most awesome images on the Internet
All references of BPay, Transaction, Status, file, DOC, MS Word and a whole bunch of others are interchangeable to try and circumvent detection. The file name and size are also different in every occurrence.
Has anyone found a decent method of blocking these?
This thread was automatically locked due to age.
