03-08-2017 02:08 PM - edited 03-08-2017 02:09 PM
I thought I would reach out and see if the team at Palo Alto or the user community could shed some light on this one. We are experiencing a phishing attack on random workstations (luckily only 5 at the moment) hijacking Outlook to send out Document Download links to people in an address book. We have not yet discovered the payload or how it is getting into the building, but in our research it appears to destroy itself upon completion but leaves behind many Outlook rules. These look at typical responses such as "how do I open the document." It will then send a response back to the end user stating to click on the link and enter your email credentials. Users are falling for it, thinking it is from the legit person. We have written custom signatures to stop the HTML pages that harvest the credentials, but I'm curious if others have seen this? I have attached some screenshots of what is sent and what users see. Thanks in advance for any help!
03-08-2017 02:16 PM
I've actually seen this a fair bit recently. If it gets in there isn't much that you can do, and we found that it was usually something that the user had received and ran from Outlook itself. Sadly, once it's in it's pretty ingenious, as it actually sets things up as rules, sends out one blast and deletes itself. The rules are created by the virus and are used to filter responses to attempt to make it harder to actually identify quickly what is actually going on.
I'd be interested in hearing if more people are seeing this as well.
03-09-2017 05:58 AM
Some more information from my team shows that it does delete itself. Running a scan with Kaspersky, BitDefender, Windows Defender, McAfee, and Malwarebytes shows no trace. The only evidence we have are rules lingering in Outlook that perform these auto responses. The malware does not seem to trigger when clicking on the phishing links. These only launch the HTTP pages whose patterns we are blocking. All I can think of at this time would be an EXE coming into email, which we block, or a malicious document. What are others seeing?
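Since the lingering Outlook rules are the only artefact left behind, a quick way to scope which mailboxes are affected is to enumerate every mailbox's inbox rules and flag the ones whose conditions or actions match what the thread describes. This is an added example, not code from the thread or from Palo Alto; it assumes an Exchange Online or Exchange Management Shell session where Get-Mailbox and Get-InboxRule are available, and the keyword list is constructed from the wording in the posts above.

```powershell
# Added example: hunt for inbox rules that look like the auto-responder
# artefacts described in the thread. Assumes an Exchange PowerShell session.
# Keyword list is constructed from the thread ("how do I open the document").
$suspectWords = @('open', 'document', 'link', 'password', 'credential')

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        # Collect every "contains words" condition on the rule
        $conditions = @($rule.SubjectContainsWords) +
                      @($rule.BodyContainsWords) +
                      @($rule.SubjectOrBodyContainsWords) | Where-Object { $_ }

        # Does any condition match one of the reply phrases the thread describes?
        $keywordHit = $conditions | Where-Object {
            $c = $_; $suspectWords | Where-Object { $c -like "*$_*" }
        }

        # Actions that hide replies from the user or leak them elsewhere
        $hides = $rule.DeleteMessage -or $rule.MoveToFolder -or $rule.MarkAsRead
        $leaks = @($rule.ForwardTo).Count -gt 0 -or
                 @($rule.ForwardAsAttachmentTo).Count -gt 0 -or
                 @($rule.RedirectTo).Count -gt 0

        if ($keywordHit -or $leaks -or ($hides -and $conditions.Count -gt 0)) {
            [pscustomobject]@{
                Mailbox   = $mbx.PrimarySmtpAddress
                Rule      = $rule.Name
                Enabled   = $rule.Enabled
                Keywords  = ($conditions -join '; ')
                Forwards  = ((@($rule.ForwardTo) + @($rule.RedirectTo)) -join '; ')
                Deletes   = $rule.DeleteMessage
                MovesTo   = $rule.MoveToFolder
            }
        }
    }
}

# Keep a record for the incident timeline, then review on screen
$findings | Export-Csv -Path .\suspicious-inbox-rules.csv -NoTypeInformation
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Get-InboxRule only lists rules stored in the mailbox; rules that exist only in the Outlook client on the affected workstations still need to be checked on those machines. Remove a confirmed rule with Remove-InboxRule only after you have exported the evidence.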