Researching information on a phishing attack that we are experiencing

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Researching information on a phishing attack that we are experiencing

L2 Linker

I thought I would reach out and see if the team at Palo Alto or the user community could shed some light on this one.  We are experiencing a phishing attack on random workstations (luckily only 5 at the moment) hyjacking Outlook to send out Document Download links to people in an address book.  We have not yet discovered the payload or how it is getting into the building, but in our research it appears to destroy itself upon completion but leaves behind many Outlook rules.  These look at typical responses such as "how do I open the document."  It will then send a response back to the end user stating to click on the link and enter your email credentials.  Users are falling for it thinking it is from the legit person.  We have written custom signatures to stop the HTML pages to harvest the credentials, but curious if others have seen this?  I have attached some screenshots of what is sent and users see.  Thanks in advance for any help!

 

1.png2.png3.JPG4.jpg

 

 

2 REPLIES 2

Cyber Elite
Cyber Elite

I've actually seen this a fair bit recently. If it gets in there isn't much that you can do, and we found that it was usually something that the user had recieved and ran from Outlook itself. Sadly once it's in its pretty ingenious as it actually sets things up as rules sends out one blast and deletes itself. The rules are created by the virus and are used to filter responses to attempt to make it harder to actually  identify quickly what is actually going on. 

 

I'd be interested in hearing if more people are seeing this as well. 

Some more information from my team shows that it does delete itself.  Running a scan with Kaspersky, BitDefender, Windows Defender, McAfee, and Malware Bytes show no trace.  The only evidence we have are rules lingering in Outlook that perform these auto responses.  The malware does not seem to trigger when clicking on the phishing links.  These only lauch the HTTP pages who's patterns we are blocking.  All I can think of at this time would be a EXE coming into email which we block or a malicious document.  What are others seeing?

  • 2657 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!