Endpoint Protection

  • 1.  Malicious emails with link to infected word documents

    Posted May 04, 2017 02:28 AM

    Hi there,

    I am just trying to find out how this is possible without finding any virus on any device.

    Lately we or our customers are getting emails that look like they are sent from the customer to us or from us to them.


    The interesting thing is: the two persons are ALWAYS connected. They know each other. But the email address is wrong.

    It looks to me like the GAL or maybe XING was compromised.

    Some users trust the email sender name (not the email address) and open the Word document. Symantec caught some of them (but not all).

    Anyone else experiencing this? 

    Best regards

    Stephan



  • 2.  RE: Malicious emails with link to infected word documents

    Posted May 04, 2017 03:01 AM

    Submit the URL to Symantec for analysis -

    https://submit.symantec.com/websubmit/bcs.cgi



  • 3.  RE: Malicious emails with link to infected word documents

    Posted May 04, 2017 03:10 AM

    I know that it is a virus. I just want to know how they did get the mail addresses and more important the link between them.

    Because there is no "detectable" virus on the clients.



  • 4.  RE: Malicious emails with link to infected word documents

    Posted May 04, 2017 03:20 AM

    What Symantec product is installed in your organization?

    Also, it's good to involve support on this, because even though security is in place in your company, internal info is getting exposed to attackers.



  • 5.  RE: Malicious emails with link to infected word documents

    Posted May 04, 2017 05:57 AM
    The email addresses are spoofed. Any address can be spoofed. Most likely one of the accounts, or a contact's, was hacked. Do you have email protection at your gateway?


  • 6.  RE: Malicious emails with link to infected word documents

    Posted May 04, 2017 06:09 AM

    Hi Steppe,

    (SEP is not the best tool for fighting mail-borne threats; a dedicated mail security product and end user education are crucial!)

    Identity theft does not just happen to individuals.  If someone compromised one of your business's endpoints at some stage and copied out the email contact lists, or if someone intercepted traffic to or from your company to see what was considered "normal," it would be very easy for them to create convincing phishing lures like the one you describe.

    This article has some information, though not specifically about malicious links:

    Support Perspective: W97M.Downloader Battle Plan
    https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan

    There are many ways to verify senders: digitally signing mail, using SPF and similar, etc. They're all a bit off topic for the SEP forum, though.

    Hope this helps!
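The lure described in this thread (a trusted display name over a wrong address) and the SPF check mentioned in the last reply, as an added example that is not part of the thread or of any Symantec product: a small triage script that flags a message whose display name belongs to a known contact but whose address or SPF result does not match. The sample messages, the contact directory, the trusted domain list and the presence of a gateway-added Authentication-Results header are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the thread): a known colleague's display name
# over an address on an unrelated domain, with the gateway reporting spf=fail.
SAMPLE_SPOOF = """\
From: "Stephan Mueller" <stephan.mueller@mail-relay-example.net>
To: customer@example.com
Subject: Invoice
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay-example.net
Content-Type: text/plain

Please open the attached document.
"""

# Constructed legitimate counterpart: same display name, expected address, spf=pass.
SAMPLE_LEGIT = """\
From: "Stephan Mueller" <stephan.mueller@example.com>
To: customer@example.com
Subject: Invoice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com
Content-Type: text/plain

Hello, the invoice is attached.
"""

# Assumed directory data: domains we exchange mail with, and the address each
# known display name should resolve to (in practice, pulled from the GAL/CRM).
TRUSTED_DOMAINS = {"example.com", "partner.example"}
KNOWN_CONTACTS = {"stephan mueller": "stephan.mueller@example.com"}


def analyse(raw_message):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        findings.append("display-name mismatch")   # known name, wrong address
    if domain and domain not in TRUSTED_DOMAINS:
        findings.append("untrusted sender domain")
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("spf failure")             # gateway SPF verdict
    return findings
```

Feeding the two samples through analyse() shows the spoof tripping all three checks while the legitimate message returns no findings; the same checks are what a mail gateway rule or a SIEM correlation would encode.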