mlltech

Posts posted by mlltech

  1. On 10/26/2020 at 9:53 AM, Marcos said:

    In order to take a specific action on macro-enabled Office documents, please refer to https://help.eset.com/emsx/7.0/en-US/idh_config_mailserver_rules.html:

    I would strongly recommend trying out ESET Dynamic Threat Defense for instant protection from new email threats.

    Yes, we have this enabled, but more important than a file going undetected is the fact that spoofers can bypass all filters. From my original message:

    "What if the spammer/spoofer uses a different email every day? We can't simply add manually rules everyday, or add all the domains we interact with to different rules."

    Regards

  2. On 10/21/2020 at 3:00 PM, Marcos said:

    Please provide us with more information about the malware that goes undetected through ESET. Is it executables? Office documents? HTML files or some other kind of files? Have you considered trying out ESET Dynamic Threat Defense for automated replication of received files in ESET's cloud sandbox?

    As for the other queries, I'll leave them to @filipsor @M.K. to respond.

    It's an xls file, containing a macro. It seems to be detected now (trojandownloader something).

    @filips @M.K. I would really appreciate any help here.

  3. On 9/25/2020 at 10:14 AM, filips said:

    Hi raimund,

    Attachment type rules are evaluated on all files in archives - zipped document with macro will be caught by the rule (unless it's password protected).

    Rules support only comparing of static strings so it is not possible to compare From: and Return-Path: headers. Not a perfect solution, but something like this should do the job:

    From Header - display name contains one of [@customer1.com, @customer2.com]
    Message headers do not match regular expression "\nReply-To: .*(@customer1.com|customer2.com)"

    Excuse me, but that's not very useful. What if the spammer/spoofer uses a different email every day? We can't simply add rules manually every day, or add all the domains we interact with to different rules.

    I have exactly the same problem as raimund. Malicious attachments undetected by ESET and many other vendors (they get detected after a few days), with the From address spoofed (Reply-To is another address, similar to the spoofed one).

    Isn't there anything else that can be done? I've already configured rules to quarantine all emails with macro-enabled attachments, but I got one today that contains a malicious Excel in xls format, not xlsm. It's not possible to simply quarantine all emails that include an xls file.
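The two gaps raised in this thread (a From/Reply-To mismatch that a static-string rule cannot express directly, and a macro in a binary .xls that an extension rule for .xlsm misses) can be checked together outside the product's rule engine. The following Python prototype is an added example, not part of this thread and not ESET Mail Security code; it uses only the standard library. The sample message, the look-alike Reply-To domain and the stand-in .xls bytes are constructed for the demonstration. It goes beyond the specific case in the thread by also walking zip containers, so a zipped .xls and an .xlsm are inspected the same way, and by reporting password-protected archive members that cannot be inspected.

```python
"""Mail-rule prototype for the two gaps raised in this thread.

Added example, not ESET Mail Security code: the rule names, the constructed
sample message and the look-alike domain are assumptions. Standard library
only. Two checks:
  1. From vs Reply-To domain comparison (what filips' regex rule approximates).
  2. Macro detection by container inspection rather than file extension, so a
     binary .xls (OLE2) with a VBA project is caught, not only .xlsm.
The macro check is a byte-level heuristic on stream/part names, not a VBA parser.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory-entry names are stored UTF-16LE; a VBA project in a legacy
# .xls lives under "_VBA_PROJECT_CUR", in a legacy .doc under "Macros".
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]
# OOXML (xlsm/docm/pptm) stores the VBA project as a part named vbaProject.bin.
OOXML_VBA_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
ZIP_MAGIC = b"PK\x03\x04"


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def reply_to_mismatch(msg):
    """True when Reply-To names a different domain than From."""
    rto = domain_of(msg.get("Reply-To"))
    return bool(rto) and rto != domain_of(msg.get("From"))


def inspect_bytes(name, data, depth=0):
    """Return [(member_name, indicator)] for macro evidence in one attachment.
    Zip containers (xlsm, docm, plain .zip) are walked recursively, so a zipped
    .xls is inspected too; encrypted members are reported, not inspected."""
    findings = []
    if data.startswith(OLE_MAGIC):
        if any(marker in data for marker in OLE_VBA_MARKERS):
            findings.append((name, "ole-vba-project"))
        return findings
    if not data.startswith(ZIP_MAGIC) or depth >= 3:
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:  # bit 0 = encrypted (password-protected)
                    findings.append((member, "encrypted-member"))
                elif OOXML_VBA_PART.search(info.filename):
                    findings.append((member, "ooxml-vba-project"))
                else:
                    findings.extend(inspect_bytes(member, zf.read(info), depth + 1))
    except zipfile.BadZipFile:
        pass
    return findings


def evaluate(raw):
    """Apply both rules to a raw RFC 5322 message and return a verdict dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload:
            findings.extend(inspect_bytes(part.get_filename() or "unnamed", payload))
    spoof = reply_to_mismatch(msg)
    macro = any(kind != "encrypted-member" for _, kind in findings)
    encrypted = any(kind == "encrypted-member" for _, kind in findings)
    if macro and spoof:
        action = "quarantine"
    elif macro or encrypted or spoof:
        action = "hold-for-review"
    else:
        action = "deliver"
    return {"reply_to_mismatch": spoof, "macro": macro,
            "encrypted_archive": encrypted, "findings": findings, "action": action}


# --- constructed sample inputs (not real documents or real mail) -------------

def build_legacy_xls_with_macro():
    """Stand-in for a macro-bearing binary .xls: OLE2 magic plus a UTF-16LE
    '_VBA_PROJECT_CUR' directory-entry name. Not a real workbook."""
    body = bytearray(4096)
    body[:8] = OLE_MAGIC
    marker = "_VBA_PROJECT_CUR".encode("utf-16-le")
    body[1024:1024 + len(marker)] = marker
    return bytes(body)


def build_zip(members):
    """Zip archive from {name: bytes}; also serves as a minimal xlsm skeleton."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def build_sample_message(attachment_name, attachment_bytes,
                         reply_to="accounts@customer1-invoices.example"):
    """Message whose From claims customer1.com (a domain from the thread) while
    Reply-To points at an assumed look-alike domain; reply_to=None drops it."""
    msg = EmailMessage()
    msg["From"] = "Accounts <accounts@customer1.com>"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["To"] = "ap@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(evaluate(build_sample_message("invoice.xls", build_legacy_xls_with_macro())))
```

Run as a script to see the verdict for the constructed spoofed message with a macro-bearing .xls. The domain comparison is deliberately independent of any customer list, which is the point raised above: it does not need a rule per domain. The OLE2 marker search is a heuristic that a dedicated OLE parser (or a sandbox such as the one Marcos recommends) would replace in production, and an encrypted archive member is surfaced for review precisely because its contents cannot be checked.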
