Jump to content

Recommended Posts

Hi

I keep getting the following pop up notice from Eset Internet security telling me a that a fraud threat has been found which Outlook was trying to access. The pop up says that that the threat has now been cleaned, however the pop up keeps opening every 10-15 seconds. How can I stop this popup ? has the fraud file been cleaned ? and deleted ? why does this still popup ?

(HTML/Fraud.EK) from melinda......@yahoo.com

How can I get rid of this and the popup, I already put this address in my blocked senders list but it keeps poppin up.

Many thanks

Connie

 

Link to post
Share on other sites
18 minutes ago, Connie said:

Hi

I keep getting the following pop up notice from Eset Internet security telling me a that a fraud threat has been found which Outlook was trying to access. The pop up says that that the threat has now been cleaned, however the pop up keeps opening every 10-15 seconds. How can I stop this popup ? has the fraud file been cleaned ? and deleted ? why does this still popup ?

(HTML/Fraud.EK) from melinda......@yahoo.com

How can I get rid of this and the popup, I already put this address in my blocked senders list but it keeps poppin up.

Many thanks

Connie

 

Hi I found the logs, how do I send them. I cant copy and paste them ? 

Link to post
Share on other sites

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
03/04/2020 19:28:55;Email filter - Outlook;email message;from: jimXXXXXXX@gmail.com to: undisclosed-recipients: with subject Raphael ;HTML/Fraud.CX trojan;contained infected files;LAPTOP-3TJ605RA\User;Event occurred upon receiving an email by the application: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE.;;

 

virlog.rar

Edited by Marcos
Log moved to a file to save space
Link to post
Share on other sites

F-Secure has a good description of this here:

Quote

Technical Details

Other:HTML/Fraud detects fraudulent email messages and website HTML.Detections are typically the result of a mismatch in HREF tags used by hyperlinks. The fraudulent message or site is attempting to disguise or obfuscate the hyperlink. Disguised links are used by phishers attempting to lure victims to fraudulent sites in order to steal personal account details.

https://www.f-secure.com/v-descs/other_html_fraud.shtml

My best guess is the sender's e-mail address is spoofed. This is why blocking, melindacz5252@yahoo.com, is not working. You will have to examine in detail the incoming e-mail headers for the actual e-mail address being used.

Also based on your posted Eset log if you are using a third party e-mail provider, I would start looking for another one. Third party e-mail providers are supposed to be scanning all incoming e-mails at their servers prior to forwarding them to the recipient.

Edited by itman
Link to post
Share on other sites

It also appears $$$Microsoft has built-in spoofing identification into Outlook, but only for the Enterprise versions: https://support.microsoft.com/en-us/office/identify-suspicious-messages-in-outlook-com-and-outlook-on-the-web-3d44102b-6ce3-4f7c-a359-b623bec82206?ui=en-us&rs=en-us&ad=us

Edited by itman
Link to post
Share on other sites
  • Administrators

It looks like the same email is received via IMAP again and again. What email provider do you use? Is it a company that you work for or a public email provider?

Link to post
Share on other sites

Hello

many thanks for your replies. I am afraid I am not very technical when it comes to computers. I have sent the logs to

 samples@eset.com

So lets see what they say

 

Again many thanks it is appreciated.

Link to post
Share on other sites
27 minutes ago, Marcos said:

It looks like the same email is received via IMAP again and again.

Or, the e-mail is not being deleted and the same e-mail is being detected over and over again. The original log posting has been deleted from this thread, but what was shown there leads me to assume this.

@Connie, refer to the below screen shot and set "Action" to Delete and see if this stops these constant Eset alerts:

Eset_Email.thumb.png.7a05cc269eef9ba89856c44ac0598586.png

Edited by itman
Link to post
Share on other sites

Hi itman, I will try this and let you know if it works, i have never had this happen previously. 

 

Lets see, again I am most obliged to you for your help.

 

Connie.

Link to post
Share on other sites
  • Administrators
4 hours ago, Connie said:

many thanks for your replies. I am afraid I am not very technical when it comes to computers. I have sent the logs to

 samples@eset.com

This is not necessary since the threat was detected. At samples@eset.com we do not provide support for other than detection issues and this one is of a technical nature. Would it be possible to get a test account on the mail server that you get your email from?

Link to post
Share on other sites
On 6/17/2020 at 10:37 AM, Connie said:

Appears the AV scanning of e-mail to their servers is an "add-on" feature: https://www.register365.com/email-hosting/features/anti-virus . If not used, this would explain how all this garbage e-mail is arriving on the local device. Also a factor is what security product is being used. AOL e-mail for example, uses Symantec Endpoint.

Of note is free e-mail providers such as AOL, Google, etc. scan all incoming e-mail when it arrives on their servers and prior to forwarding it to the e-mail recepient.

Edited by itman
Link to post
Share on other sites
  • 1 month later...
  • Administrators

Please carry on as follows:
- enable advanced logging under Help and support -> Details for technical support
- reproduce the issue
- disable logging
- collect logs with ESET Log Collector and upload the generated archive here.

Link to post
Share on other sites
On 7/24/2020 at 9:39 PM, SylyntKnyght said:

Has anyone solved this issue?  These are occurring every 10 mins or so...

I have to close my Outlook client to stop this this threat detection alert from occurring every minute. I even selected "delete emails" under Advanced Setup as posted by ITMAN on June 17.

Link to post
Share on other sites
  • Administrators
6 hours ago, Eddie said:

I have to close my Outlook client to stop this this threat detection alert from occurring every minute. I even selected "delete emails" under Advanced Setup as posted by ITMAN on June 17.

Please read the instructions for collecting logs above and upload an archive generated by ESET Log Collector here.

Link to post
Share on other sites
  • ESET Support
On 7/31/2020 at 11:39 PM, Eddie said:

I have to close my Outlook client to stop this this threat detection alert from occurring every minute. I even selected "delete emails" under Advanced Setup as posted by ITMAN on June 17.

We had similar cases where emails were repeatedly detected every few minutes. Please try to log in to your email via the web interface, search for the detected email and delete it manually.

Link to post
Share on other sites

Hi there. I'm having the same problem. The email was deleted from 'Detected Items' and from 'Trash' and the pop-up keeps showing. The user have many email accounts configured on Outlook so i'm not sure which one had the infected email.

Any help please?

Thank you in advance. :)


Here are the logs:

 

Quote

</RECORD>
    <RECORD>
      <COLUMN NAME="Time">04/08/2020 12:45:31</COLUMN>
      <COLUMN NAME="Scanner">IMAP filter</COLUMN>
      <COLUMN NAME="Object type">email message</COLUMN>
      <COLUMN NAME="Object">from: Lilian Christophe &lt;lilianchrstph@gmail.com&gt; with subject Hello Dear Are you available? dated Mon, 3 Aug 2020 12:32:31 +0000 (UTC) </COLUMN>
      <COLUMN NAME="Detection">HTML/Fraud.EK trojan</COLUMN>
      <COLUMN NAME="Action">contained infected files</COLUMN>
      <COLUMN NAME="User">****\****</COLUMN>
      <COLUMN NAME="Information">Event occurred upon receiving an email by the application: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE (81F64C1E160DACC4A208CC23E3A0FBA7580CEDAB).</COLUMN>
      <COLUMN NAME="Hash">50AA9F094B92600A777F1F1CFB4E9C83796ABD9B</COLUMN>
      <COLUMN NAME="First seen here"></COLUMN>
    </RECORD>
 </LOG>

   
 

Edited by ITInova
Link to post
Share on other sites
  • Administrators

You can switch to the pre-release update channel and wait for a new Internet protection module to become available which should address this issue.

Link to post
Share on other sites
  • 2 weeks later...
On 8/4/2020 at 9:07 PM, Marcos said:

You can switch to the pre-release update channel and wait for a new Internet protection module to become available which should address this issue.

When will it be available? We keep getting the notifications, that a thread has been cleaned many times a day. On one Client it is about 180x/day and on another 100x/day. Please provide an fix as soon as possible. It seems to me, that only deleting the message via a webmailer could help as we cannot see this message in outlook.

Link to post
Share on other sites

We had the same problem with the same virus (HTML/Fraud.EK.trojan).

NOD32 reported the email was cleaned every minute as if a new email was coming in. Cleaned emails were supposed to go to Detected Items in Outlook 2013, but it was empty. Offending email was not in Inbox either.

But when searching Inbox in webmail interface it was there. We deleted email there and then all was good. Seems like a glitch between Outlook 201? and Nod32/ ESET. 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...