Connie 0 Posted June 17, 2020

Hi, I keep getting the following pop-up notice from ESET Internet Security telling me that a fraud threat has been found which Outlook was trying to access. The pop-up says that the threat has now been cleaned, however the pop-up keeps opening every 10-15 seconds.

How can I stop this pop-up? Has the fraud file been cleaned and deleted? Why does this still pop up? (HTML/Fraud.EK) from melinda......@yahoo.com

How can I get rid of this and the pop-up? I already put this address in my blocked senders list but it keeps popping up.

Many thanks, Connie

Administrators Marcos 4,712 Posted June 17, 2020

Please provide logs collected with ESET Log Collector so that we, the ESET staff, can get more details about the detections.

Connie 0 Posted June 17, 2020 Author

Hi, I found the logs, how do I send them? I can't copy and paste them.

Connie 0 Posted June 17, 2020 Author

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
03/04/2020 19:28:55;Email filter - Outlook;email message;from: jimXXXXXXX@gmail.com to: undisclosed-recipients: with subject Raphael ;HTML/Fraud.CX trojan;contained infected files;LAPTOP-3TJ605RA\User;Event occurred upon receiving an email by the application: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE.;;

Attachment: virlog.rar

Edited June 17, 2020 by Marcos: Log moved to a file to save space

itman 1,541 Posted June 17, 2020

F-Secure has a good description of this here:

Quote: "Technical Details. Other:HTML/Fraud detects fraudulent email messages and website HTML. Detections are typically the result of a mismatch in HREF tags used by hyperlinks. The fraudulent message or site is attempting to disguise or obfuscate the hyperlink. Disguised links are used by phishers attempting to lure victims to fraudulent sites in order to steal personal account details."

https://www.f-secure.com/v-descs/other_html_fraud.shtml

My best guess is the sender's e-mail address is spoofed. This is why blocking melindacz5252@yahoo.com is not working. You will have to examine in detail the incoming e-mail headers for the actual e-mail address being used.

Also, based on your posted Eset log, if you are using a third party e-mail provider, I would start looking for another one. Third party e-mail providers are supposed to be scanning all incoming e-mails at their servers prior to forwarding them to the recipient.

Edited June 17, 2020 by itman

itman 1,541 Posted June 17, 2020

It also appears $$$Microsoft has built-in spoofing identification into Outlook, but only for the Enterprise versions: https://support.microsoft.com/en-us/office/identify-suspicious-messages-in-outlook-com-and-outlook-on-the-web-3d44102b-6ce3-4f7c-a359-b623bec82206?ui=en-us&rs=en-us&ad=us

Edited June 17, 2020 by itman

itman 1,541 Posted June 17, 2020

This article gets into how to track down spoofed e-mail addresses: https://lifehacker.com/how-can-i-find-out-why-my-email-account-just-spammed-my-5875848

Administrators Marcos 4,712 Posted June 17, 2020

It looks like the same email is received via IMAP again and again. What email provider do you use? Is it a company that you work for or a public email provider?

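An added illustration, not part of the original posts and not ESET tooling: to check from an exported detection log whether the alerts are one message being scanned repeatedly, the Python below groups rows by hash (or by the message description when the Hash column is empty) and reports the repeat count and median gap. It assumes the semicolon-separated columns from the log header posted earlier in the thread and day-first dates; the rows, addresses and hash value are constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from statistics import median

# Constructed rows in the column layout shown in the thread; the addresses,
# subjects and hash are placeholders, not real indicators.
SAMPLE_LOG = """Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
04/08/2020 12:45:31;IMAP filter;email message;from: a@example.com with subject Hello;HTML/Fraud.EK trojan;contained infected files;user;;HASH-PLACEHOLDER-A;
04/08/2020 12:46:31;IMAP filter;email message;from: a@example.com with subject Hello;HTML/Fraud.EK trojan;contained infected files;user;;HASH-PLACEHOLDER-A;
04/08/2020 12:47:33;IMAP filter;email message;from: a@example.com with subject Hello;HTML/Fraud.EK trojan;contained infected files;user;;HASH-PLACEHOLDER-A;
04/08/2020 13:00:00;IMAP filter;email message;from: b@example.org with subject Offer;HTML/Fraud.CX trojan;contained infected files;user;;;
04/08/2020 13:00:15;IMAP filter;email message;from: b@example.org with subject Offer;HTML/Fraud.CX trojan;contained infected files;user;;;
"""

def repeated_detections(log_text, min_repeats=3):
    """Group detections of the same message; report those seen min_repeats+ times."""
    groups = defaultdict(list)
    for row in csv.DictReader(StringIO(log_text), delimiter=";"):
        # The Hash column can be empty, so fall back to the message description.
        key = (row["Hash"] or row["Object"], row["Detection"])
        groups[key].append(datetime.strptime(row["Time"], "%d/%m/%Y %H:%M:%S"))
    report = []
    for (ident, detection), times in groups.items():
        if len(times) < min_repeats:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report.append({"id": ident, "detection": detection,
                       "count": len(times), "median_gap_s": median(gaps)})
    return report
```

A single identifier with a high count and a steady gap points to one stored message being fetched again on each mail check, rather than a stream of new messages.
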
Connie 0 Posted June 17, 2020 Author

Hello, many thanks for your replies. I am afraid I am not very technical when it comes to computers. I have sent the logs to samples@eset.com, so let's see what they say. Again, many thanks, it is appreciated.

Connie 0 Posted June 17, 2020 Author

Hi Marcos, the email provider is not a company that I work for. I am using https://www.register365.com/email-hosting/features/webmail for the affected account info@scotiaireland.ie

Many thanks Marcos for getting back to me so quickly, it is appreciated.

Connie

Connie 0 Posted June 17, 2020 Author

Hi itman, many thanks for your replies and help, it is appreciated. Connie.

itman 1,541 Posted June 17, 2020

27 minutes ago, Marcos said: "It looks like the same email is received via IMAP again and again."

Or, the e-mail is not being deleted and the same e-mail is being detected over and over again. The original log posting has been deleted from this thread, but what was shown there leads me to assume this.

@Connie, refer to the below screen shot and set "Action" to Delete and see if this stops these constant Eset alerts:

Edited June 17, 2020 by itman

Connie 0 Posted June 17, 2020 Author

Hi itman, I will try this and let you know if it works. I have never had this happen previously. Let's see. Again, I am most obliged to you for your help. Connie.

Administrators Marcos 4,712 Posted June 17, 2020

4 hours ago, Connie said: "many thanks for your replies. I am afraid I am not very technical when it comes to computers. I have sent the logs to samples@eset.com"

This is not necessary since the threat was detected. At samples@eset.com we do not provide support for other than detection issues and this one is of a technical nature.

Would it be possible to get a test account on the mail server that you get your email from?

itman 1,541 Posted June 18, 2020

On 6/17/2020 at 10:37 AM, Connie said: "I am using https://www.register365.com/email-hosting/features/webmail"

Appears the AV scanning of e-mail to their servers is an "add-on" feature: https://www.register365.com/email-hosting/features/anti-virus . If not used, this would explain how all this garbage e-mail is arriving on the local device. Also a factor is what security product is being used. AOL e-mail, for example, uses Symantec Endpoint.

Of note is that free e-mail providers such as AOL, Google, etc. scan all incoming e-mail when it arrives on their servers and prior to forwarding it to the e-mail recipient.

Edited June 18, 2020 by itman

SylyntKnyght 0 Posted July 25, 2020

Has anyone solved this issue? These are occurring every 10 mins or so...

Administrators Marcos 4,712 Posted July 27, 2020

Please carry on as follows:
- enable advanced logging under Help and support -> Details for technical support
- reproduce the issue
- disable logging
- collect logs with ESET Log Collector and upload the generated archive here.

Eddie 0 Posted July 31, 2020

On 7/24/2020 at 9:39 PM, SylyntKnyght said: "Has anyone solved this issue? These are occurring every 10 mins or so..."

I have to close my Outlook client to stop this threat detection alert from occurring every minute. I even selected "delete emails" under Advanced Setup as posted by ITMAN on June 17.

Administrators Marcos 4,712 Posted August 1, 2020

6 hours ago, Eddie said: "I have to close my Outlook client to stop this threat detection alert from occurring every minute. I even selected "delete emails" under Advanced Setup as posted by ITMAN on June 17."

Please read the instructions for collecting logs above and upload an archive generated by ESET Log Collector here.

ESET Support notimportant 5 Posted August 3, 2020

On 7/31/2020 at 11:39 PM, Eddie said: "I have to close my Outlook client to stop this threat detection alert from occurring every minute. I even selected "delete emails" under Advanced Setup as posted by ITMAN on June 17."

We had similar cases where emails were repeatedly detected every few minutes. Please try to log in to your email via the web interface, search for the detected email and delete it manually.

ITInova 0 Posted August 4, 2020

Hi there. I'm having the same problem. The email was deleted from 'Detected Items' and from 'Trash' and the pop-up keeps showing. The user has many email accounts configured in Outlook so I'm not sure which one had the infected email. Any help please? Thank you in advance.

Here are the logs:

</RECORD>
<RECORD>
<COLUMN NAME="Time">04/08/2020 12:45:31</COLUMN>
<COLUMN NAME="Scanner">IMAP filter</COLUMN>
<COLUMN NAME="Object type">email message</COLUMN>
<COLUMN NAME="Object">from: Lilian Christophe <lilianchrstph@gmail.com> with subject Hello Dear Are you available? dated Mon, 3 Aug 2020 12:32:31 +0000 (UTC) </COLUMN>
<COLUMN NAME="Detection">HTML/Fraud.EK trojan</COLUMN>
<COLUMN NAME="Action">contained infected files</COLUMN>
<COLUMN NAME="User">****\****</COLUMN>
<COLUMN NAME="Information">Event occurred upon receiving an email by the application: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE (81F64C1E160DACC4A208CC23E3A0FBA7580CEDAB).</COLUMN>
<COLUMN NAME="Hash">50AA9F094B92600A777F1F1CFB4E9C83796ABD9B</COLUMN>
<COLUMN NAME="First seen here"></COLUMN>
</RECORD>
</LOG>

Edited August 4, 2020 by ITInova

KenMaser 0 Posted August 4, 2020

I am getting the same message as Melinda on a regular basis whenever Outlook is open.

Administrators Marcos 4,712 Posted August 4, 2020

You can switch to the pre-release update channel and wait for a new Internet protection module to become available which should address this issue.

thusmann 0 Posted August 12, 2020

On 8/4/2020 at 9:07 PM, Marcos said: "You can switch to the pre-release update channel and wait for a new Internet protection module to become available which should address this issue."

When will it be available? We keep getting the notifications that a threat has been cleaned many times a day. On one client it is about 180x/day and on another 100x/day. Please provide a fix as soon as possible. It seems to me that only deleting the message via a webmailer could help, as we cannot see this message in Outlook.

RHP 0 Posted August 20, 2020

We had the same problem with the same virus (HTML/Fraud.EK.trojan). NOD32 reported the email was cleaned every minute as if a new email was coming in. Cleaned emails were supposed to go to Detected Items in Outlook 2013, but it was empty. Offending email was not in Inbox either. But when searching Inbox in webmail interface it was there. We deleted email there and then all was good. Seems like a glitch between Outlook 201? and NOD32/ESET.