Connie

Threat removed pop up


Hi

I keep getting the following pop up notice from Eset Internet Security telling me that a fraud threat has been found which Outlook was trying to access. The pop up says that the threat has now been cleaned, however the pop up keeps opening every 10-15 seconds. How can I stop this popup? Has the fraud file been cleaned and deleted? Why does this still pop up?

(HTML/Fraud.EK) from melinda......@yahoo.com

How can I get rid of this and the popup? I already put this address in my blocked senders list but it keeps popping up.

Many thanks

Connie

 


Please provide logs collected with ESET Log Collector so that we, the ESET staff, can get more details about the detections.


Hi, I found the logs, how do I send them? I can't copy and paste them?


Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
03/04/2020 19:28:55;Email filter - Outlook;email message;from: jimXXXXXXX@gmail.com to: undisclosed-recipients: with subject Raphael ;HTML/Fraud.CX trojan;contained infected files;LAPTOP-3TJ605RA\User;Event occurred upon receiving an email by the application: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE.;;

 

virlog.rar

Edited by Marcos
Log moved to a file to save space


F-Secure has a good description of this here:

Quote

Technical Details

Other:HTML/Fraud detects fraudulent email messages and website HTML. Detections are typically the result of a mismatch in HREF tags used by hyperlinks. The fraudulent message or site is attempting to disguise or obfuscate the hyperlink. Disguised links are used by phishers attempting to lure victims to fraudulent sites in order to steal personal account details.

https://www.f-secure.com/v-descs/other_html_fraud.shtml

My best guess is the sender's e-mail address is spoofed. This is why blocking, melindacz5252@yahoo.com, is not working. You will have to examine in detail the incoming e-mail headers for the actual e-mail address being used.

Also based on your posted Eset log if you are using a third party e-mail provider, I would start looking for another one. Third party e-mail providers are supposed to be scanning all incoming e-mails at their servers prior to forwarding them to the recipient.

Edited by itman


It also appears $$$Microsoft has built-in spoofing identification into Outlook, but only for the Enterprise versions: https://support.microsoft.com/en-us/office/identify-suspicious-messages-in-outlook-com-and-outlook-on-the-web-3d44102b-6ce3-4f7c-a359-b623bec82206?ui=en-us&rs=en-us&ad=us

Edited by itman


It looks like the same email is received via IMAP again and again. What email provider do you use? Is it a company that you work for or a public email provider?
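One way to check from an exported detection log whether a single message is being re-detected, as suggested above, rather than many different messages arriving. This is an added example, not part of the original posts and not an ESET tool; the rows are constructed in the semicolon-separated column layout of the log posted earlier in the thread, and the day/month date order is an assumption based on the later log record dated 04/08/2020 for an email sent on 3 Aug 2020.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed rows in the column layout of the log posted in this thread.
SAMPLE = """\
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
03/04/2020 19:28:55;IMAP filter;email message;from: a@example.com with subject Hello;HTML/Fraud.EK trojan;contained infected files;user;;;
03/04/2020 19:29:10;IMAP filter;email message;from: a@example.com with subject Hello;HTML/Fraud.EK trojan;contained infected files;user;;;
03/04/2020 19:29:25;IMAP filter;email message;from: a@example.com with subject Hello;HTML/Fraud.EK trojan;contained infected files;user;;;
03/04/2020 19:29:40;IMAP filter;email message;from: a@example.com with subject Hello;HTML/Fraud.EK trojan;contained infected files;user;;;
03/04/2020 19:31:00;IMAP filter;email message;from: b@example.org with subject Invoice;HTML/Fraud.CX trojan;contained infected files;user;;;
"""

def repeated_detections(log_text, min_hits=3):
    """Group detections by (message, detection name); report those that repeat."""
    reader = csv.DictReader(io.StringIO(log_text), delimiter=";",
                            quoting=csv.QUOTE_NONE)
    seen = defaultdict(list)
    for row in reader:
        # Assumption: timestamps are day/month/year, as in the thread's logs.
        when = datetime.strptime(row["Time"], "%d/%m/%Y %H:%M:%S")
        seen[(row["Object"].strip(), row["Detection"])].append(when)
    report = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        # Seconds between consecutive detections of the same message.
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {"hits": len(times), "median_gap_s": median(gaps)}
    return report
```

A single key with many hits at short, regular intervals points to one stored message being scanned again on each retrieval, which matches the advice later in the thread to delete that message on the server.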


Hello

many thanks for your replies. I am afraid I am not very technical when it comes to computers. I have sent the logs to

 samples@eset.com

So let's see what they say.

 

Again many thanks it is appreciated.


Hi itman

many thanks for your replies and help it is appreciated. 

Connie.

27 minutes ago, Marcos said:

It looks like the same email is received via IMAP again and again.

Or, the e-mail is not being deleted and the same e-mail is being detected over and over again. The original log posting has been deleted from this thread, but what was shown there leads me to assume this.

@Connie, refer to the below screen shot and set "Action" to Delete and see if this stops these constant Eset alerts:

[Screenshot: Eset_Email.png]

Edited by itman


Hi itman, I will try this and let you know if it works. I have never had this happen previously.

Let's see, again I am most obliged to you for your help.

 

Connie.

4 hours ago, Connie said:

many thanks for your replies. I am afraid I am not very technical when it comes to computers. I have sent the logs to

 samples@eset.com

This is not necessary since the threat was detected. At samples@eset.com we do not provide support for other than detection issues and this one is of a technical nature. Would it be possible to get a test account on the mail server that you get your email from?

On 6/17/2020 at 10:37 AM, Connie said:

Appears the AV scanning of e-mail to their servers is an "add-on" feature: https://www.register365.com/email-hosting/features/anti-virus . If not used, this would explain how all this garbage e-mail is arriving on the local device. Also a factor is what security product is being used. AOL e-mail for example, uses Symantec Endpoint.

Of note is that free e-mail providers such as AOL, Google, etc. scan all incoming e-mail when it arrives on their servers and prior to forwarding it to the e-mail recipient.

Edited by itman


Please carry on as follows:
- enable advanced logging under Help and support -> Details for technical support
- reproduce the issue
- disable logging
- collect logs with ESET Log Collector and upload the generated archive here.

On 7/24/2020 at 9:39 PM, SylyntKnyght said:

Has anyone solved this issue?  These are occurring every 10 mins or so...

I have to close my Outlook client to stop this threat detection alert from occurring every minute. I even selected "delete emails" under Advanced Setup as posted by ITMAN on June 17.

6 hours ago, Eddie said:

I have to close my Outlook client to stop this threat detection alert from occurring every minute. I even selected "delete emails" under Advanced Setup as posted by ITMAN on June 17.

Please read the instructions for collecting logs above and upload an archive generated by ESET Log Collector here.

On 7/31/2020 at 11:39 PM, Eddie said:

I have to close my Outlook client to stop this threat detection alert from occurring every minute. I even selected "delete emails" under Advanced Setup as posted by ITMAN on June 17.

We had similar cases where emails were repeatedly detected every few minutes. Please try to log in to your email via the web interface, search for the detected email and delete it manually.


Hi there. I'm having the same problem. The email was deleted from 'Detected Items' and from 'Trash' and the pop-up keeps showing. The user has many email accounts configured on Outlook so I'm not sure which one had the infected email.

Any help please?

Thank you in advance. :)


Here are the logs:

 

Quote

</RECORD>
    <RECORD>
      <COLUMN NAME="Time">04/08/2020 12:45:31</COLUMN>
      <COLUMN NAME="Scanner">IMAP filter</COLUMN>
      <COLUMN NAME="Object type">email message</COLUMN>
      <COLUMN NAME="Object">from: Lilian Christophe &lt;lilianchrstph@gmail.com&gt; with subject Hello Dear Are you available? dated Mon, 3 Aug 2020 12:32:31 +0000 (UTC) </COLUMN>
      <COLUMN NAME="Detection">HTML/Fraud.EK trojan</COLUMN>
      <COLUMN NAME="Action">contained infected files</COLUMN>
      <COLUMN NAME="User">****\****</COLUMN>
      <COLUMN NAME="Information">Event occurred upon receiving an email by the application: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE (81F64C1E160DACC4A208CC23E3A0FBA7580CEDAB).</COLUMN>
      <COLUMN NAME="Hash">50AA9F094B92600A777F1F1CFB4E9C83796ABD9B</COLUMN>
      <COLUMN NAME="First seen here"></COLUMN>
    </RECORD>
 </LOG>

   
 

Edited by ITInova


I am getting the same message as Melinda on a regular basis whenever Outlook is open


You can switch to the pre-release update channel and wait for a new Internet protection module to become available which should address this issue.
