raimund 0 Posted September 23, 2020 Share Posted September 23, 2020 (edited) How can this be handled? or maked as spam? Such mails currently occur more frequently and the attachments are packed. Inside are Office Docs with nasty macros, which are mostly not recognized.... SPF Checks and DKIM is all OK From: "known.customer@trusteddomain.com" <evil@nasty.com> Date: Wed, dd Sep 2020 hh:mm:ss +0000 To: mymailbox@mydomain.com Subject: knownsubject MIME-Version: 1.0 X-Mailer: Microsoft Outlook 16.0 Content-Type: multipart/mixed; boundary=067204a8992001fcc2d3323ef782a184 Message-ID: <xyz@mail01.mydomain.local>Return-Path: evil@nasty.com X-MS-Exchange-Organization-Network-Message-Id: 788513ff-5f7a-4da7-0e08-08d85faede96 X-ESET-AS: R=OK;S=0;OP=CALC;TIME=1600858394;VERSION=7861;MC=3420289152;TRN=2002;CRV=0;IPC=xxx.xxx.xxx.xxx;SP=0;SIPS=3;PI=3;F=0 X-ESET-Antispam: OK X-EsetResult: clean, is OK X-EsetId: 37303A29237BEC6B6D7C62 X-MS-Exchange-Organization-AuthSource: mail01.mydomain.local X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.4010310 X-MS-Exchange-Processed-By-BccFoldering: 15.01.1847.009 Edited September 23, 2020 by raimund Link to comment Share on other sites More sharing options...
ESET Staff M.K. 12 Posted September 24, 2020 ESET Staff Share Posted September 24, 2020 Hi, have you tried using custom rules with the combinations of conditions From header - address From header - display name? You can also have all macro-enabled office documents quarantined, using the Attachment type condition. Peter Randziak 1 Link to comment Share on other sites More sharing options...
raimund 0 Posted September 24, 2020 Author Share Posted September 24, 2020 (edited) Hi! I tried to use custom rules, but I was not able to combine the two From Headers, or to compare/differentiate (params), or I failed in the implementation. Quarantining Macro enabled Docs is clear to me, but does not solve the special problem of spoofing... also having a rule which checks for macros, but this macro was in office doc which was zipped... How can I build such a rule? The conditions are AND conditions... and how params should used? Edited September 24, 2020 by raimund Link to comment Share on other sites More sharing options...
itman 1,497 Posted September 24, 2020 Share Posted September 24, 2020 (edited) Unless you use Office macros internally, they should be permanently disabled or restricted via Group Policy: https://4sysops.com/archives/restricting-or-blocking-office-2016-2019-macros-with-group-policy/ . Optionally, Internet-based based only macros can be disabled: Quote Do not run macros from the internet ^ A new addition to Office 2016 is the ability to block only code in documents that originate from the internet. You can configure it separately for each application and can also find it under Security > Trust Center ("Block macros from running in Office files from the Internet"). Edited September 24, 2020 by itman Link to comment Share on other sites More sharing options...
raimund 0 Posted September 24, 2020 Author Share Posted September 24, 2020 Hi! Thank you for the information. my problem is not macros, my problem is mail spoofing, pls see mail header... Link to comment Share on other sites More sharing options...
itman 1,497 Posted September 24, 2020 Share Posted September 24, 2020 58 minutes ago, raimund said: my problem is not macros, my problem is mail spoofing, pls see mail header... FYI: https://blog.ironbastion.com.au/email-impersonation-scams-phishing-what-your-staff-can-do/ Link to comment Share on other sites More sharing options...
raimund 0 Posted September 24, 2020 Author Share Posted September 24, 2020 11 minutes ago, itman said: FYI: https://blog.ironbastion.com.au/email-impersonation-scams-phishing-what-your-staff-can-do/ perfekt article.... thank you but what in case of this... SPF+DKIM Checks are OK From: "known.customer@customersdomain.com" <evil@nasty.com>Return-Path: evil@nasty.com ? both sender are outside my network, but the one under the "" is my customer, the <> is the problem. you know outlook, the problem is the user, which believe this mail is will not be harmful, because it was sent by the customer, but at this time it's too late... blocking the nasty.com after receiving is too late. maybe next time mails came from: "antoher.customer@theirdomain.com" <bad@sender.com> Link to comment Share on other sites More sharing options...
itman 1,497 Posted September 24, 2020 Share Posted September 24, 2020 See if this posting helps: https://forum.eset.com/topic/14855-spoofed-email-address/ filips 1 Link to comment Share on other sites More sharing options...
ESET Staff filips 44 Posted September 25, 2020 ESET Staff Share Posted September 25, 2020 Hi raimund, Attachment type rules are evaluated on all files in archives - zipped document with macro will be caught by the rule (unless it's password protected). Rules support only comparing of static strings so it is not possible to compare From: and Return-Path: headers. Not a perfect solution, but something like this should do the job: From Header - display name contains one of [@customer1.com, @customer2.com] Message headers do not match regular expression "\nReply-To: .*(@customer1.com|customer2.com)" Link to comment Share on other sites More sharing options...
raimund 0 Posted September 29, 2020 Author Share Posted September 29, 2020 Hi all, thanks for the hints.... Link to comment Share on other sites More sharing options...
mlltech 0 Posted October 21, 2020 Share Posted October 21, 2020 On 9/25/2020 at 10:14 AM, filips said: Hi raimund, Attachment type rules are evaluated on all files in archives - zipped document with macro will be caught by the rule (unless it's password protected). Rules support only comparing of static strings so it is not possible to compare From: and Return-Path: headers. Not a perfect solution, but something like this should do the job: From Header - display name contains one of [@customer1.com, @customer2.com] Message headers do not match regular expression "\nReply-To: .*(@customer1.com|customer2.com)" Excuse me, but that's not very useful. What if the spammer/spoofer uses a different email every day? We can't simply add manually rules everyday, or add all the domains we interact with to different rules. I've exactly the same problem as raimund. Malicious attachments undetected by ESET and many other vendors (they get detected after few days), with the from address spoofed (reply-to is another address, similar to the spoofed one). Isn't there anything else that can be done? I've already configured rules to quarantine all emails with macros-enabled attachments, but I got one today that contains a malicious Excel in xls format, not xlsm. It's not possible to simply quarantine all emails that include a xls file Link to comment Share on other sites More sharing options...
Administrators Marcos 4,552 Posted October 21, 2020 Administrators Share Posted October 21, 2020 1 hour ago, mlltech said: I've exactly the same problem as raimund. Malicious attachments undetected by ESET and many other vendors (they get detected after few days), with the from address spoofed (reply-to is another address, similar to the spoofed one). Please provide us with more information about the malware that goes undetected through ESET. Is it executables? Office documents? HTML files or some other kind of files? Have you considered trying out ESET Dynamic Threat Defense for automated replication of received files in ESET's cloud sandbox? As for the other queries, I'll leave them to @filipsor @M.K. to respond. Link to comment Share on other sites More sharing options...
mlltech 0 Posted October 26, 2020 Share Posted October 26, 2020 On 10/21/2020 at 3:00 PM, Marcos said: Please provide us with more information about the malware that goes undetected through ESET. Is it executables? Office documents? HTML files or some other kind of files? Have you considered trying out ESET Dynamic Threat Defense for automated replication of received files in ESET's cloud sandbox? As for the other queries, I'll leave them to @filipsor @M.K. to respond. It's an xls file, containing a macro. It seems to be detected now (trojandownloader something). @filips@M.K. I would really appreciate any help here Link to comment Share on other sites More sharing options...
Administrators Marcos 4,552 Posted October 26, 2020 Administrators Share Posted October 26, 2020 In order to take a specific action on macro-enabled Office documents, please refer to https://help.eset.com/emsx/7.0/en-US/idh_config_mailserver_rules.html: I would strongly recommend trying out ESET Dynamic Threat Defense for instant protection from new email threats. Link to comment Share on other sites More sharing options...
mlltech 0 Posted October 30, 2020 Share Posted October 30, 2020 On 10/26/2020 at 9:53 AM, Marcos said: In order to take a specific action on macro-enabled Office documents, please refer to https://help.eset.com/emsx/7.0/en-US/idh_config_mailserver_rules.html: I would strongly recommend trying out ESET Dynamic Threat Defense for instant protection from new email threats. Yes, we have this enabled, but more important that a file going undetected is the fact that spoofers can bypass all filters. From my original message: "What if the spammer/spoofer uses a different email every day? We can't simply add manually rules everyday, or add all the domains we interact with to different rules." Regards Link to comment Share on other sites More sharing options...
Recommended Posts