jeifabdi 1 Posted March 17 The customer reports a growing increase in malware detections in recent days in the security solution ESET Cloud Office Security; it reports emails being sent from the email account soporte@yumbolon.com. This account is used to receive support emails, not for sending emails; it is used with Spiceworks for receiving support cases, and the case numbers generated are very different from the numbering used in the client's production environment. The customer changed the credentials of the account soporte@yumbolon.com, but it still continues to report sending emails. The customer indicates that the polylon.com domain is not in use, but the MXTOOLBOX tool reports the same TXT record for both domains. The customer is concerned that the protection may have decreased.
ESET Staff Solution product_manager_8 5 Posted March 19 Hi @jeifabdi, it is possible that someone is impersonating the "support" email but the real "from" address is actually different. If you have these emails in quarantine, go there, click on any one of them that says it's coming from "support", and once you're in the email's detail page, you will see a link that says "show headers". If you click that, you will see the email headers and you can compare whether the "sender" field and "return path" fields are the same. If they are completely different, even on a different domain, it is likely that somebody is trying to impersonate the support sender.
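The header comparison described in the answer above, as an added example (not code from the thread or from ESET): it parses a raw message, extracts the domain of the visible "From:" address and of the "Return-Path:" envelope sender, and reports whether they match. The sample messages are constructed for illustration; the only real value reused is the soporte@yumbolon.com mailbox named in the question.

```python
import email
from email.utils import parseaddr

# Constructed sample: visible From: claims the support mailbox, but the envelope
# sender (Return-Path) is on an unrelated domain, the pattern the answer describes.
SAMPLE_SPOOFED = b"""Return-Path: <bounce-7731@mailer.example-other.test>
From: Soporte <soporte@yumbolon.com>
To: someone@example.test
Subject: Caso #99999

Adjunto encontrara su factura.
"""

# Constructed sample: both fields on the same domain, as genuine mail would look.
SAMPLE_ALIGNED = b"""Return-Path: <soporte@yumbolon.com>
From: Soporte <soporte@yumbolon.com>
To: someone@example.test
Subject: Caso #1234

Hemos recibido su solicitud.
"""


def domain_of(addr: str) -> str:
    """Lowercase domain part of an RFC 5322 address ('Name <user@dom>' or bare), '' if none."""
    _, bare = parseaddr(addr or "")
    return bare.rpartition("@")[2].lower()


def check_sender_alignment(raw: bytes) -> dict:
    """Compare the From: domain with the Return-Path: domain of a raw message.

    verdict is 'aligned' (same domain), 'misaligned' (different domains, the
    impersonation sign the thread points at) or 'missing' (no Return-Path to
    compare, e.g. a message exported before final delivery).
    """
    msg = email.message_from_bytes(raw)
    from_domain = domain_of(msg.get("From", ""))
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if not rp_domain:
        verdict = "missing"
    elif from_domain == rp_domain:
        verdict = "aligned"
    else:
        verdict = "misaligned"
    return {"from_domain": from_domain, "return_path_domain": rp_domain, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("aligned", SAMPLE_ALIGNED)):
        print(label, check_sender_alignment(sample))
```

Exact-domain comparison is deliberately strict; a subdomain of the same organization would also be reported as misaligned and needs a manual look.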