Suspicious email situation

One of our work emails has just apparently sent out an email titled 'More scans' which presumably includes some sort of malicious object. It's gone to 2 of our other work email addresses and the 1and1 built in virus scanner has cut the emails off before they were delivered.

Now, as far as I can tell, the computer in question that the email has supposedly been sent from is completely secure. However, this address does regularly get dodgy emails into it, which are usually deleted and not opened. The system has Avast, MBAM is run weekly, and the standard Windows 10 firewall is on.

Outlook is what all the email addresses are running on, but they're also available via Webmail on 1and1. There is nothing in the Outlook sent folder regarding this suspicious email either.

Anything I should do? Is this a botnet-related problem?
 
Spoofed email likely. Change email password and move on if you are sure there is no virus on the machine.

There's a lot of it going around at the moment; it's literally half of the tickets we get on the support desk currently.
 
I'm running an Avast boot scan to make sure. Anything else you'd recommend that might detect something more specific? MBAM says the machine is clear.
 
Does the full email header definitely narrow it back to a sender with an IP owned/officially related to your business?
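The question above is the right one: the Received chain and the SPF result in the full headers are what tell you whether the message ever touched your own infrastructure. The script below is an added example (not code from the thread or from 1and1) showing how a practitioner would read them. The raw message, the domain victim.example, the IP addresses and the "owned" network 192.0.2.0/24 are all constructed for illustration. It assumes you can obtain the complete headers; where a hosting provider's filter quarantines the message and strips them, as reported later in this thread, there is nothing to parse.

```python
import email
import ipaddress
import re
from email import policy

# Constructed raw message for demonstration (not a capture from the thread).
# Received headers are listed newest-first, as a receiving MTA writes them,
# so the last one is the hop closest to the true origin.
SAMPLE_RAW = (
    "Received: from mx.relay.invalid (mx.relay.invalid [203.0.113.10])\n"
    "\tby mail.victim.example (Postfix) with ESMTPS id ABC123\n"
    "\tfor <staff@victim.example>; Tue, 19 Jan 2016 09:42:11 +0000\n"
    "Received: from [198.51.100.77] (unknown [198.51.100.77])\n"
    "\tby mx.relay.invalid (Postfix) with ESMTP id DEF456;\n"
    "\tTue, 19 Jan 2016 09:42:05 +0000\n"
    "Authentication-Results: mail.victim.example; spf=fail smtp.mailfrom=victim.example\n"
    "From: admin <admin@victim.example>\n"
    "To: staff@victim.example\n"
    "Subject: More scans\n"
    "\n"
    "\n"
)

# Assumed: the address ranges the business actually sends mail from.
OWNED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SPF_RE = re.compile(r"\bspf=(\w+)")


def received_chain(msg):
    """Return the Received headers as single-line strings, newest first."""
    return [re.sub(r"\s+", " ", str(h)).strip() for h in msg.get_all("Received", [])]


def originating_ip(chain):
    """IP named in the oldest hop, or None if no hop carries one.

    Only hops added by servers you trust are reliable; a sender can forge
    earlier Received lines, so in practice you verify each hop against the
    one above it before believing the origin."""
    for hop in reversed(chain):
        m = IP_RE.search(hop)
        if m:
            return m.group(1)
    return None


def analyse(raw, owned_networks=OWNED_NETWORKS):
    """Summarise origin, SPF result and whether the From domain is plausible."""
    msg = email.message_from_string(raw, policy=policy.default)
    chain = received_chain(msg)
    origin = originating_ip(chain)
    from_hdr = str(msg.get("From", ""))
    from_domain = from_hdr.rsplit("@", 1)[-1].rstrip(">").lower() if "@" in from_hdr else ""
    auth = str(msg.get("Authentication-Results", ""))
    spf_match = SPF_RE.search(auth)
    spf = spf_match.group(1).lower() if spf_match else "none"
    own_infra = origin is not None and any(
        ipaddress.ip_address(origin) in net for net in owned_networks
    )
    # A From header carrying your own domain is only credible when the mail
    # left from your own ranges and SPF did not fail.
    spoofed = spf == "fail" or (origin is not None and not own_infra)
    return {
        "hops": len(chain),
        "originating_ip": origin,
        "from_domain": from_domain,
        "spf": spf,
        "from_own_infrastructure": own_infra,
        "likely_spoofed": spoofed,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

Run against the constructed sample it reports an origin of 198.51.100.77, outside the owned range, with SPF failing, so the admin@ From address is not evidence that the machine sent anything. Replace OWNED_NETWORKS with the ranges your mail actually leaves from, and feed it the raw source of a real message rather than the rendered view.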
 
This fake scanned document appears to come from admin@ the victim's own domain. There is no body text in the email.

From: admin [[email protected]]
Date: 19 January 2016 at 09:42
Subject: More scans
I have seen just a single sample, with a document named DOC201114-201114-001.DOC. According to VT it has a detection rate of 4/53.

Once the user opens the document, it downloads malware from the following address

hxxp://www.cnbhgy[.]com/786585d/08g7g6r56r[.]exe

Modified the URL to avoid accidental clicks

This download location was used in a previous spam run, but the payload has now changed; however, it is still the Dridex banking trojan.

You should block the sender's address and the above URL.
 
Does the full email header definitely narrow it back to a sender with an IP owned/officially related to your business?

As 1and1 filtered it, it doesn't have any IP info. One of our email addresses is an admin@ address, which made me assume it's come from that, but looking at the below, it could be a coincidence and they've just spoofed it based on our normal web address...

This fake scanned document appears to come from admin@ the victim's own domain. There is no body text in the email.

From: admin [[email protected]]
Date: 19 January 2016 at 09:42
Subject: More scans
I have seen just a single sample, with a document named DOC201114-201114-001.DOC. According to VT it has a detection rate of 4/53.

Once the user opens the document, it downloads malware from the following address

hxxp://www.cnbhgy[.]com/786585d/08g7g6r56r[.]exe

Modified the URL to avoid accidental clicks

This download location was used in a previous spam run, but the payload has now changed; however, it is still the Dridex banking trojan.

You should block the sender's address and the above URL.

It sounds like this, yeah.

Hmmmm....
 
Don't worry about this, as the address is 100% being spoofed, since I've received exactly the same email on both of my Yahoo accounts, supposedly sent from Yahoo, but both were delivered to the spam folder, since at least someone is on the ball.
 