Hi,

> SpamAssassin has plugins for PhishTank and OpenPhish. I would suggest
> you submit the link to them.
> You can also reach out to the domain provider, hosting provider(s) and
> other companies involved.

> > https://pastebin.com/JMSrY6KU

We've got to do better than that. These O365 phishing attacks are
significant and severe and constant.

I modified the ExtractText plugin to also process HTML files:

extracttext_external    htmlcat /usr/bin/cat {}
extracttext_use         htmlcat   .htm .html

then created the following rule to look for <script> in the data
stream, and combined it with a few existing rules that identify
malformed HTML.

body     __LOC_HTML_SCRIPT      /\<script\>/i
meta     LOC_HTML_BAD_SCRIPT    (__LOC_HTML_SCRIPT && (T_HTML_ATTACH || T_OBFU_HTML_ATTACH || HTML_MIME_NO_HTML_TAG))
score    LOC_HTML_BAD_SCRIPT    5.00
describe LOC_HTML_BAD_SCRIPT    HTML with bad javascript

Someone with a better ability to identify what's bad and unique about
this javascript would probably be able to do better.

Unless javascript in an HTML attachment is never a good thing, and can
always be blocked?

I'm surprised it took them this long to start doing this, or at least
reaching my systems.
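As an added illustration, not part of the post or of SpamAssassin itself, here is a Python stand-in for the same detection logic: pull every .htm/.html attachment out of a message (what the extracttext_use line selects), flag a <script> tag, and combine it with a "no <html> tag" check. The missing-<html>-tag test is only an assumption standing in for HTML_MIME_NO_HTML_TAG; the sample message is constructed inline.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Regexes for the two signals: a <script> tag (the body rule in the post) and
# the presence of an <html> tag (assumed stand-in for HTML_MIME_NO_HTML_TAG).
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
HTML_TAG_RE = re.compile(r"<html\b", re.IGNORECASE)


def html_attachments(msg):
    """Yield decoded text of each attachment named *.htm or *.html,
    mirroring 'extracttext_use htmlcat .htm .html' (selection by extension)."""
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith((".htm", ".html")):
            raw = part.get_payload(decode=True) or b""
            yield raw.decode("utf-8", errors="replace")


def classify(raw_message: bytes) -> dict:
    """Return rule hits for one raw RFC 5322 message.

    __LOC_HTML_SCRIPT   : some HTML attachment contains a <script> tag
    NO_HTML_TAG         : that same attachment has no <html> tag (assumption)
    LOC_HTML_BAD_SCRIPT : both, i.e. the meta rule from the post
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = {"__LOC_HTML_SCRIPT": False, "NO_HTML_TAG": False}
    for text in html_attachments(msg):
        if SCRIPT_RE.search(text):
            hits["__LOC_HTML_SCRIPT"] = True
            if not HTML_TAG_RE.search(text):
                hits["NO_HTML_TAG"] = True
    hits["LOC_HTML_BAD_SCRIPT"] = hits["__LOC_HTML_SCRIPT"] and hits["NO_HTML_TAG"]
    return hits


def build_sample(html_body: str) -> bytes:
    """Construct a test message carrying one HTML attachment (sample input only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "Document"
    msg.set_content("See attached.")
    msg.add_attachment(html_body.encode("utf-8"), maintype="application",
                       subtype="octet-stream", filename="doc.html")
    return msg.as_bytes()
```

Run classify() over a mailbox of known-good HTML attachments before trusting the score; the <html>-tag heuristic alone will not match every malformed page the real HTML_MIME_NO_HTML_TAG rule catches.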
