>On Monday, July 12, 2021, 04:01:03 AM GMT+2, Kevin A. McGrail 
<kmcgr...@apache.org> wrote:  
>If you can get me a sample, I'm sure I can tell you but in general we 
>block macros so that's all that's needed.  Likely the OLEVBMacro plugin 
>and KAM ruleset is blocking all of these already if you have the plugin 
>enabled.


The initial email does not have a macro... they use an old MS feature where a document 
marks itself as "incomplete" and tells MS Office App where to download the 
missing part, that contains the payload.
To my knowledge (very limited) only zipped versions of MS files can use that 
feature. Within them, there are 2 data structures to check if you want to find 
prizes...
-----Pedro.
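
Added example (not part of the original message or of SpamAssassin): zipped Office (OOXML) files declare resources that live outside the archive in `.rels` relationship parts with `TargetMode="External"`, so a mail scanner can list those entries. Whether these are the structures the message refers to is an assumption; the function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MAX_PART = 1 << 20  # refuse to inflate relationship parts larger than 1 MiB

def external_relationships(data: bytes):
    """Return (part, type, target) for every TargetMode="External" relationship."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container, so no OOXML relationship parts
    with zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".rels") or info.file_size > MAX_PART:
                continue
            raw = zf.read(info)
            if b"<!DOCTYPE" in raw:  # relationship parts have no reason to carry a DTD
                hits.append((info.filename, "DTD in relationship part", ""))
                continue
            try:
                root = ET.fromstring(raw)
            except ET.ParseError:
                continue  # malformed XML: nothing to extract from this part
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((info.filename, kind, rel.get("Target", "")))
    return hits

def remote_loads(data: bytes):
    """Drop ordinary hyperlinks, which are followed only when the reader clicks."""
    return [h for h in external_relationships(data) if h[1] != "hyperlink"]

def build_sample() -> bytes:
    """Constructed sample: a minimal zip holding one relationship part."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" TargetMode="External" Target="https://example.invalid/t.dotm" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"/>'
        '<Relationship Id="rId2" TargetMode="External" Target="https://example.invalid/" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Calling `remote_loads()` on an attachment's bytes returns an empty list for files with no external references, so a non-empty result is the signal to score or quarantine.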
