On 02/18/2015 01:09 PM, Tonyata wrote:
Posting again as the original post didn't hit the mailing list -
Hi Guys,
Last week my company received a noticeable increase in emails containing MS
Office attachments with a malicious VB script that downloaded something
nasty.
For example, Subj - Remittance [Report ID:54400-2187772], attachments were
"10 random chars".xls, or Subj - PURCHASE ORDER (34663), attachments
"2600_001".doc.
In all cases we receive a couple of thousand emails across the customer base
over a couple of hours, sometimes originating from the same sender (in which
case I blacklist) but more often differing senders/IPs. Historically I add
a rule to pick up on the obvious characteristics (Subj, attachment name, etc.)
and because they are pretty short-lived campaigns it's generally sufficient.
What I'd like to know is -
a) Did any of you see similar?
Yes!
b) Do you have any suggestions in order to detect this kind of stuff more
efficiently and on a more generic basis but without introducing FP risk?
Get a decent AV.
Test samples at https://virustotal.com
The results will probably help you make a decision as to which AV
product meets your expectations.
If you don't want to spend on AV then you'll have to look into free
ClamAV signatures:
http://sanesecurity.com/ and others.
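One generic, non-AV check that answers question (b) above, written here as an added example and not taken from either message in the thread: instead of matching a campaign's subject or attachment name, look at the attachment format itself. A legacy .doc/.xls is an OLE compound file whose directory contains well-known storages only when a VBA project is present, and an OOXML .docm/.xlsm is a zip with a vbaProject.bin part. The entry-name set, the small compound-file parser and the two sample builders are this example's own (the builders construct minimal files just to run the check offline; real Office files contain far more). On the FP point: a hit means macros are present, not that they are malicious, so use it to quarantine or sandbox rather than to reject outright.

```python
"""Generic check for VBA macros in Office attachments (added example, not from
the thread). A legacy .doc/.xls is an OLE compound file whose directory gains
well-known VBA storages when a macro project is present; an OOXML .docm/.xlsm
is a zip with a vbaProject.bin part. A hit means macros are present, not that
they are malicious: quarantine or sandbox on it, do not block outright."""
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
# Directory entry names Word/Excel create only for a VBA project (assumed set).
# Entry names are matched exactly, so body text mentioning "VBA" does not hit.
VBA_ENTRY_NAMES = {"Macros", "_VBA_PROJECT_CUR", "VBA", "_VBA_PROJECT"}


def ole_directory_names(data: bytes) -> list:
    """List every directory entry name in a compound file ([MS-CFB]).
    The directory chain is walked linearly instead of via the red-black tree
    from the root entry, so orphaned entries (tree links cut to hide a project)
    still show up. Only the 109 FAT sectors addressable from the header DIFAT
    are read, which covers attachments up to several MB."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    shift = struct.unpack_from("<H", data, 0x1E)[0]
    if shift not in (9, 12):  # v3 uses 512-byte sectors, v4 uses 4096-byte
        raise ValueError("bad sector shift %d" % shift)
    sector_size = 1 << shift
    num_fat_sectors = struct.unpack_from("<I", data, 0x2C)[0]
    first_dir_sector = struct.unpack_from("<I", data, 0x30)[0]
    difat = struct.unpack_from("<109I", data, 0x4C)

    def sector(n):  # the header occupies the first sector, so sector n is at (n+1)*size
        return data[(n + 1) * sector_size:(n + 2) * sector_size]

    fat = []
    for fat_sector in difat[:num_fat_sectors]:
        if fat_sector == FREESECT:
            break
        chunk = sector(fat_sector)
        fat.extend(struct.unpack_from("<%dI" % (len(chunk) // 4), chunk))

    names, seen, sid = [], set(), first_dir_sector
    while sid != ENDOFCHAIN and sid not in seen:  # 'seen' stops crafted FAT loops
        seen.add(sid)
        chunk = sector(sid)
        for off in range(0, len(chunk) - 127, 128):
            name_len = struct.unpack_from("<H", chunk, off + 64)[0]  # bytes incl. NUL
            if 2 <= name_len <= 64:
                names.append(chunk[off:off + name_len - 2].decode("utf-16-le", "replace"))
        if sid >= len(fat):
            break  # truncated or malformed FAT: stop rather than trust it
        sid = fat[sid]
    return names


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML is a zip; the VBA project is the part vbaProject.bin. Checking the
    part list beats trusting the extension (a .docm renamed to .doc still runs)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_has_vba(data: bytes) -> bool:
    """Verdict on raw attachment bytes, independent of subject or file name."""
    if data[:8] == OLE_MAGIC:
        try:
            return any(n in VBA_ENTRY_NAMES for n in ole_directory_names(data))
        except ValueError:
            return False  # unparsable Office container: worth its own quarantine rule
    if data[:2] == b"PK":
        return ooxml_has_vba(data)
    return False


def build_ole(entry_names) -> bytes:
    """Constructed sample: minimal compound file (512-byte sectors, FAT in sector 0,
    directory in sector 1) with the given entries. Real files carry much more."""
    assert len(entry_names) <= 3, "one directory sector holds root + 3 entries"
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<IIII", header, 0x2C, 1, 1, 0, 4096)  # 1 FAT sector, dir at 1, txn, cutoff
    struct.pack_into("<IIII", header, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = bytearray(512)
    for i, name in enumerate(["Root Entry"] + list(entry_names)):
        encoded = name.encode("utf-16-le") + b"\x00\x00"
        directory[i * 128:i * 128 + len(encoded)] = encoded
        struct.pack_into("<HB", directory, i * 128 + 64, len(encoded), 5 if i == 0 else 1)
    return bytes(header) + fat + bytes(directory)


def build_ooxml(with_vba: bool) -> bytes:
    """Constructed sample: skeletal OOXML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```

Run attachment_has_vba() over each decoded attachment at the gateway (for example on build_ole(["WordDocument", "1Table", "Macros"]) versus build_ole(["WordDocument", "1Table", "SummaryInformation"])) and route hits to quarantine or a sandbox; it stays effective when the next campaign changes subject and file names, and it sits in front of, not instead of, the AV or ClamAV signatures suggested above.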