Targeting OWA users - A report from the Mailbag
We received a report from Ted of an email campaign targeting OWA users that leads to malware infections. Thanks, Ted!
UPDATE: Additional information has been provided: the "Subject:" lines change from message to message, and so do the obfuscated links sent to users.
UPDATE 2: ISC contributor Martin Ireland reports a misspelling in the message - "If the OWA message received by server or a user is html text, the word "autentication" can be detected and user alerted, or message be deleted by server etc". Thanks Martin!
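One way to implement the check Martin describes in UPDATE 2, as an added example that is not from the original diary or its contributors. It decodes each text part before searching, because a search of the raw message misses the word when the HTML part is base64-encoded, split by a tag or written with a character reference, and it never looks at the changing Subject line. The helper names and the sample messages are constructed for illustration.

```python
import email
import html
import re
from email import policy
from email.message import EmailMessage

MARKER = "autentication"          # misspelling reported in UPDATE 2
TAG_RE = re.compile(r"<[^>]*>")

def visible_text(part):
    """Decode one text MIME part; for HTML, return only what the user would read."""
    text = part.get_content()       # undoes base64 / quoted-printable and the charset
    if part.get_content_type() == "text/html":
        text = TAG_RE.sub("", text)  # a tag placed inside the word no longer splits it
        text = html.unescape(text)   # character references become plain characters
    return text

def has_marker(raw_bytes):
    """True if any text part of the raw message contains the misspelled word."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            body = visible_text(part)
        except LookupError:          # unknown charset: skip the part, keep scanning
            continue
        if MARKER in body.casefold():
            return True
    return False

def build_sample(subject, html_body):
    """Constructed test message (not the campaign's mail) with a base64 HTML part."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("See the HTML part.")
    msg.add_alternative(html_body, subtype="html", cte="base64")
    return msg.as_bytes()

# Constructed inputs: same body under two subjects, plus a correctly spelled control.
MARKED = "<p>constructed test: aut<b></b>entic&#97;tion</p>"
SAMPLE_A = build_sample("constructed subject one", MARKED)
SAMPLE_B = build_sample("constructed subject two", MARKED)
SAMPLE_OK = build_sample("constructed subject one", "<p>authentication</p>")

if __name__ == "__main__":
    for name, raw in (("A", SAMPLE_A), ("B", SAMPLE_B), ("OK", SAMPLE_OK)):
        print(name, "raw grep:", MARKER.encode() in raw, "decoded:", has_marker(raw))
```

What happens on a match (alert the user, quarantine or delete) is left to the mail system that calls `has_marker`.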
UPDATE 3: We've received a few more ISC contributor reports from targeted organizations, and contributor Andrew Yourtchenko had a comment for blocklist maintainers and a pointer to a related post last year at Gary Warner's site. His comment was that since the ISC "is probably frequented by those who handle these kinds of blocklists, may be useful to draw their explicit attention that there might be users reporting "goodsite.com" - and they should verify before blocking".
Ted's contribution:
Antivirus | Version | Last update | Result
McAfee | 5854 | 2010.01.07 | -
McAfee+Artemis | 5854 | 2010.01.07 | Artemis!3025B97428A1
McAfee-GW-Edition | 6.8.5 | 2010.01.08 | Heuristic.BehavesLike.Win32.Trojan.H
Current status: finished