Re: another one phishing for a bite
By: August Abolins to mark lewis on Tue Mar 31 2020 20:33:00
ml>> not really because now others of us cannot look up that
ml>> information and set blocks or filters in our IDS/IPS ;)
AA> Oh.. I see. Good point. But couldn't http://march262020.* work in a
AA> filter?
that depends on the language used... IDS/IPS do not use DOS style... neither
does clamav, dspam, or similar content scanners...
AA> But, FYI, replace "####" with "club". No point keeping it a
AA> secret if the goal is to help protect others.
thanks...
AA> BTW, although it is far easier to just drop the phishing
AA> email/attachment with the delete key, we can parse the file,
AA> extract the clear-text and share the http:// strings found
AA> therein.
or our content scanner can detect the byte sequences and pass or fail the
item...
AA> Obviously, the macro in the original .xls file relied on Excel
AA> functions to run a macro to fetch a bot from a website and launch
AA> the payload.
yep... this is why the setting to allow macros and/or executing startup macros
should be OFF these days...
)\/(ark
--- SBBSecho 3.10-Linux
* Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)
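
An added example, not part of the original message: pulling clear-text http:// strings out of a binary attachment and matching them against the DOS-style wildcard from the thread, which has to be translated before a regex-based scanner can use it. The sample bytes, the `.example` hosts and all function names are constructed for illustration.

```python
import re

# Printable runs of 6+ characters, 8-bit and UTF-16LE (old .xls files may hold either).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
URL = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)

def extract_urls(data):
    """Return the distinct URLs found in clear-text strings inside data."""
    texts = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    texts += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    urls = []
    for text in texts:
        for url in URL.findall(text):
            if url not in urls:
                urls.append(url)
    return urls

def glob_to_regex(glob):
    """Translate a DOS-style wildcard (* and ?) into an equivalent regex."""
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # the dot stays a literal dot
    return re.compile("".join(parts), re.IGNORECASE)

def match_glob(urls, glob):
    """URLs that match the wildcard as a DOS user would mean it."""
    rx = glob_to_regex(glob)
    return [u for u in urls if rx.fullmatch(u)]

def match_naive(urls, glob):
    """Same wildcard pasted unchanged into a regex engine: '.' becomes 'any char'."""
    rx = re.compile(glob, re.IGNORECASE)
    return [u for u in urls if rx.match(u)]

# Constructed sample: binary junk around three embedded URLs.
SAMPLE = (b"\xd0\xcf\x11\xe0\x00\x01"
          + b"http://march262020.example/a.php\x00\x05\x00"
          + "http://march2620209.example/b".encode("utf-16-le")
          + b"\x00\x00\xff" + b"https://intranet.example/help\x01")

if __name__ == "__main__":
    found = extract_urls(SAMPLE)
    print(match_glob(found, "http://march262020.*"))
    print(match_naive(found, "http://march262020.*"))
```

The naive form also flags the look-alike host because the unescaped dot matches the extra digit, which is the practical difference between the two pattern languages.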