billmobile1

Member (Rank: New Member; Content Count: 10)

Posts by billmobile1
  1. Of the four affected workstations, none have had this happen again since yesterday morning, and out of around 500 seats, we haven't had any new reports of it.
  2. See attached! Thanks! mbst-grab-results.zip
  3. This started to occur yesterday mid-morning. It seems isolated to the few remaining Windows 7 workstations still in the environment (or at the least, no Win 10 box has had it happen)... The workstations seeing this do not have any shared file in common that they all may have opened (the affected are among a couple of different divisions), and all of the workstations scan clean and I'm told they have nothing surprising in the Event Viewer logs. I was wondering if anyone else was experiencing this, or if this might be a known false positive; I know there are a few people with issues of Anti-Exploit blocking Excel from launching, and wasn't sure if this might be a wider-reaching issue. The email notice is:

     Exploit attempt blocked
     BLOCK staffda Microsoft Office Excel C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE
     Attacked application: C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE; Parent process name: ; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

     Thanks!
  4. I ran into this a couple of times over the last six months, and this is what I found; I'm sure it could be different for others, but I thought I would share my experiences in case it helps anyone. A malicious email was opened, and a link is clicked which prompts the user to enter O365 credentials to retrieve a document. After the credentials are provided, the document is unable to be downloaded/opened (not sure which, and I don't have access to my sandbox right now to check). At that point either a script is run or a person manually creates a rule on the O365 portal to deliver replies to the RSS Feeds folder (the more recent version of this was much sloppier and had ALL incoming mail delivering to RSS). The rule doesn't appear in the local copy of Outlook... portal only. The script also seems to prevent Sent copies from being created. In both cases, we never found any sort of payload other than the possibility of the script being run, so this appears to be an effort to harvest email addresses. I'd imagine there are other iterations out there, but the two times I've seen this over the past six months were basically this. I hope that helps someone!
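The post above describes a server-side inbox rule (created in the O365 portal, invisible in the local Outlook profile) that diverts replies or all incoming mail to the RSS Feeds folder. The following Exchange Online PowerShell is an added example, not code from the post or from any vendor: it enumerates inbox rules across user mailboxes, flags the hiding, deleting and forwarding patterns, and then pulls the New-InboxRule/Set-InboxRule events from the unified audit log so you can see who created the rule, when, and from which client IP. It assumes the ExchangeOnlineManagement module, an account permitted to read recipients and audit logs, and that the folder-name pattern, the list of condition properties checked for a catch-all rule, and the 14-day window are assumptions to adjust for your tenant.

```powershell
# Added example (not from the original post). Hunts for the malicious inbox
# rule pattern described above: mail moved to RSS Feeds (or other folders the
# user never reads), deleted, marked read, or forwarded out of the tenant.
# Assumes: ExchangeOnlineManagement module installed; Connect-ExchangeOnline
# already run or run here; folder regex and condition list are assumptions.

Connect-ExchangeOnline          # interactive sign-in; remove if already connected

# Condition properties to inspect; if all are empty the rule fires on every
# message (the "ALL incoming mail to RSS" variant). List is an assumption.
$conditionProps = 'From','SentTo','SubjectContainsWords','SubjectOrBodyContainsWords',
                  'BodyContainsWords','FromAddressContainsWords','HeaderContainsWords',
                  'RecipientAddressContainsWords','MyNameInToOrCcBox','SentOnlyToMe',
                  'HasAttachment','WithImportance','MessageTypeMatches'

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()

        # Hide-from-user actions
        if ($rule.MoveToFolder -match 'RSS|Junk|Deleted|Archive|Conversation History') {
            $reasons += "moves to '$($rule.MoveToFolder)'"
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes message' }
        if ($rule.MarkAsRead)    { $reasons += 'marks as read' }

        # Exfiltration actions
        foreach ($p in 'ForwardTo','ForwardAsAttachmentTo','RedirectTo') {
            if ($rule.$p) { $reasons += "$p -> $($rule.$p -join ', ')" }
        }

        # Catch-all: no condition set at all
        $hasCondition = $false
        foreach ($p in $conditionProps) { if ($rule.$p) { $hasCondition = $true; break } }
        if (-not $hasCondition -and $reasons.Count -gt 0) { $reasons += 'no conditions (matches all mail)' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Who created these rules, and from where? Exchange admin audit events carry
# the client IP and the cmdlet parameters, so a rule made from an unfamiliar
# IP shortly after a credential-phish click stands out.
$start = (Get-Date).AddDays(-14)     # window is an assumption
Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) `
    -Operations New-InboxRule,Set-InboxRule -ResultSize 5000 |
  ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        RuleName  = ($d.Parameters | Where-Object Name -eq 'Name').Value
        ToFolder  = ($d.Parameters | Where-Object Name -eq 'MoveToFolder').Value
    }
  } | Sort-Object When | Format-Table -AutoSize
```

Run this from a workstation you trust, not the one that clicked the link; a compromised account can also be remediated by removing the rule with `Remove-InboxRule -Mailbox <user> -Identity <rule name>` after resetting the password and revoking sessions, but keep the audit-log output first since it is the evidence of when the account was actually in use by the attacker.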