Jump to content

Outlook attachments causing "Exploit payload from UNC blocked"


Recommended Posts

Summary:

When in Outlook, clicking "Attach File," browsing, then clicking on the "Desktop" shortcut, Outlook is closed and Malwarebytes Anti-Exploit reports that an "Exploit Payload from UNC Blocked."

Detailed steps to replicate:

  1. Open Outlook (occurs with both 2013 and 2016)
  2. Create a new email.
  3. Click "Attach Files," (then "Browse this PC..." if in Outlook 2016)
  4. Click on the "Desktop" shortcut. (Navigating to the C:\Users\<username>\Desktop folder does not cause the problem; only clicking the shortcut does.)
  5. Outlook is immediately force-closed, and the user is presented with the dialog box in Attachment-1.png. (The "file/process blocked" is an EXE on a UNC share, that has been redacted for security reasons. The EXE is *not* a running program, but has been run by that computer in the past.)
  6. The user may then be prompted with the dialog box in Attachment-2.png. (The "following exploit file..." appears to be a randomly selected file located local to the computer. In both instances where I've seen this message, it's a PDF file. It is not the same file as in Attachment-1.png.)
  7. If the user has full permissions to the UNC share, the file from Attachment-1.png is removed from the server and quarantined.

Additionally, in the process of creating this post, I had the same thing happen from within Google Chrome when I tried attaching the picture.

Anti-Exploit is version 1.09.2.1261 on all affected computers.

This behavior was first noticed today (11/17/2016). The first report came in at 8:59 AM CST (2:59 PM UTC).

Any advice? Is this a new behavior in Anti-Exploit that is going awry?

Attachment-1.png

Attachment-2.png

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.