guyg1

Malwarebytes successfully blocking Outlook access to potentially malicious


I am getting a pop-up about once every time I send and receive on Outlook 2016 reporting that Malwarebytes is blocking access to a potentially malicious

Category: Unspecified
Domain: u1214497.ct.sendgrid.net
IP Address: 167.89.118.35
Port: [52538]
Type: Outbound
File: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE


It's been this way for a few days now and I get the pop-up 10 to 20 times a day.


+1 here. One of my clients just started experiencing this and, if experience is to be an accurate indicator, I'm sure I will be getting a lot more calls soon. My question to support would be: should we add this site to the exceptions, or is it a real threat?


Robert


Thanks for this report; this should be resolved in our next database update. We put a block on the domain due to some traffic coming from there, but have reduced it to block a specific subdomain of this primary domain.

UPDATE

The block is being removed.

We're doing some more research into this and seeing strange traffic on this site which may warrant a full block. Before we do that though, we're trying to gather some information. Most likely this email is being used in an email campaign, which is why it's showing up in Outlook. If possible, would anyone be willing to export an email that seems to be triggering this detection and send it to dcollins@malwarebytes.com so we can research it? Thanks

Edited by dcollins


I have an email that triggers the detection, Devin, and would be happy to send it to you, but I don't know what you mean by 'export' or how I do that.


@Justsaying Can you also post your protection log? I am currently working this issue and should have a solution soon. As soon as I do I will update this thread.

Thank you for your patience.


In addition to sendgrid.net, we're also seeing repeated cirrusinsight.com blocks from Outlook. Will that also be addressed?


We are curious to know why an idle Outlook program is trying to reach out to these blocked sites. The user wasn't even using her laptop at the time, so this strikes us as very strange behavior. Is Malwarebytes Endpoint Protection perhaps analyzing emails landing in the Junk folder, triggering a block?


@scfscf Malwarebytes doesn't actively scan any emails. Most likely the Outlook policy on these devices is set to automatically load external content (images and/or previews of links), so when the email comes in, Outlook attempts to pre-load that data and it gets blocked.

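To make the two points above concrete (the block record layout from the first post, and the explanation that the blocked requests are Outlook pre-loading external content from incoming mail), here is an added triage script. It is not Malwarebytes code and not from anyone in this thread: it parses notification text in the popup's Category/Domain/IP Address/Port/Type/File layout and counts blocks per process and parent domain, so a repeated OUTLOOK.EXE to sendgrid.net pattern is separated from an unknown process making outbound connections. Only the first sample record reproduces the values from the thread; the other two records, the process names and the "mail client" heuristic are assumptions for illustration. The parent-domain grouping takes the last two labels and uses no public-suffix list, and the port value (a high-numbered port, consistent with a local ephemeral source port rather than the remote service port) is parsed but not used for the verdict.

```python
"""Triage Malwarebytes Web Protection block notifications.

Added example, not Malwarebytes code. Parses the field layout shown in the
block pop-up (Category / Domain / IP Address / Port / Type / File) and
summarises which process is reaching which parent domain, labelling
outbound blocks attributed to a mail client as "external content preload"
(the explanation given in the thread) and everything else for review.
"""
import re
from collections import Counter

# Constructed sample. Record 1 uses the values from the thread; records 2
# and 3 are made up for illustration (example.invalid, updater.exe).
SAMPLE = """\
Category: Unspecified
Domain: u1214497.ct.sendgrid.net
IP Address: 167.89.118.35
Port: [52538]
Type: Outbound
File: C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE

Category: Unspecified
Domain: u1214497.ct.sendgrid.net
IP Address: 167.89.118.35
Port: [52611]
Type: Outbound
File: C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE

Category: Malware
Domain: example.invalid
IP Address: 192.0.2.10
Port: [49877]
Type: Outbound
File: C:\\Users\\Public\\updater.exe
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")

# Assumed list of processes whose outbound blocks are usually mail preloads.
MAIL_CLIENTS = {"OUTLOOK.EXE"}


def parse_blocks(text):
    """Split notification text on blank lines; return one dict per record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if not m:
                continue
            key = m.group("key").strip().lower().replace(" ", "_")
            value = m.group("value").strip()
            if key == "port":
                # The pop-up wraps the port in brackets: "[52538]".
                value = int(value.strip("[]"))
            rec[key] = value
        if rec:
            records.append(rec)
    return records


def process_name(path):
    """Basename of a Windows path, upper-cased so case differences collapse."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def parent_domain(domain, labels=2):
    """Naive parent domain: the last N labels. No public-suffix handling."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])


def triage(records):
    """Count blocks per (process, parent domain) and assign a verdict.

    Outbound blocks from a known mail client are labelled as the client
    fetching external content (images, link previews) from incoming mail;
    any other process is flagged for review.
    """
    counts = Counter()
    verdicts = {}
    for rec in records:
        key = (process_name(rec["file"]), parent_domain(rec["domain"]))
        counts[key] += 1
        outbound = rec.get("type", "").lower() == "outbound"
        if key[0] in MAIL_CLIENTS and outbound:
            verdicts[key] = "mail client loading external content"
        else:
            verdicts[key] = "unexpected process: review"
    return counts, verdicts


def report(text):
    """Return sorted (process, parent domain, count, verdict) rows."""
    counts, verdicts = triage(parse_blocks(text))
    return sorted((p, d, n, verdicts[(p, d)]) for (p, d), n in counts.items())


if __name__ == "__main__":
    for proc, dom, n, verdict in report(SAMPLE):
        print(f"{n:3d}  {proc:<14} {dom:<20} {verdict}")
```

Feeding the exported protection log through report() answers the question raised later in the thread about an idle Outlook reaching out: if every block is OUTLOOK.EXE outbound to a mail-tracking parent domain, the cause is the external-content setting, whereas a row attributed to any other executable is what actually deserves investigation.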

This started a few days ago. I'm getting malicious pop-ups also, mainly from NextDoor Neighborhood Support email to me: help@hs.email.nextdoor.com

Also, I cannot access sendgrid.net. Can't someone fix this? It appears from this thread (and possibly others I haven't checked) that this is an ongoing "NEW" problem. I hope it is fixed soon.


The issue should now be resolved. Please update your databases.

Sorry for the delay folks.


Thank you. But how do you update the database? I see nothing about that. Here are my stats:

 Version:  3.3.1.2183
 Component package version: 1.0.262
 Update package version: 1.0.3952

3 minutes ago, tlspiegel said:

I think the problem has resolved, but still would like to know how to update the database.  Thank you.

Click the word/link "current". By default MB checks for updates hourly.

Edited by Porthos


You can also check your database number under Settings -> About. This was fixed in 1.0.3948, so as long as you have a number above that, you should be good to go.
