Jump to content

PowDow.OB detected by Office 365


Recommended Posts

My client's Office 365 online virus detector is flagging outbound emails from the user with Word docs infected with PowDow.OB macro virus. I have run both Sophos and Malwarebytes with the most current definitions and neither are detecting the virus or the malware causing the virus infected emails to be sent out. The emails were not ones which the user sent out.  Anyone else encountered the PowDow.OB yet? Any ideas on to how to proceed?

Link to post
Share on other sites

Hey, Daveroo. I just went through this myself a week or two ago. When viewing the blocked messages in the Security and Compliance Quarantine area you can look at the headers of those messages. There's even a link to the Message Header Analyzer on that same pane. Paste your headers in there and verify that the From and Return-Path actually both have your domain. In our case, it was an externally generated spoofed email impersonating my users and to get around SPF blocking they used a valid domain in the Return-Path.

Office 365 Support was also able to analyze the headers and confirm that type of mail attack (external or internal, with credentials or without) and verify it was an external attack just spoofing the From address. This is verified by looking at the source servers and IP addresses and seeing if they come from one of your IP addresses or networks.

This led me on a quest to implement DMARC and DKIM as well as shore up our SPF records. There are lots of good resources out there for implementing those standards and it has been going well for us. In theory, once I'm comfortable that the implementation isn't going to block legitimate email I can get more agressive with the DMARC record and ask messages that don't pass to be quarantined even if they don't have viruses.


Best of luck!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.