Email with link to blocked site

[Mark_Albrosco]

Malwarebytes Cloud Protection reported a blocked website for one of my users.

Investigation revealed that the user did not browse to the site, but an email received from a supplier contact when opened in the preview pane of Outlook Web Access immediately results in a series of popups from Malwarebytes Endpoint Protection as below:

I checked the URL using

 virustotal.com 

and the results were as follows:

I've attached a zip file containing the email - I'd like it to be analyzed so that I can report what is causing the email to attempt to make an outbound connection. I also intend to contact our supplier and alert them to this issue, so that they can take appropriate action

Mark.

Email-CrossBrowser-blocked.zip

[Mark_Albrosco]

The following was also reported by Malwarebytes Endpoint Protection in relation to this item

[Mark_Albrosco]

Topic moved to Malwarebytes Endpoint Protection as per email from David H. Lipman

 

[David H. Lipman]

I mistakenly posted that request when it was to be an Administration Flag for action.  I deleted the post and Flagged the thread to be moved by the Forum Admin.

My apology for any confusion that action may have caused.  

[Mark_Albrosco]

Hey David - no worries. As long as the analysis is done and I can get insight on this item. Cheers

[Mark_Albrosco]

Hi David - anyway to know if the analysis of the email attachment is in progress?

[David H. Lipman]

I'm sorry that no staff has replied to your topic.  Maybe a "bump" is in order.

Ping @djacobson

Edited December 12, 2018 by David H. Lipman

[Zynthesist]

We are not blocking the hostname from your block but we are blocking the parent:

*.gnway.cc

Block is for Trojan.XLoader.FakeSpy

One blocked example here:

https://houtaijp.gnway.cc/


https://www.virustotal.com/#/url/39e40a8b0909bb622f270b464268b2f6364a7678839a8b740bb42d5a7dd6d78c/detection

 

[Mark_Albrosco]

Thanks Zynthesist - the host (onlykem) is a supplier; users get email from them on occasion.

As soon as the email is opened, the user receives "blocked site" notifications.

They haven't clicked any links in the email, so I'm having trouble understanding what about the email is causing the attempts to launch the site.

I'm suspecting maybe the images in the signature line, or something of that nature, might be the culprit? But I was hoping Malwarebytes Labs could confirm

Maybe I should inform the supplier of the experience?

[Zynthesist]

Are you able to hover your mouse (without clicking) over the images or any links in the email and see the details? 

[Mark_Albrosco]

Below is an image of the only area that contains any links in the email - hovering over the URLs shows a link that matches the hypertext (so it's not a redirect to a bad site). The section above the contact info, is an image - hovering over it does not show any link.

Would you be willing to look directly at the attachment in one of my earlier posts? Maybe I'm missing something?

[TonyCummins]

2 hours ago, Mark_Albrosco said:

Below is an image of the only area that contains any links in the email - hovering over the URLs shows a link that matches the hypertext (so it's not a redirect to a bad site). The section above the contact info, is an image - hovering over it does not show any link.

Would you be willing to look directly at the attachment in one of my earlier posts? Maybe I'm missing something?

Hi Mark,

I'm no expert but i think whats happening with that email is that there are  "tracking" url's embedded in the email associated with that gnway domain. As soon as the email is opened it tries to pull the blank image to show it was opened. As soon as the mail is opened malwarebytes picks up the gnway parent domain and alerts you.

 

<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=QHQ913p6-201809246115858102" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=ng9115S4-201809253135548505" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=267K13dg-201809254163115188" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=Y8y085zK-201811310161302596" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=6n646BVh-201811316135019799" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=75h10c11-201811318181622204" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=09A96795-201811320173828967" style="display:none"></div>

 

[Mark_Albrosco]

Wow...thanks Tony - I've alerted the sender to what we've been experiencing. 

I'm guessing even the sender is unaware of that tracking mechanism embedded in the image.

Should I recommend that they remove the image as it has been identified as the source of the issue?

[TonyCummins]

I'd wait until someone more knowledgeable chimes in   But to me it looks like the original sender wanted to know if / when the email was opened / read, kinda like the read receipt you can turn on in outlook. Instead they used a blank image to track that info, unfortunately for you the image is on a domain that malware bytes does not like. Maybe @Zynthesist can confirm for you as id hate to give you false information

[Mark_Albrosco]

Completely understandable TonyCummins  ...I shall wait for Zynthesist to add his "two cents". Cheers.