Mark_Albrosco

Email with link to blocked site


Malwarebytes Cloud Protection reported a blocked website for one of my users.

Investigation revealed that the user did not browse to the site, but an email received from a supplier contact, when opened in the preview pane of Outlook Web Access, immediately results in a series of popups from Malwarebytes Endpoint Protection, as below:

[image attachment]

I checked the URL using virustotal.com and the results were as follows:

[image attachment]

I've attached a zip file containing the email. I'd like it to be analyzed so that I can report what is causing the email to attempt to make an outbound connection. I also intend to contact our supplier and alert them to this issue, so that they can take appropriate action.

Mark.

Email-CrossBrowser-blocked.zip


I mistakenly posted that request when it was to be an Administration Flag for action. I deleted the post and flagged the thread to be moved by the Forum Admin.

My apology for any confusion that action may have caused.


I'm sorry that no staff member has replied to your topic. Maybe a "bump" is in order.

Ping @djacobson

Edited by David H. Lipman


We are not blocking the hostname from your block, but we are blocking the parent:

*.gnway.cc

Block is for Trojan.XLoader.FakeSpy

One blocked example here:

https://houtaijp.gnway.cc/

https://www.virustotal.com/#/url/39e40a8b0909bb622f270b464268b2f6364a7678839a8b740bb42d5a7dd6d78c/detection


Thanks Zynthesist. The host (onlykem) is a supplier; users get email from them on occasion.

As soon as the email is opened, the user receives "blocked site" notifications.

They haven't clicked any links in the email, so I'm having trouble understanding what about the email is causing the attempts to launch the site.

I'm suspecting maybe the images in the signature line, or something of that nature, might be the culprit? But I was hoping Malwarebytes Labs could confirm.

Maybe I should inform the supplier of the experience?


Below is an image of the only area that contains any links in the email. Hovering over the URLs shows a link that matches the hypertext (so it's not a redirect to a bad site). The section above the contact info is an image; hovering over it does not show any link.

Would you be willing to look directly at the attachment in one of my earlier posts? Maybe I'm missing something?

[image attachment]

2 hours ago, Mark_Albrosco said:

Below is an image of the only area that contains any links in the email. Hovering over the URLs shows a link that matches the hypertext (so it's not a redirect to a bad site). The section above the contact info is an image; hovering over it does not show any link.

Would you be willing to look directly at the attachment in one of my earlier posts? Maybe I'm missing something?

[image attachment]

Hi Mark,

I'm no expert, but I think what's happening with that email is that there are "tracking" URLs embedded in the email associated with that gnway domain. As soon as the email is opened it tries to pull the blank image to show it was opened. As soon as the mail is opened, Malwarebytes picks up the gnway parent domain and alerts you.

<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=QHQ913p6-201809246115858102" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=ng9115S4-201809253135548505" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=267K13dg-201809254163115188" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=Y8y085zK-201811310161302596" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=6n646BVh-201811316135019799" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=75h10c11-201811318181622204" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=09A96795-201811320173828967" style="display:none"></div>

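As an added example, not code from the thread or from Malwarebytes, here is a small Python script that does what Tony did by hand: it parses an HTML email body, picks out images that are hidden (display:none or 1x1 pixel), extracts the trackCode parameter, and checks each image host against a wildcard block such as *.gnway.cc. The sample HTML is constructed inline, modelled on the img tags quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample body modelled on the snippet quoted in the thread.
SAMPLE_HTML = """<html><body>
<img src="https://example.invalid/logo.png" alt="logo" width="120">
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=QHQ913p6-201809246115858102" style="display:none">
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=ng9115S4-201809253135548505" style="display:none">
<a href="https://example.invalid/">Our site</a>
</body></html>"""

class ImgCollector(HTMLParser):
    # Collects the attributes of every <img> tag in the document.
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def is_hidden(attrs):
    """Heuristic: display:none, or a 0/1-pixel image, reads as a tracking beacon."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    return "display:none" in style or tiny

def host_matches(host, pattern):
    """Wildcard match as in the thread: '*.gnway.cc' covers onlykem.gnway.cc and gnway.cc."""
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".gnway.cc"
        return host.endswith(suffix) or host == pattern[2:]
    return host == pattern.lower()

def find_tracking_pixels(html, blocked_patterns):
    """Return (host, trackCode, blocked) for each hidden remote image in the HTML."""
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src") or ""
        if not is_hidden(attrs) or not src.startswith(("http://", "https://")):
            continue                  # visible or inline images are not beacons
        parts = urlsplit(src)
        code = parse_qs(parts.query).get("trackCode", [None])[0]
        blocked = any(host_matches(parts.hostname or "", p) for p in blocked_patterns)
        findings.append((parts.hostname, code, blocked))
    return findings
```

Running find_tracking_pixels(SAMPLE_HTML, ["*.gnway.cc"]) on a saved .eml body shows which hidden images would be fetched on preview and which of their hosts fall under the block, which is the evidence to hand the supplier.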

Wow... thanks Tony. I've alerted the sender to what we've been experiencing.

I'm guessing even the sender is unaware of that tracking mechanism embedded in the image.

Should I recommend that they remove the image as it has been identified as the source of the issue?


I'd wait until someone more knowledgeable chimes in :) But to me it looks like the original sender wanted to know if / when the email was opened / read, kinda like the read receipt you can turn on in Outlook. Instead they used a blank image to track that info; unfortunately for you, the image is on a domain that Malwarebytes does not like. Maybe @Zynthesist can confirm for you, as I'd hate to give you false information :)
