On Wed, 9 May 2018, Alex wrote:
Hi,
Does anyone have any special techniques for catching these invoice phish
emails?
https://pastebin.com/raw/TfvhUu0X
I've added a few body rules, and even after training previous
similar messages as spam, they continue. These emails so closely
resemble legitimate email regarding invoices that purchasing people
fall for them all the time.
Senderscore greater than 90, and routed through O365.
The domain is no longer defined in DNS, but even the x-originating-ip
is not currently listed on any RBL.
Hmmm.
"attached" + "invoice" + no actual attachments? A download URL ain't an
attachment...
Turns out "attach" appears in headers which are apparently processed
by body rules:
body __LOC_BODY_ATTACH /.*attach.*/i
I've set it with the asterisks to include the full output in a rule
hit to identify where exactly it's hitting. In this case it hits on
"X-MS-Has-Attach: yes"
Why is this body rule hitting on a header? I thought only Subject was
considered part of the body?
I can't duplicate that here, "body" does not hit on headers.
Subject is included in the body, but *not* the "Subject:" part...
Does your test message have an inline attachment? Are you sure it's
properly formed?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The ["assault weapons"] ban is the moral equivalent of banning red
cars because they look too fast. -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
405 days since the first commercial re-flight of an orbital booster (SpaceX)
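An added example, not code from the thread and not SpamAssassin rules: the "claims an attachment, mentions an invoice, carries no real attachment, offers a download link instead" heuristic John sketches above, applied with Python's standard email parser to three constructed messages (the vendor domain, invoice number and URL are made up, using the reserved .invalid TLD). The third message is deliberately malformed with a stray blank line inside the header block, which is the one way a body-side check ends up seeing `X-MS-Has-Attach: yes`: the parser treats everything after the first blank line as body, exactly as John suggests may be happening with Alex's test message. Like SpamAssassin, the body text here includes the Subject value but not the `Subject:` header line.

```python
"""Phantom-attachment invoice lure check over constructed sample messages.

Added illustration for the thread; not SpamAssassin code.  All messages
below are constructed for the example (addresses use the reserved .invalid
TLD; the invoice number and URL are invented).
"""
import email
import re
from email import policy
from email.message import EmailMessage

ATTACH_WORDS = re.compile(r"\battach(?:ed|ment)?\b", re.I)
INVOICE_WORDS = re.compile(r"\binvoice\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def body_text(msg):
    """Decoded text of the non-attachment text/* parts, with the Subject
    value prepended (mirroring what a SpamAssassin body rule sees).
    Header lines are never part of this string unless the message is
    malformed so that they sit below the header/body separator."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        chunks.append(part.get_content())
    return "\n".join(chunks)


def has_real_attachment(msg):
    """True if any leaf part is flagged Content-Disposition: attachment
    or is a non-text payload (application/pdf, etc.)."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            return True
        if part.get_content_maintype() != "text":
            return True
    return False


def analyze(raw):
    """Return the individual signals and the combined verdict for one
    raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = body_text(msg)
    hits = {
        "claims_attachment": bool(ATTACH_WORDS.search(text)),
        "mentions_invoice": bool(INVOICE_WORDS.search(text)),
        "has_attachment": has_real_attachment(msg),
        "has_download_url": bool(URL_RE.search(text)),
        # Only true when a header line leaked into the body (malformed mail).
        "header_leaked_into_body": "X-MS-Has-Attach" in text,
    }
    hits["phantom_attachment"] = (
        hits["claims_attachment"]
        and hits["mentions_invoice"]
        and not hits["has_attachment"]
    )
    return hits


# Constructed lure: says "attached", no MIME attachment, download link instead.
PHISH_RAW = b"""From: accounts@vendor-example.invalid
To: purchasing@example.invalid
Subject: Invoice 48213 attached
X-MS-Has-Attach: yes
Content-Type: text/plain; charset=us-ascii

Hello,

Please find attached the invoice for last month's order.
If you cannot open the attachment, download it here:
http://files.vendor-example.invalid/invoice-48213

Regards,
Accounts Payable
"""

# Constructed legitimate message: same wording, but a real PDF attachment.
_legit = EmailMessage()
_legit["Subject"] = "Invoice 1234"
_legit.set_content("Attached is invoice 1234 for your records.")
_legit.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                      subtype="pdf", filename="invoice-1234.pdf")
LEGIT_RAW = _legit.as_bytes()

# Constructed malformed message: blank line inside the header block, so
# X-MS-Has-Attach falls into the body and a body-side "attach" match fires.
MALFORMED_RAW = b"""From: accounts@vendor-example.invalid
Subject: Invoice 48213 attached

X-MS-Has-Attach: yes
Content-Type: text/plain

Please find attached the invoice.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_RAW), ("legit", LEGIT_RAW),
                      ("malformed", MALFORMED_RAW)):
        print(name, analyze(raw))
```

In SpamAssassin terms the same logic is a `body` rule for the "attached invoice" wording, a `mimeheader` rule matching `Content-Disposition: attachment`, and a `meta` rule that requires the first and negates the second; if you want a rule to deliberately see raw headers as well as body, that is what `full` rules are for, whereas a `body` rule should only reach a header line on a malformed message like the third sample.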