Note: Neither client nor server is Windows. The attached file type is a generic "data" on Unix. On a Windows client the file runs as an executable. An SA rule should merely detect that the file type is a generic "data" file.

-------- Original Message --------
On Feb 7, 2023, 11:15, Rupert Gallagher wrote:
> I received a spam message with score -1. Well written, looks like legit commercial mail, asking
> for a quotation, with details in the attachment, a 3MB file with the unknown
> extension ".one".
>
> The file turns out to be a Windows Trojan:
>
> https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de85c45d25647eaac40b
>
> Both SA and ClamAV passed it as legit.
>
> We should have an SA rule that says: "attached file with unknown data type".
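The check the thread asks for, as an added illustration that is not an SpamAssassin rule nor code from either poster: parse a message, and for every attachment record its extension and whether the first bytes match any well-known magic signature. An attachment that matches nothing is what file(1) reports as plain "data", which is the signal the note above wants flagged; an extension outside a small allow-list is the second signal from the original post. The sample message, the magic table and the extension allow-list are constructed for this example, and the .one payload is deliberately filler bytes, not a real OneNote file.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic signatures for a handful of common attachment formats (assumption:
# this short table stands in for file(1)'s magic database).
KNOWN_MAGIC = {
    "pdf": b"%PDF-",
    "zip/ooxml": b"PK\x03\x04",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "ole2 (doc/xls/msi)": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "gzip": b"\x1f\x8b",
    "pe (exe/dll)": b"MZ",
}

# Extensions a quotation request might legitimately carry (constructed allow-list).
KNOWN_EXTENSIONS = {"pdf", "docx", "xlsx", "pptx", "zip", "png", "jpg", "jpeg", "txt", "csv", "gz"}


def classify_bytes(data: bytes) -> str:
    """Return the matching format name, or "data" when no signature matches
    (the same generic answer file(1) gives for an unrecognised blob)."""
    for name, magic in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return "data"


def scan_message(raw: bytes) -> list[dict]:
    """Describe every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        payload = part.get_payload(decode=True) or b""
        kind = classify_bytes(payload)
        findings.append({
            "filename": filename,
            "extension": ext,
            "size": len(payload),
            "magic": kind,
            "unknown_extension": ext not in KNOWN_EXTENSIONS,
            "generic_data": kind == "data",
        })
    return findings


def suspicious(findings: list[dict]) -> list[dict]:
    """Attachments that would trigger the rule: unrecognised content or extension."""
    return [f for f in findings if f["generic_data"] or f["unknown_extension"]]


def build_sample() -> bytes:
    """Constructed lure: a plausible quotation request with a harmless-looking PDF
    and a .one attachment whose bytes match no known format."""
    msg = EmailMessage()
    msg["From"] = "sales@example.invalid"
    msg["To"] = "purchasing@example.invalid"
    msg["Subject"] = "Request for quotation"
    msg.set_content("Please see the attached files for the details of our request.")
    msg.add_attachment(b"%PDF-1.7\n%constructed placeholder body\n",
                       maintype="application", subtype="pdf", filename="terms.pdf")
    msg.add_attachment(b"\x00" * 64 + b"constructed filler, not a real OneNote file",
                       maintype="application", subtype="octet-stream", filename="quotation.one")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample()):
        flag = "FLAG" if f["generic_data"] or f["unknown_extension"] else "ok  "
        print(flag, f["filename"], f["magic"], f["size"], "bytes")
```

Only the .one attachment is reported: its extension is not on the allow-list and its content matches no signature, while the PDF passes both checks. In SpamAssassin itself the extension half of this maps naturally onto a `mimeheader` rule matching the `name=` or `filename=` parameter, whereas the "generic data" half needs content inspection that a stock rule cannot do, which is why the scan is shown here in Python.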