More outlook phish


More outlook phish

Alex Regan
Hi,

Received this one today that was delivered to about 25 recipients,
lacked a To header, routed through outlook.com and contained a link to
a Google Drive doc that's still active.

https://pastebin.com/y1k0LtM1

It was done under the pretense of a ShareFile attachment.

Is a plugin necessary to tag on when the Subject matches content in the From?

I've created some body rules, and tweaked my existing outlook.com
rules, but I thought everyone should see this, and thought others
might have additional ideas for blocking...

Re: More outlook phish

John Hardin
On Fri, 8 Jun 2018, Alex wrote:

> Is a plugin necessary to tag on when the Subject matches content in the From?

No, you can do a header rule that matches multiple headers that way. The
problem is there's no guarantee the order the headers appear, so it would
require multiple rules or have incomplete coverage if it's not possible to
express it correctly in both directions.

See for example __SUBJ_HAS_FROM_1 in my sandbox.


--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------

Re: More outlook phish

Rupert Gallagher
In reply to this post by Alex Regan
You did well in noting the lack of the To header. Just raise its score to 5.0. 

Sent from ProtonMail Mobile


On Fri, Jun 8, 2018 at 22:17, Alex <[hidden email]> wrote:
> Hi,
>
> Received this one today that was delivered to about 25 recipients,
> lacked a To header, routed through outlook.com and contained a link to
> a Google Drive doc that's still active.
>
> https://pastebin.com/y1k0LtM1
>
> It was done under the pretense of a ShareFile attachment.
>
> Is a plugin necessary to tag on when the Subject matches content in the From?
>
> I've created some body rules, and tweaked my existing outlook.com
> rules, but I thought everyone should see this, and thought others
> might have additional ideas for blocking...

Re: More outlook phish

David Jones
In reply to this post by Alex Regan
On 06/08/2018 03:17 PM, Alex wrote:

> Hi,
>
> Received this one today that was delivered to about 25 recipients,
> lacked a To header, routed through outlook.com and contained a link to
> a Google Drive doc that's still active.
>
> https://pastebin.com/y1k0LtM1
>
> It was done under the pretense of a ShareFile attachment.
>
> Is a plugin necessary to tag on when the Subject matches content in the From?
>
> I've created some body rules, and tweaked my existing outlook.com
> rules, but I thought everyone should see this, and thought others
> might have additional ideas for blocking...
>


Content analysis details:   (5.8 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
  2.2 MISSING_HEADERS        Missing To: header
  0.0 T_KAM_HTML_FONT_INVALID BODY: Test for Invalidly Named or Formatted
                             Colors in HTML
 -3.2 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                             background
  1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]
  0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK
                             signature
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
                             necessarily valid
  0.2 ENA_NOT_DKIM_VALID_AU  DKIM signed and valid but not from the
                             originating author
  1.2 KAM_SHORT              Use of a URL Shortener for very short URL
  0.2 ENA_NO_TO_CC           No To: or Cc: so it must have been
                             completely Bcc'd
  0.2 ENA_FREEMAIL           No description available.
  2.2 ENA_DIGEST_FREEMAIL    Freemail account hitting message digest
                             spam seen by the Internet (DCC, Pyzor, or Razor).


Reminder that I treat all senders on Office 365 as FREEMAIL (commonly
abused senders) which gets penalized with meta rules to amplify many
scores.  If something comes from Office 365 with no To: or Cc: header
with a URL shortener, that should be very suspicious.  I need to add
another meta rule that combines ENA_FREEMAIL and KAM_SHORT to add a
couple more points.

--
David Jones

Re: More outlook phish

Alex Regan
Hi,

>  2.2 ENA_DIGEST_FREEMAIL    Freemail account hitting message digest spam

It didn't hit any digests when it was received.

> Reminder that I treat all senders on Office 365 as FREEMAIL (commonly abused
> senders) which gets penalized with meta rules to amplify many scores.  If
> something comes from Office 365 with no To: or Cc: header with a URL
> shortener that should be very suspicious.  I need to add another meta rule
> that combines ENA_FREEMAIL and KAM_SHORT to add a couple more points.

Almost missed that one; thanks as always.

Is O365 any worse than all other freemail senders? Maybe they should
be penalized as well...

Re: More outlook phish

RW-15
In reply to this post by John Hardin
On Fri, 8 Jun 2018 13:38:47 -0700 (PDT)
John Hardin wrote:

> On Fri, 8 Jun 2018, Alex wrote:
>
> > Is a plugin necessary to tag on when the Subject matches content in
> > the From?  
>
> No, you can do a header rule that matches multiple headers that way.
> The problem is there's no guarantee the order the headers appear, so
> it would require multiple rules or have incomplete coverage if it's
> not possible to express it correctly in both directions.

It can be done if you capture inside a lookahead. For example:


body  X_EQUALS_Y   /^(?=.*X=(\d+)\b).*Y=\1\b/


will match on the strings

   'let X=9 and Y=9'
or
   'let Y=9 and X=9'

but not on

   'let X=4 and Y=9'

Re: More outlook phish

Grant Taylor
On 06/08/2018 05:36 PM, RW wrote:
> It can be done if you capture inside a lookahead. For example:

Intriguing.

> body  X_EQUALS_Y   /^(?=.*X=(\d+)\b).*Y=\1\b/

Can I ask that you unpack that Regular Expression?  Please.

I'm apparently too rusty to unpack it myself.

> will match on the strings
>
>     'let X=9 and Y=9'
> or
>     'let Y=9 and X=9'

That makes sense and is desirable.

> but not on
>
>     'let X=4 and Y=9'

That is to be expected.



--
Grant. . . .
unix || die



Re: More outlook phish

John Hardin
On Fri, 8 Jun 2018, Grant Taylor wrote:

> On 06/08/2018 05:36 PM, RW wrote:
>> It can be done if you capture inside a lookahead. For example:
>
> Intriguing.

Indeed.

>> body  X_EQUALS_Y   /^(?=.*X=(\d+)\b).*Y=\1\b/
>
> Can I ask that you unpack that Regular Expression?  Please.
>
> I'm apparently too rusty to unpack it myself.

Apparently:  (?=...) is true if it matches anywhere after that point, but
it is a zero width assertion. So it matches if it occurs in the ".*" prior
to the Y bit, and it also matches if it occurs *after* the Y bit. The cool
part is it includes a capture, so it will pull out matching text before
*or* after the Y bit that can be used in the rest of the expression...

Learn something new every day.

I will have to play with that and see if I can simplify some of my
multiple-header-match rules and get from-in-subj to work regardless of the
header order.

Thanks!

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   A superior gunman is one who uses his superior judgment to keep
   himself out of situations that would require the use of his
   superior skills.
-----------------------------------------------------------------------
  435 days since the first commercial re-flight of an orbital booster (SpaceX)
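RW's lookahead rule and John's unpacking of it, as an added Python example (not from the thread or anyone's sandbox): Python's re has the same atomic lookahead and backreference semantics as Perl, so the rule translates directly, and the second pattern applies the same trick to Alex's original From-in-Subject question over a whole header block (what a SpamAssassin rule on the ALL pseudo-header sees), so it works whichever header comes first. The header samples and the display name are constructed.

```python
import re

# RW's rule: X=<n> and Y=<n> must carry the same number, in either order.
# The zero-width lookahead captures n wherever X= occurs (before or after
# the Y= part); \1 then demands the same digits after Y=. The trailing \b
# stops "Y=1" from satisfying a captured "12".
X_EQUALS_Y = re.compile(r'^(?=.*X=(\d+)\b).*Y=\1\b')

def x_equals_y(s):
    return X_EQUALS_Y.search(s) is not None

# Same technique over a header block: capture the From display name in a
# lookahead (wherever From: sits), then require it somewhere in Subject.
# Constructed pattern, not a rule from any published sandbox.
FROM_IN_SUBJ = re.compile(
    r'(?=.*?^From:[ \t]*"?([^"<\r\n]+?)"?[ \t]*<)'  # capture display name
    r'.*?^Subject:[^\r\n]*\b\1\b',                   # ...and find it in Subject
    re.S | re.M)

def from_in_subject(headers):
    return FROM_IN_SUBJ.search(headers) is not None

# Constructed header blocks: the same two headers in both orders, plus a
# benign message whose Subject does not repeat the sender name.
FROM_FIRST = ('From: "Pat Example" <pat@example.com>\n'
              'To: undisclosed-recipients:;\n'
              'Subject: Pat Example shared "Q2 Invoice.pdf" with you\n')
SUBJ_FIRST = ('Subject: Pat Example shared "Q2 Invoice.pdf" with you\n'
              'From: "Pat Example" <pat@example.com>\n')
UNRELATED = ('From: "Pat Example" <pat@example.com>\n'
             'Subject: Minutes from Thursday\n')
```

Because a Python lookahead is atomic, once the group has captured a name the engine will not shrink it to find a weaker match, which is the same behaviour the Perl rule relies on.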

Re: More outlook phish

Rupert Gallagher
In reply to this post by David Jones

On Fri, Jun 8, 2018 at 23:05, David Jones <[hidden email]> wrote:

> 2.2 MISSING_HEADERS Missing To: header

The following is all one needs.

5.0 MISSING_HEADERS Missing To: header

Remember that e-mail is mail after all.



Re: More outlook phish

PeterD


>On Saturday, June 9, 2018, 8:03:31 AM GMT+2, Rupert Gallagher <[hidden email]> wrote:

>On Fri, Jun 8, 2018 at 23:05, David Jones <[hidden email]> wrote:

> 2.2 MISSING_HEADERS Missing To: header

>The following is all one needs.

>5.0 MISSING_HEADERS Missing To: header

>Remember that e-mail is mail after all.



The To: header may not exist in Outlook if all recipients were in BCC and the original To: is company internal...

----
Pedro





Re: More outlook phish

David Jones
On 06/09/2018 07:08 AM, Pedro David Marco wrote:

>
>
>  >On Saturday, June 9, 2018, 8:03:31 AM GMT+2, Rupert Gallagher
> <[hidden email]> wrote:
>
>  >On Fri, Jun 8, 2018 at 23:05, David Jones <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>> 2.2 MISSING_HEADERS Missing To: header
>
>>The following is all one needs.
>
>>5.0 MISSING_HEADERS Missing To: header
>
>>Remember that e-mail is mail after all.
>
>
>
> The To: header may not exist in Outlook if all recipients were in BCC
> and the original To: is company internal...
>

Email etiquette and best practices recommend putting your own email
address in the To: if there are no other addresses in the To: when
Bcc'ing.  This protects the privacy of all recipients and handles the
Reply-To-All situation well.

Leaving the To: empty looks very spammy to many mail filters so I try to
educate senders when I come across these situations to help them get the
best delivery results to the Internet.  Internally that may be fine.

--
David Jones

Re: More outlook phish

John Hardin
In reply to this post by PeterD
On Sat, 9 Jun 2018, Pedro David Marco wrote:

> >On Saturday, June 9, 2018, 8:03:31 AM GMT+2, Rupert Gallagher <[hidden email]> wrote:
> >On Fri, Jun 8, 2018 at 23:05, David Jones <[hidden email]> wrote:
>  > 2.2 MISSING_HEADERS Missing To: header
>  >The following is all one needs.
>  >5.0 MISSING_HEADERS Missing To: header
>
>  >Remember that e-mail is mail after all.
>
> The To: header may not exist in Outlook if all recipients were in BCC and the original To: is company internal...
> ----Pedro

Sigh. MSFT can't even get "To: Undisclosed Recipients" correct.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   I'll have that son of a bitch eating out of dumpsters in less than
   two years.       -- MS CEO Steve Ballmer, on RedHat CEO Matt Szulik
-----------------------------------------------------------------------
  436 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: More outlook phish

Alex Regan
Hi,

On a somewhat related note, I just noticed one of our customers has
listed spf.protection.outlook.com in their SPF record:

bestwesternnwcc.com.    600     IN      TXT     "v=spf1
include:spf.protection.outlook.com -all"

Doesn't this amount to thousands of IP addresses that could
conceivably be used to spoof any other domain that's "hosted" using
one of those IPs?

This is apparently the recommended config according to MS:
https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx

>   I'll have that son of a bitch eating out of dumpsters in less than
>   two years.       -- MS CEO Steve Ballmer, on RedHat CEO Matt Szulik

omg, that's hilarious.

Re: More outlook phish

David Jones
On 06/09/2018 01:28 PM, Alex wrote:

> Hi,
>
> On a somewhat related note, I just noticed one of our customers has
> listed spf.protection.outlook.com in their SPF record:
>
> bestwesternnwcc.com.    600     IN      TXT     "v=spf1
> include:spf.protection.outlook.com -all"
>
> Doesn't this amount to thousands of IP addresses that could
> conceivably be used to spoof any other domain that's "hosted" using
> one of those IPs?
>

You are correct.  We saw a spoofed toysrus.com email from a compromised
account on Office 365 posted on this mailing list in the last year
sometime.  That means that someone can easily send a fake email from
O365 and pass SPF checks if Microsoft doesn't properly detect/prevent this.

I recall another thread on this list that said Microsoft forces webmail
and native Outlook clients to send within their own domain/organization
but I am pretty sure an AUTH SMTP client (i.e. Thunderbird, Apple Mail,
etc.) can specify an envelope-from domain outside of their own
domain/org.  Maybe MS has blocked this recently but I know I have seen
this in the wild a year or two ago.

The best thing to do is get DKIM signing set up on your own domains and
try to move toward DMARC p=reject to prevent spoofing.  This primarily
needs to be done by high profile domains first that are common
candidates to be spoofed.  I doubt that anyone would really want to
spoof ena.com on a large scale but bestwesternnwcc.com could be valuable
to spoof.

--
David Jones
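To make Alex's question and David's answer concrete, an added example (not from the thread, and not Microsoft's real record data) that expands an SPF include chain with a stub resolver and shows what a record like the one above actually authorizes. The top record is the one quoted above; the two included records, their documentation-prefix networks and the resolver dictionary are constructed.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. The top record is the one quoted
# in the thread; the two included records are invented and do NOT reproduce
# Microsoft's real spf.protection.outlook.com data.
TXT = {
    'bestwesternnwcc.com': 'v=spf1 include:spf.protection.outlook.com -all',
    'spf.protection.outlook.com':
        'v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:spfa.example.net -all',
    'spfa.example.net': 'v=spf1 ip4:203.0.113.0/25 ip6:2001:db8::/32 -all',
}

def expand_spf(domain, txt=TXT, depth=0):
    """Return (authorized networks, count of DNS-querying terms).

    include: is followed recursively, so every network the provider lists
    becomes an authorized source for *this* domain. Only ip4/ip6/include
    are expanded; a/mx/ptr/exists are counted but not resolved offline.
    """
    if depth > 10:
        raise ValueError('include nesting too deep at %s' % domain)
    nets, lookups = [], 0
    for term in txt.get(domain, 'v=spf1').split()[1:]:
        qual = '+'
        if term[0] in '+-~?':
            qual, term = term[0], term[1:]
        if qual != '+':                  # -/~/? terms authorize nothing
            continue
        if term.startswith(('ip4:', 'ip6:')):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith('include:'):
            sub_nets, sub_lookups = expand_spf(term[8:], txt, depth + 1)
            nets.extend(sub_nets)
            lookups += 1 + sub_lookups
        elif term.split(':')[0] in ('a', 'mx', 'ptr', 'exists'):
            lookups += 1                 # would need DNS; '+all' is ignored
    return nets, lookups

def authorized_ipv4_count(domain, txt=TXT):
    """How many distinct IPv4 addresses may send MAIL FROM this domain."""
    v4 = [n for n in expand_spf(domain, txt)[0] if n.version == 4]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))

def spf_authorizes(domain, ip, txt=TXT):
    """Would a plain SPF check pass for `ip` claiming MAIL FROM `domain`?"""
    addr = ipaddress.ip_address(ip)
    nets, lookups = expand_spf(domain, txt)
    if lookups > 10:                     # RFC 7208 4.6.4: permerror, not pass
        return False
    return any(addr.version == n.version and addr in n for n in nets)
```

Run against real DNS, the same walk shows how many shared-provider addresses the include admits; whether another tenant on those addresses can use them for your domain is then entirely down to the provider enforcing sender-domain ownership, which is why David points at DKIM and DMARC p=reject.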

Re: More outlook phish

PeterD
I agree with David Jones that DKIM is helpful in here, BUT I often see MS switching the order of headers whimsically...

----
Pedro

Re: More outlook phish

Jim Knuth
In reply to this post by Rupert Gallagher
On 09.06.18, 08:03, Rupert Gallagher <[hidden email]> wrote:

>
> On Fri, Jun 8, 2018 at 23:05, David Jones <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>> 2.2 MISSING_HEADERS Missing To: header
>
> The following is all one needs.
>
> 5.0 MISSING_HEADERS Missing To: header


Sorry, but I cannot find ... ;) In which file
is that?

--
With kind regards,
Jamie Katharina Knuth

Re: More outlook phish

Grant Taylor
In reply to this post by PeterD
On 06/09/2018 02:24 PM, Pedro David Marco wrote:
> I agree with David Jones that DKIM is helpful in here, BUT I often see
> MS switching the order of headers whimsically...

I don't think the order of the headers matters as long as the contents
of the header aren't changed.

Note:  White space (re)wrapping counts as changing the contents.



--
Grant. . . .
unix || die
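Grant's note describes DKIM's "simple" header canonicalization; the signer's c= tag can instead select "relaxed" (RFC 6376 section 3.4.2), which unfolds and squeezes whitespace before hashing. An added example (not from the thread) with a constructed From/Subject pair that shows reordering distinct headers is harmless under both, while an MTA re-folding the Subject only survives relaxed:

```python
import re

def canon_relaxed(name, value):
    # RFC 6376 3.4.2 "relaxed": lowercase the field name, unfold continuation
    # lines, squeeze WSP runs to one SP, drop WSP at the ends of the value
    # and around the colon.
    v = re.sub(r'\r?\n[ \t]+', ' ', value)
    v = re.sub(r'[ \t]+', ' ', v).strip()
    return '%s:%s' % (name.lower(), v)

def canon_simple(name, value):
    # RFC 6376 3.4.1 "simple": the header field is hashed verbatim.
    return '%s:%s' % (name, value)

def signed_header_block(headers, h_list, canon):
    # Text that goes under the signature: for each name in h=, take the
    # lowest not-yet-used instance (as a verifier does), in h= order.
    # `headers` is a list of (name, value) pairs in message order, so the
    # physical order of distinct headers never enters the hash.
    pool, out = list(headers), []
    for wanted in h_list:
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == wanted:
                out.append(canon(*pool.pop(i)))
                break
    return '\r\n'.join(out)

# Constructed header sets: the same From/Subject emitted in two orders, and
# once with the Subject re-folded by an intermediate MTA.
ORIGINAL = [('From', ' "Pat Example" <pat@example.com>'),
            ('Subject', ' Pat Example shared a file with you')]
REORDERED = list(reversed(ORIGINAL))
REWRAPPED = [('From', ' "Pat Example" <pat@example.com>'),
             ('Subject', ' Pat Example shared\r\n    a file with you')]
H = ['from', 'subject']

def same_under(canon, a, b):
    """True if both header sets hash to the same signed text under `canon`."""
    return signed_header_block(a, H, canon) == signed_header_block(b, H, canon)
```

Duplicate header names are the one case where order does matter, since each h= entry consumes the next lower instance; that is why the signer should sign the last instance and may list a name once more than it occurs to pin the count.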

Re: More outlook phish

Benny Pedersen-2
In reply to this post by Alex Regan
Alex wrote on 2018-06-09 20:28:

> bestwesternnwcc.com.    600     IN      TXT     "v=spf1
> include:spf.protection.outlook.com -all"

> omg, that's hilarious.

https://dmarcian.com/spf-survey/?domain=bestwesternnwcc.com

If all IPs have SASL auth with a single backend to make it password
protected, it's not possible to spoof if all is set up correctly, but that's
not simply white or black; with so many IPs, there can still be one that
fails miserably.

Re: More outlook phish

Matus UHLAR - fantomas
In reply to this post by Alex Regan
On 09.06.18 14:28, Alex wrote:
>On a somewhat related note, I just noticed one of our customers has
>listed spf.protection.outlook.com in their SPF record:
>
>bestwesternnwcc.com.    600     IN      TXT     "v=spf1
>include:spf.protection.outlook.com -all"
>
>Doesn't this amount to thousands of IP addresses that could
>conceivably be used to spoof any other domain that's "hosted" using
>one of those IPs?

I believe M$ requires users to be authenticated within the domain before
they are allowed to send using your domain.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 of your friends - let them see what an idiot you are

Re: More outlook phish

Grant Taylor
On 06/10/2018 12:02 PM, Matus UHLAR - fantomas wrote:
> I believe M$ requires users to be authenticated within the domain before
> they are allowed to send using your domain.

Is that authenticating to the MS SMTP server with any recognized
account?  Or specifically associated with the purported sending domain?



--
Grant. . . .
unix || die