Hex Coded attachment - how to block ?



I got a very new scam email today where the body is just test and the attachment is an .html file.

The HTML file has hex-coded content / script, which I assume will be decoded by the browser, and then the browser will run the decoded content.

Here is the HTML file: https://pastebin.com/x7LYSVNf

Can you suggest how I can block this content, other than by blocking the attachment extension?

by tomasz.sokolowski 6 months ago

Hello Tomasz,

The script is obfuscated code that builds a fake (RBC Royal Bank) login page which is then rendered by the browser, so the code is not malicious in itself, but it could trick someone into handing over their login credentials nonetheless. Typically these kinds of emails are blocked by ORF's automated test, so in the first round I would suggest that you send us the ORF configuration file (orfent.ini) and your ORF logs (stored with .log extension) for a review to see whether you should change anything. The requested files are located in the ORF program directory by default (Program Files (x86)\ORF Fusion).

by Daniel Novak (Vamsoft) 6 months ago
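As an added example (not part of the original thread and not ORF code), the check below decodes long hex-encoded runs in an HTML attachment and flags the file when the hidden markup contains a login form, which is the behaviour described in the reply above. The encodings handled (percent-encoding and `\x` escapes), the 20-byte threshold, all function names and the samples are assumptions constructed for illustration, since the pastebin file is not reproduced here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Runs of 20+ encoded bytes: %3C%68... (percent-encoding) or \x3c\x68... (JS escapes).
PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){20,}")
HEX_RUN = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){20,}")

class FormFinder(HTMLParser):
    """Records whether markup contains a <form> and a password input."""
    def __init__(self):
        super().__init__()
        self.has_form = self.has_password = False

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.has_form = True
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password = True

def decode_runs(html):
    """Decode every long hex-encoded run found in the attachment text."""
    runs = [unquote(m.group(0), encoding="latin-1") for m in PCT_RUN.finditer(html)]
    runs += [bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1")
             for m in HEX_RUN.finditer(html)]
    return runs

def classify(html):
    """'block': hidden markup holds a login form; 'review': encoded only; else 'pass'."""
    runs = decode_runs(html)
    if not runs:
        return "pass"
    finder = FormFinder()
    finder.feed("".join(runs))
    finder.close()
    return "block" if finder.has_form and finder.has_password else "review"

# Constructed samples (not the pastebin file from the thread).
def _enc(text, fmt):
    return "".join(fmt % b for b in text.encode("latin-1"))
HIDDEN = '<form action="https://example.invalid/"><input type="password" name="p"></form>'
PHISH_PCT = "<script>document.write(unescape('" + _enc(HIDDEN, "%%%02X") + "'))</script>"
PHISH_HEX = "<script>document.write('" + _enc(HIDDEN, "\\x%02x") + "')</script>"
ENCODED_ONLY = "<script>var s='" + _enc("just a long harmless string here", "%%%02X") + "'</script>"
CLEAN = "<html><body><a href='https://example.com/a%20b'>Q3 report</a></body></html>"

if __name__ == "__main__":
    for name in ("PHISH_PCT", "PHISH_HEX", "ENCODED_ONLY", "CLEAN"):
        print(name, classify(globals()[name]))
```

A "review" result means the attachment hides content behind hex encoding without an obvious credential form, so it is a candidate for quarantine rather than an outright block.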

Hi Daniel,
My ORF setup stops plenty of spam, scam and phishing attempts but this one has sneaked past its radar :)

It was also sent from a proper email relay which had a good reputation.

I will send you the files and mention this forum thread.

Thanks for the reply!

by tomasz.sokolowski 6 months ago

@tomasz.sokolowski: Hello Tomasz,

Thanks, I have received your email and sent you a few configuration tips already. Let me know if you receive any more of these phishing emails and we will continue the investigation.

by Daniel Novak (Vamsoft) 6 months ago