Hex Coded attachment - how to block?
Hello Tomasz,
The script is obfuscated code that builds a fake (RBC Royal Bank) login page which is then rendered by the browser, so the code is not malicious in itself, but it could trick someone into handing over their login credentials nonetheless. Typically these kinds of emails are blocked by ORF's automated test, so in the first round I would suggest that you send us the ORF configuration file (orfent.ini) and your ORF logs (stored with .log extension) for a review to see whether you should change anything. The requested files are located in the ORF program directory by default (Program Files (x86)\ORF Fusion).
Hi Daniel,
My ORF setup stops plenty of spam, scam and phishing attempts but this one has sneaked past its radar :)
It was also sent from a proper email relay which had a good reputation.
I will send you the files and mention this forum thread.
Thanks for the reply!
@tomasz.sokolowski:
Hello Tomasz,
Thanks, I have received your email and sent you a few configuration tips already. Let me know if you receive any more of these phishing emails and we will continue the investigation.
Hi,
I got a very new scam email today where the body is just test and the attachment is an .html file.
The HTML file has hex-coded content / script, which I assume will be decoded by the browser, and then the browser will run the decoded content.
Here is the html file : https://pastebin.com/x7LYSVNf
Can you suggest how I can block this content, other than by blocking the attachment extension?
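
A content-based check for the kind of attachment described in this thread, as an added example that is not part of the original posts and not an ORF feature: it flags HTML attachments whose script body consists mostly of hex escapes. The escape styles, the threshold, the function names and the sample messages are all assumptions constructed for illustration; the thread does not show how the actual sample is encoded.

```python
import re
from email.message import EmailMessage

# Assumed escape styles (%XX, \xXX, \u00XX); the thread does not show the sample's encoding.
HEX_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}|\\u00[0-9A-Fa-f]{2}")
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)

def hex_ratio(text):
    """Fraction of characters in text that sit inside hex escape sequences."""
    if not text:
        return 0.0
    return sum(len(m.group(0)) for m in HEX_ESCAPE.finditer(text)) / len(text)

def suspicious_html_attachments(msg, threshold=0.5, min_len=60):
    """Return filenames of HTML attachments carrying a mostly hex-escaped script."""
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or name.lower().endswith((".html", ".htm")))
        if not is_html or part.get_content_disposition() != "attachment":
            continue
        raw = part.get_payload(decode=True) or b""
        body = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        if any(len(s) >= min_len and hex_ratio(s) >= threshold
               for s in SCRIPT.findall(body)):
            hits.append(name)
    return hits

def build_sample(script_body, filename="attachment.html"):
    """Constructed test message: plain-text body plus one HTML attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("test")
    msg.add_attachment(f"<html><body><script>{script_body}</script></body></html>",
                       subtype="html", filename=filename)
    return msg

# Constructed inputs: a harmless form, percent-encoded, versus ordinary script text.
ENCODED = "".join(f"%{b:02X}" for b in b"<form><input name=user></form>")
OBFUSCATED = f'document.write(unescape("{ENCODED}"));'
PLAIN = "function greet(name) { console.log('hello ' + name); return name.length; }"

if __name__ == "__main__":
    print(suspicious_html_attachments(build_sample(OBFUSCATED)))  # flagged
    print(suspicious_html_attachments(build_sample(PLAIN)))       # not flagged
```

The ratio is measured per script block rather than over the whole file, so a long legitimate page with a few encoded URLs does not trip the threshold.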