Hex Coded attachment - how to block ? - ORF Forums




I got a very new scam email today where the body is just test and the attachment is an .html file.

The HTML file has hex-coded content / script, which I assume will be decoded by the browser, and then the browser will run the decoded content.

Here is the HTML file: https://pastebin.com/x7LYSVNf

Can you suggest how I can block this content, other than by blocking the attachment extension?

by tomasz.sokolowski 11 months ago

Hello Tomasz,

The script is obfuscated code that builds a fake (RBC Royal Bank) login page which is then rendered by the browser, so the code is not malicious in itself, but it could trick someone into handing over their login credentials nonetheless. Typically these kinds of emails are blocked by ORF's automated test, so in the first round I would suggest that you send us the ORF configuration file (orfent.ini) and your ORF logs (stored with .log extension) for a review to see whether you should change anything. The requested files are located in the ORF program directory by default (Program Files (x86)\ORF Fusion).

by Daniel Novak (Vamsoft) 11 months ago
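
As an added illustration (not part of the thread and not ORF functionality), the Python sketch below flags HTML attachments whose content is mostly hex escapes handed to a browser-side decoder, which is the pattern described in the reply above. The escape forms, the 0.5 density threshold and all function names are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed encodings (the thread only says "hex coded"): \xNN, %NN, &#xNN;
HEX_TOKEN = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}|&#x[0-9a-fA-F]{2,4};")
# Browser-side calls that turn the encoded text back into markup.
DECODER_HINT = re.compile(
    r"unescape\s*\(|decodeURIComponent\s*\(|fromCharCode|document\.write", re.I)

def hex_density(text):
    """Fraction of characters that belong to hex-escape tokens."""
    if not text:
        return 0.0
    return sum(len(m.group(0)) for m in HEX_TOKEN.finditer(text)) / len(text)

def suspicious_html_attachments(raw, threshold=0.5):
    """Return [(filename, density)] for mostly-hex HTML attachments that call a decoder."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        is_html = name.endswith((".html", ".htm")) or part.get_content_type() == "text/html"
        if not is_html:
            continue
        content = part.get_content()
        if isinstance(content, bytes):  # non-text MIME type with an .html name
            content = content.decode("utf-8", "replace")
        density = hex_density(content)
        if density >= threshold and DECODER_HINT.search(content):
            hits.append((name, round(density, 2)))
    return hits

def build_sample(html, filename):
    """Constructed message: plain body plus one HTML attachment."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("test")
    m.add_attachment(html.encode(), maintype="text", subtype="html", filename=filename)
    return m.as_bytes()

# Constructed inputs: a percent-hex-encoded form versus ordinary HTML.
ENCODED = "".join("%%%02x" % b for b in
                  b"<form action='#'><input name='pw' type='password'></form>")
OBFUSCATED = build_sample(
    "<script>document.write(unescape('%s'))</script>" % ENCODED, "statement.html")
BENIGN = build_sample(
    "<html><body><p>Invoice total: 100% paid, ref 20AB.</p></body></html>", "invoice.html")

if __name__ == "__main__":
    print(suspicious_html_attachments(OBFUSCATED), suspicious_html_attachments(BENIGN))
```

Requiring both a high escape density and a decoder call keeps ordinary HTML that merely contains a few `%20`-style sequences from matching.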

Hi Daniel,
My ORF setup stops plenty of spam, scam and phishing attempts but this one has sneaked past its radar :)

It was also sent from a proper email relay which had a good reputation.

I will send you the files and mention this forum thread.

Thanks for the reply!

by tomasz.sokolowski 11 months ago

@tomasz.sokolowski: Hello Tomasz,

Thanks, I have received your email and sent you a few configuration tips already. Let me know if you receive any more of these phishing emails and we will continue the investigation.

by Daniel Novak (Vamsoft) 11 months ago