Quarantine all PDFs for the time being, and manually review. Implement strict SPF checking - reject any that fail.
Investigate implementing DMARC.

Kurt

On Fri, Oct 6, 2017 at 7:00 AM, Rimmel, Carl <[email protected]> wrote:
> Yes, we use Proofpoint. It has done a great job and will quarantine these
> messages once they get classified. We are dealing with very targeted
> zero-day type PHISHing (our last round were messages composed to look like
> they were sent by our CEO - with his signature and inline photo). The
> payload was an attached PDF with the image having an embedded malicious URL.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Kurt Buff
> Sent: Thursday, October 05, 2017 11:18 AM
> To: [email protected]
> Subject: Re: [Exchange] PDF Spam
>
> No external spam filter? With quarantine?
>
> Kurt
>
> On Thu, Oct 5, 2017 at 7:55 AM, Rimmel, Carl <[email protected]> wrote:
>> We have been seeing an uptick in SPAM containing PDF attachments. The
>> PDFs are composed of a full-page image that, when moused-over, points
>> to a malicious web site. We have tried to use Transport Rules to
>> block these based on the moused-over URL but Exchange seems unable to
>> properly detect these embedded URLs. We are able to use Transport
>> Rules to block PDFs with plain text so we know that the server is inspecting
>> them properly.
>>
>> Any ideas on how to battle these pesky messages?
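Added example, not part of the original thread: a triage helper for the manual review of quarantined PDFs, listing the `/URI` link targets that sit behind a full-page image, including those inside Flate-compressed streams where a text-matching rule does not see them. It is a byte-level scan rather than a full PDF parser (encrypted files and other stream filters are not handled); the function names, the allow-list policy and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlsplit

URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")   # /URI (http://...)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")           # /URI <687474...>
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(data):
    """Yield the decompressed body of every stream that is valid zlib data."""
    for m in STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # image, font or a filter other than FlateDecode


def extract_uris(data):
    """Return the sorted /URI action targets in raw and Flate-compressed objects."""
    found = set()
    for chunk in [data, *inflate_streams(data)]:
        for m in URI_LITERAL.finditer(chunk):
            # undo simple backslash escapes such as \( and \)
            found.add(re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1"))
        for m in URI_HEX.finditer(chunk):
            digits = re.sub(rb"\s", b"", m.group(1))
            digits += b"0" * (len(digits) % 2)  # PDF pads an odd final digit with 0
            found.add(bytes.fromhex(digits.decode()).decode("latin-1"))
    return sorted(found)


def unexpected_links(data, allowed_hosts):
    """URIs whose host is not on the reviewer's allow-list (hypothetical policy)."""
    return [u for u in extract_uris(data)
            if (urlsplit(u).hostname or "") not in allowed_hosts]


# Constructed sample: one link annotation in the clear, one inside a compressed stream.
SAMPLE = (
    b"%PDF-1.5\n1 0 obj\n<< /Subtype /Link /Rect [0 0 612 792] "
    b"/A << /S /URI /URI (http://plain.example/a) >> >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /Subtype /Link /A << /S /URI /URI <"
                    + b"http://hex.example/b".hex().encode() + b"> >> >>")
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for uri in unexpected_links(SAMPLE, {"plain.example"}):
        print("review:", uri)
```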
