Most won't understand that until it happens to them. Until then, it's someone else's problem...
On Oct 7, 2017 7:12 PM, "Kurt Buff" <[email protected]> wrote:

> Yep.
>
> They need to understand what it costs to have Brian Krebs call and
> interview them about their impressive shiny new breach.
>
> Kurt
>
> On Sat, Oct 7, 2017 at 3:43 PM, Richard Stovall <[email protected]> wrote:
> > Massive potential pushback from mgmt on manual review. Just sayin'.
> >
> > On Fri, Oct 6, 2017 at 11:51 AM, Kurt Buff <[email protected]> wrote:
> >>
> >> Quarantine all PDFs for the time being, and manually review.
> >>
> >> Implement strict SPF checking - reject any that fail.
> >>
> >> Investigate implementing DMARC.
> >>
> >> Kurt
> >>
> >> On Fri, Oct 6, 2017 at 7:00 AM, Rimmel, Carl <[email protected]> wrote:
> >> > Yes, we use Proofpoint. It has done a great job and will quarantine
> >> > these messages once they get classified. We are dealing with very targeted
> >> > zero-day type PHISHing (our last round were messages composed to look like
> >> > they were sent by our CEO - with his signature and inline photo). The
> >> > payload was an attached PDF with the image having an embedded malicious URL.
> >> >
> >> > -----Original Message-----
> >> > From: [email protected]
> >> > [mailto:[email protected]] On Behalf Of Kurt Buff
> >> > Sent: Thursday, October 05, 2017 11:18 AM
> >> > To: [email protected]
> >> > Subject: Re: [Exchange] PDF Spam
> >> >
> >> > No external spam filter? With quarantine?
> >> >
> >> > Kurt
> >> >
> >> > On Thu, Oct 5, 2017 at 7:55 AM, Rimmel, Carl <[email protected]> wrote:
> >> >> We have been seeing an uptick in SPAM containing PDF attachments. The
> >> >> PDFs are composed of a full-page image that, when moused-over, points
> >> >> to a malicious web site. We have tried to use Transport Rules to
> >> >> block these based on the moused-over URL but Exchange seems unable to
> >> >> properly detect these embedded URLs. We are able to use Transport
> >> >> Rules to block PDFs with plain text so we know that the server is
> >> >> inspecting them properly.
> >> >>
> >> >> Any ideas on how to battle these pesky messages?
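As an added illustration that is not part of the original thread: a triage helper for quarantined PDFs that lists the targets of `/URI` link actions, both in the clear and inside Flate-compressed streams, where a plain byte search does not see them. The function names, the sample fragment and the `example.test` URLs are constructed for this example; whether compression is the reason a particular filter misses such links is an assumption, not something the thread establishes.

```python
import re
import zlib

# /URI action target, as a literal string "(...)" or a hex string "<...>".
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def _uris_in(blob):
    for lit, hexstr in URI_RE.findall(blob):
        if lit:  # undo PDF backslash escapes such as \( and \)
            yield re.sub(rb"\\(.)", rb"\1", lit, flags=re.S).decode("latin-1")
        elif hexstr.strip():
            digits = b"".join(hexstr.split())
            digits += b"0" * (len(digits) % 2)  # odd length: PDF pads with 0
            yield bytes.fromhex(digits.decode()).decode("latin-1")


def extract_uris(pdf):
    """Return every /URI target found in the raw bytes or in an inflated stream."""
    found = set(_uris_in(pdf))
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the EOL bytes left before "endstream"
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (image filter, encrypted, ...)
        found.update(_uris_in(inflated))
    return sorted(found)


def build_sample():
    """Constructed PDF fragment (not a complete file): one link in the clear,
    two inside a Flate-compressed stream."""
    hidden = (b"<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
              b"/A << /S /URI /URI (http://hidden.example.test/login) >> >>\n"
              b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI <"
              + b"http://hex.example.test/".hex().encode() + b"> >> >>")
    z = zlib.compress(hidden)
    head = (b"%PDF-1.5\n4 0 obj\n<< /Type /Annot /Subtype /Link "
            b"/A << /S /URI /URI (http://plain.example.test/\\(x\\)) >> >>\nendobj\n"
            b"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length ")
    return (head + str(len(z)).encode() + b" >>\nstream\n" + z
            + b"\nendstream\nendobj\n%%EOF\n")
```

Streams that use other filters or encryption are skipped, so an empty result is not proof that a file has no links.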
