Schadenfreude is one of my favorite pastimes...

Kurt

On Sun, Oct 8, 2017 at 8:35 PM, Andrew S. Baker <[email protected]> wrote:
> Most won't understand that until it happens to them. Until then, it's
> someone else's problem...
>
> On Oct 7, 2017 7:12 PM, "Kurt Buff" <[email protected]> wrote:
>>
>> Yep.
>>
>> They need to understand what it costs to have Brian Krebs call and
>> interview them about their impressive shiny new breach.
>>
>> Kurt
>>
>> On Sat, Oct 7, 2017 at 3:43 PM, Richard Stovall <[email protected]> wrote:
>> > Massive potential pushback from mgmt on manual review. Just sayin'.
>> >
>> > On Fri, Oct 6, 2017 at 11:51 AM, Kurt Buff <[email protected]> wrote:
>> >>
>> >> Quarantine all PDFs for the time being, and manually review.
>> >>
>> >> Implement strict SPF checking - reject any that fail.
>> >>
>> >> Investigate implementing DMARC.
>> >>
>> >> Kurt
>> >>
>> >> On Fri, Oct 6, 2017 at 7:00 AM, Rimmel, Carl <[email protected]> wrote:
>> >> > Yes, we use Proofpoint. It has done a great job and will quarantine
>> >> > these messages once they get classified. We are dealing with very
>> >> > targeted zero-day type PHISHing (our last round were messages
>> >> > composed to look like they were sent by our CEO - with his
>> >> > signature and inline photo). The payload was an attached PDF with
>> >> > the image having an embedded malicious URL.
>> >> >
>> >> > -----Original Message-----
>> >> > From: [email protected]
>> >> > [mailto:[email protected]] On Behalf Of Kurt Buff
>> >> > Sent: Thursday, October 05, 2017 11:18 AM
>> >> > To: [email protected]
>> >> > Subject: Re: [Exchange] PDF Spam
>> >> >
>> >> > No external spam filter? With quarantine?
>> >> >
>> >> > Kurt
>> >> >
>> >> > On Thu, Oct 5, 2017 at 7:55 AM, Rimmel, Carl <[email protected]>
>> >> > wrote:
>> >> >> We have been seeing an uptick in SPAM containing PDF attachments.
>> >> >> The PDFs are composed of a full-page image that, when moused-over,
>> >> >> points to a malicious web site. We have tried to use Transport
>> >> >> Rules to block these based on the moused-over URL but Exchange
>> >> >> seems unable to properly detect these embedded URLs. We are able
>> >> >> to use Transport Rules to block PDFs with plain text so we know
>> >> >> that the server is inspecting them properly.
>> >> >>
>> >> >> Any ideas on how to battle these pesky messages?
>> >> >
>> >> > ________________________________
>> >> >
>> >> > CONFIDENTIALITY NOTICE: This email contains information from the
>> >> > sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or
>> >> > otherwise protected from disclosure. This email is intended for use
>> >> > only by the person or entity to whom it is addressed. If you are
>> >> > not the intended recipient, any use, disclosure, copying,
>> >> > distribution, printing, or any action taken in reliance on the
>> >> > contents of this email, is strictly prohibited. If you received
>> >> > this email in error, please contact the sending party by reply
>> >> > email, delete the email from your computer system and shred any
>> >> > paper copies.
>> >> >
>> >> > Note to Patients: There are a number of risks you should consider
>> >> > before using e-mail to communicate with us. See our Privacy &
>> >> > Security page on www.henryford.com for more detailed information as
>> >> > well as information concerning MyChart, our new patient portal. If
>> >> > you do not believe that our policy gives you the privacy and
>> >> > security protection you need, do not send e-mail or Internet
>> >> > communications to us.
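
A gateway-side check for the links this thread describes, added here as an example (it is not from the thread, Exchange or Proofpoint): in a PDF, a clickable region is a link annotation whose target is a /URI action, and the annotation may be stored inside a Flate-compressed object stream rather than as visible text. The function names, sample bytes and hosts below are constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlsplit

# /URI action target as a PDF literal string "(...)" or hex string "<...>".
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def extract_link_uris(pdf_bytes):
    """Return URI action targets from the raw file and from Flate streams."""
    regions = [pdf_bytes]
    for m in STREAM.finditer(pdf_bytes):
        try:
            # decompressobj ignores the end-of-line bytes left after the data
            regions.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # stream uses another filter, e.g. the JPEG page image
    uris = []
    for region in regions:
        for m in URI_LITERAL.finditer(region):
            # undo the backslash escapes for parentheses and backslash
            uris.append(re.sub(rb"\\([()\\])", rb"\1", m.group(1)))
        for m in URI_HEX.finditer(region):
            digits = b"".join(m.group(1).split())
            uris.append(bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode()))
    return list(dict.fromkeys(u.decode("latin-1") for u in uris))


def unexpected_links(pdf_bytes, allowed_hosts):
    """Links whose host is not allow-listed; any hit is a reason to quarantine."""
    return [u for u in extract_link_uris(pdf_bytes)
            if (urlsplit(u).hostname or "").lower() not in allowed_hosts]


# Constructed samples: a full-page link annotation, stored uncompressed and
# inside a Flate-compressed object stream (PDF 1.5+). Hosts are placeholders.
ANNOT = (b"<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
         b"/A << /S /URI /URI (http://login.example.invalid/a\\(1\\)) >> >>")
SAMPLE_PLAIN = b"%PDF-1.4\n5 0 obj\n" + ANNOT + b"\nendobj\n%%EOF\n"
SAMPLE_PACKED = (b"%PDF-1.5\n7 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\n"
                 b"stream\n" + zlib.compress(b"5 0 " + ANNOT) + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for name, sample in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(name, unexpected_links(sample, {"www.example.com"}))
```

Encrypted PDFs, streams using filters other than Flate, and unescaped nested parentheses inside the URI string are not handled by this sketch.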
