Re: [clamav-users] Be wary of emails with attachments targeting clamav-users list members

2023-03-22 Thread Al Varnell via clamav-users
Just a note that in my experience, e-mail phishing detection is routinely 
disabled, perhaps because of excessive false positives, but also because 
signature maintenance appears to be a low priority.

Sent from my iPad

-Al-

On Mar 22, 2023, at 10:44, newcomer01 via clamav-users wrote:
> Hi Paul,
> 
> yes, submit all files. Maybe ClamAV needs different Phishing-Sigs for each 
> file or something ...
> For my submitted file, ClamAV currently does not warn ...
> 
> kind greetings
> Marc
> 
> 
> From: Clamav User Mailinglist
> To: Newcomer01
> CC: Paul Kosinski
> Sent: Wednesday, March 22, 2023 at 06:35 PM +0100
> Subject: Re: [clamav-users] Be wary of emails with attachments 
> targeting clamav-users list members
>> I have just started getting these claiming to be relevant to ClamAV, but I 
>> have *also* been receiving this sort of thing claiming to be from the 
>> Firefox ESR list for months now.
>> 
>> I am posting (one of) the HTMLs "about" ClamAV to 
>> https://www.clamav.net/reports/malware. Should I also post (one of) the 
>> Firefox phishes? (In fact, I have several of each, but it quickly gets 
>> tedious.)
>> 
>> 
>> 
>>> On Wed, 22 Mar 2023 16:48:32 +
>>> "Micah Snyder \(micasnyd\) via clamav-users" 
>>>  wrote:
>>> 
>>> All,
>>> 
>>> Some users have reported receiving emails that appear to be a reply to a 
>>> clamav-users mailing list thread but are in fact a phishing attempt and 
>>> have attached malware.
>>> 
>>> Most recently, Marc reported receiving an email that appeared to be a reply 
>>> to an older clamav-users mailing list thread but was in fact a direct email 
>>> targeting him.  It had this fairly generic phishing text:
>>> 
>>> "Would you please look through the last agreement? I have attached some 
>>> extra details about it."
>>> 
>>> The attached file was some small HTML file containing malicious obfuscated 
>>> javascript.
>>> 
>>> This isn't the first time we've heard of this type of phishing using our 
>>> mailing list archives. Please be careful when you see any sort of 
>>> attachment, even if it appears to be from this community.
>>> 
>>> If you receive this sort of phishing email, please report the attached HTML 
>>> file to https://www.clamav.net/reports/malware
>>> 
>>> Regards,
>>> Micah
>>> 
>>> 
>>> 
>>> Micah Snyder
>>> ClamAV Development
>>> Talos
>>> Cisco Systems, Inc.
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
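
Added example, not part of any post in this thread and not ClamAV code: a triage check for the pattern the announcement describes, a message that carries the list's subject tag but arrived as a direct email with an HTML attachment containing script. It assumes that mail relayed by the list has a List-Id header naming clamav-users; the obfuscation regex and the sample message are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

LIST_TAG = "[clamav-users]"    # subject tag used by the list in this thread
LIST_ID_HINT = "clamav-users"  # assumption: relayed list mail names the list in List-Id
# Illustrative obfuscation markers only; these are not ClamAV signatures.
OBFUSCATION = re.compile(rb"eval\s*\(|unescape\s*\(|atob\s*\(|fromCharCode|[A-Za-z0-9+/=]{200,}")

def triage(raw: bytes) -> dict:
    """Flag a message that claims list origin, bypassed the list, and carries scripted HTML."""
    msg = message_from_bytes(raw, policy=policy.default)
    claims_list = LIST_TAG in str(msg.get("Subject", ""))
    via_list = LIST_ID_HINT in str(msg.get("List-Id", ""))
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": name,
            "sha256": hashlib.sha256(body).hexdigest(),  # for tracking a submission
            "has_script": b"<script" in body.lower(),
            "obfuscation_markers": bool(OBFUSCATION.search(body)),
        })
    direct_fake_reply = claims_list and not via_list
    return {
        "direct_fake_reply": direct_fake_reply,
        "html_attachments": attachments,
        "suspicious": direct_fake_reply and any(a["has_script"] for a in attachments),
    }

def build_sample(via_list: bool) -> bytes:
    """Constructed test message; addresses, subject and attachment body are made up."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["Subject"] = "Re: [clamav-users] an older thread"
    if via_list:
        m["List-Id"] = "<clamav-users.example.invalid>"
    m.set_content("Would you please look through the last agreement?")
    m.add_attachment("<html><script>eval(unescape('%61'))</script></html>",
                     subtype="html", filename="agreement.html")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(via_list=False)))
```

A sender can forge a List-Id header, so a message that passes this check has only failed to show one signal; it is not proof of list origin.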


Re: [clamav-users] Be wary of emails with attachments targeting clamav-users list members

2023-03-22 Thread Steve Basford via clamav-users


> The attached file was some small HTML file containing malicious obfuscated 
> javascript.


Just to note that at my workplace 1 user received a similar email, using 
older email threads to make it look convincing and with a single HTML 
attachment.

0/55 AVs so far, 6 hours after submitting.

In case this helps...

https://www.virustotal.com/gui/file/8cb4b28d9c452dfa77e8a061791158bb851681550c889e579a0acc4cb0ff2c86

Cheers,

Steve
Twitter: @sanesecurity
https://fosstodon.org/@sanesecurity
Sanesecurity.com


Re: [clamav-users] Be wary of emails with attachments targeting clamav-users list members

2023-03-22 Thread newcomer01 via clamav-users

Hi Paul,

yes, submit all files. Maybe ClamAV needs different Phishing-Sigs for each file 
or something ...
For my submitted file, ClamAV currently does not warn ...

kind greetings
Marc


From: Clamav User Mailinglist
To: Newcomer01
CC: Paul Kosinski
Sent: Wednesday, March 22, 2023 at 06:35 PM +0100
Subject: Re: [clamav-users] Be wary of emails with attachments 
targeting clamav-users list members

> I have just started getting these claiming to be relevant to ClamAV, but I have 
> *also* been receiving this sort of thing claiming to be from the Firefox ESR 
> list for months now.
> 
> I am posting (one of) the HTMLs "about" ClamAV to 
> https://www.clamav.net/reports/malware. Should I also post (one of) the Firefox 
> phishes? (In fact, I have several of each, but it quickly gets tedious.)
> 
> On Wed, 22 Mar 2023 16:48:32 +
> "Micah Snyder \(micasnyd\) via clamav-users" wrote:
> 
>> All,
>> 
>> Some users have reported receiving emails that appear to be a reply to a 
>> clamav-users mailing list thread but are in fact a phishing attempt and 
>> have attached malware.
>> 
>> Most recently, Marc reported receiving an email that appeared to be a reply to 
>> an older clamav-users mailing list thread but was in fact a direct email 
>> targeting him.  It had this fairly generic phishing text:
>> 
>> "Would you please look through the last agreement? I have attached some extra 
>> details about it."
>> 
>> The attached file was some small HTML file containing malicious obfuscated 
>> javascript.
>> 
>> This isn't the first time we've heard of this type of phishing using our 
>> mailing list archives. Please be careful when you see any sort of attachment, 
>> even if it appears to be from this community.
>> 
>> If you receive this sort of phishing email, please report the attached HTML 
>> file to https://www.clamav.net/reports/malware
>> 
>> Regards,
>> Micah
>> 
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.


Re: [clamav-users] Be wary of emails with attachments targeting clamav-users list members

2023-03-22 Thread Paul Kosinski via clamav-users
I have just started getting these claiming to be relevant to ClamAV, but I have 
*also* been receiving this sort of thing claiming to be from the Firefox ESR 
list for months now.

I am posting (one of) the HTMLs "about" ClamAV to 
https://www.clamav.net/reports/malware. Should I also post (one of) the Firefox 
phishes? (In fact, I have several of each, but it quickly gets tedious.)



On Wed, 22 Mar 2023 16:48:32 +
"Micah Snyder \(micasnyd\) via clamav-users"  
wrote:

> All,
> 
> Some users have reported receiving emails that appear to be a reply to a 
> clamav-users mailing list thread but are in fact a phishing attempt and 
> have attached malware.
> 
> Most recently, Marc reported receiving an email that appeared to be a reply 
> to an older clamav-users mailing list thread but was in fact a direct email 
> targeting him.  It had this fairly generic phishing text:
> 
> "Would you please look through the last agreement? I have attached some extra 
> details about it."
> 
> The attached file was some small HTML file containing malicious obfuscated 
> javascript.
> 
> This isn't the first time we've heard of this type of phishing using our 
> mailing list archives. Please be careful when you see any sort of attachment, 
> even if it appears to be from this community.
> 
> If you receive this sort of phishing email, please report the attached HTML 
> file to https://www.clamav.net/reports/malware
> 
> Regards,
> Micah
> 
> 
> 
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.