On 06/08/2018 03:17 PM, Alex wrote:
Hi,

Received this one today that was delivered to about 25 recipients,
lacked a To header, routed through outlook.com and contained a link to
a Google Drive doc that's still active.

https://pastebin.com/y1k0LtM1

It was done under the pretense of a ShareFile attachment.

Is a plugin necessary to tag on when the Subject matches content in the From?

I've created some body rules, and tweaked my existing outlook.com
rules, but I thought everyone should see this, and thought others
might have additional ideas for blocking...



Content analysis details:   (5.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 2.2 MISSING_HEADERS        Missing To: header
 0.0 T_KAM_HTML_FONT_INVALID BODY: Test for Invalidly Named or Formatted
                            Colors in HTML
-3.2 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                            background
 1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.2 ENA_NOT_DKIM_VALID_AU  DKIM signed and valid but not from the
                            originating author
 1.2 KAM_SHORT              Use of a URL Shortener for very short URL
 0.2 ENA_NO_TO_CC           No To: or Cc: so it must have been completely Bcc'd
 0.2 ENA_FREEMAIL           No description available.
 2.2 ENA_DIGEST_FREEMAIL    Freemail account hitting message digest spam seen
                            by the Internet (DCC, Pyzor, or Razor).


Reminder that I treat all senders on Office 365 as FREEMAIL (commonly abused senders), which gets penalized with meta rules to amplify many scores. If something comes from Office 365 with no To: or Cc: header and a URL shortener, that should be very suspicious. I need to add another meta rule that combines ENA_FREEMAIL and KAM_SHORT to add a couple more points.

--
David Jones
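One way to write the meta rule David mentions, as an added example that is not from the post or from David's real configuration; it assumes the rule names ENA_FREEMAIL, KAM_SHORT and ENA_NO_TO_CC exist as they appear in the report above, and the new rule names and scores are constructed for illustration:

```conf
# Added example for local.cf, not David Jones's actual rules. Assumes
# ENA_FREEMAIL, KAM_SHORT and ENA_NO_TO_CC are already defined as in the
# report; ENA_FREEMAIL_SHORT* names and the scores below are constructed.

# Freemail-class (Office 365) sender plus a URL shortener. A meta rule only
# adds its own score; the input rules keep theirs, so this stacks on top.
meta      ENA_FREEMAIL_SHORT      (ENA_FREEMAIL && KAM_SHORT)
describe  ENA_FREEMAIL_SHORT      Freemail-class sender using a URL shortener
score     ENA_FREEMAIL_SHORT      1.5

# Same combination, but also fully Bcc'd (no To: or Cc:), which is the exact
# pattern in the sample. Stacks with ENA_FREEMAIL_SHORT rather than replacing it.
meta      ENA_FREEMAIL_SHORT_BCC  (ENA_FREEMAIL && KAM_SHORT && ENA_NO_TO_CC)
describe  ENA_FREEMAIL_SHORT_BCC  Freemail sender, URL shortener, and no To:/Cc:
score     ENA_FREEMAIL_SHORT_BCC  1.0
```

Check the syntax with `spamassassin --lint`, then rescore the saved sample with `spamassassin -t < sample.eml` to confirm both new rules fire; on the report above they would lift the 5.8 total to 8.3.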
