Subj : another one phishing for a bite
To   : mark lewis
From : August Abolins
Date : Tue Mar 31 2020 08:33 pm

Hello mark!

** 31.03.20 - 18:30, mark lewis wrote to August Abolins:

 AA>>>> (but I obscured a few things here with #### so no one inadvertently
 AA>>>> clicks on a link):

 ml>>>just change http to hxxp or similar ;)

 AA>> Six or one half dozen of the other.  :)

 ml>not really because now others of us cannot look up that information and
 ml>set blocks or filters in our IDS/IPS ;)

Oh..  I see.  Good point.  But couldn't http://march262020.* work in a  
filter?

But, FYI, replace "####" with "club".   No point keeping it a secret if  
the goal is to help protect others.

BTW, although it is far easier to just drop the phishing email/attachment  
with the delete key, we can parse the file, extract the clear-text and  
share the http:// strings found therein.

Obviously, the macro in the original .xls file relied on Excel functions  
to run a macro to fetch a bot from a website and launch the payload.


  ../|ug

--- OpenXP 5.0.43
 * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)

.