

New smart Dynamically generated phishing



#1 Xinet Solutions


Posted 11 June 2019 - 04:11 PM

Hello, we have detected several instances of spam that look exactly like legitimate email.
They don't contain a virus, and they seem to be generated by a script.

They look exactly like SAT emails (the Mexican IRS); the only giveaway is that they come from Brazil (but we can't just block a whole country, can we?)...
This is how it looks in the mail client.
This is the content:

Descargar todo como.zip  archivos adjuntos (98kb) <http://unbouncepages.com/training-template-26471027869253355/> 
11/06/2019 17:02:19
se anexa el seguiente comprobante fiscal digital
Remitente: Servicio de Administración Tributaria N-66816155.
Hemos identificado que tienes pendiente de presentar, al 11 de junio de 2019, lo siguiente:
SERIE Y FOLIO: _BME_2019_66816155_6681.

We can't block words like

se anexa el seguiente comprobante fiscal digital



because they mean

"Here is attached the following invoice"


and that is used by ALL the electronic invoice systems in Mexico.

The only words we figured we could block are


Descargar todo como.zip


(means download everything as zip)



We added that to the content filter. We have already started to see blocked phishing, with no false positives so far.


But please notice how MOST of the words are randomly generated, like the invoice number and date, and how the linked content is just a landing page form, so there is no virus in the link or attachment. I know this is terribly difficult to block for Barracuda or any filtering system for that matter.


So, any advice about the content filtering?

Thanks in advance.
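
Added example, not part of the original post: a Python sketch of a filter rule that keys on the fixed wording plus the link destination instead of the randomised fields, so the generic invoice sentence alone never triggers it. The trusted suffix `sat.gob.mx`, the rule names and the three sample bodies (with `.example` placeholder hosts) are assumptions made for this illustration.

```python
import re
from urllib.parse import urlparse

# Assumption (not from the post): genuine SAT links are hosted under sat.gob.mx.
TRUSTED_SUFFIXES = ("sat.gob.mx",)
# Fixed wording the post shows surviving the per-message randomisation.
BRAND = re.compile(r"servicio\s+de\s+administraci[oó]n\s+tributaria", re.I)
FAKE_ZIP = re.compile(r"descargar\s+todo\s+como\s*\.?\s*zip", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def link_hosts(body):
    """Return the lower-cased hostnames of every http(s) link in the body."""
    hosts = set()
    for url in URL.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts

def is_trusted(host):
    # Suffix match on a label boundary, so "sat.gob.mx.other.example" fails.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def score(body):
    """Return the list of rule names that fire for one message body."""
    offsite = sorted(h for h in link_hosts(body) if not is_trusted(h))
    reasons = []
    if offsite and BRAND.search(body):
        reasons.append("sat-brand-with-offsite-link:" + ",".join(offsite))
    if offsite and FAKE_ZIP.search(body):
        reasons.append("fake-zip-link")
    return reasons

# Constructed samples; hosts under .example are placeholders.
PHISH = ("Descargar todo como.zip  archivos adjuntos (98kb) "
         "<http://landing-page.example/training-template/>\n"
         "se anexa el seguiente comprobante fiscal digital\n"
         "Remitente: Servicio de Administración Tributaria N-00000000.\n")
INVOICE = ("Se anexa el siguiente comprobante fiscal digital.\n"
           "Emisor: Proveedor Ejemplo SA de CV\n"
           "https://facturas.proveedor.example/cfdi/123\n")
REAL_SAT = ("Servicio de Administración Tributaria\n"
            "Consulta tu buzón en https://www.sat.gob.mx/\n")

if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("invoice", INVOICE), ("sat", REAL_SAT)):
        print(name, score(body))
```
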