Symantec has observed a large number of messages coming from william_scott@flexovitportal.com beginning around 12th June at 14:55 UTC. The attack is ongoing but current rules are blocking known variants.
Attack characteristics:
• Messages come from william_scott@flexovitportal.com
• Messages started at around 12th June 15:55 UTC
• Subject is “Please review your document Invoice [7 Digit #] for [RECIPIENT DOMAIN]”
• Links in the messages are malformed and unusable
• Unbroken links lead to a .doc file infected with W97M.Downloader; the final payload is Trojan.Snifula
Actions taken:
• Created URL hash filter
• Created URL regex filter
• Created header regex filters
• Added single-signature rules
• Created predictive heuristics
• Added AV detections
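As an added illustration (not Symantec's own filter rules), the following Python check encodes the sender and subject indicators listed above as a header filter and runs it over constructed sample messages; the recipient address and invoice number are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the advisory above.
KNOWN_SENDER = "william_scott@flexovitportal.com"
# Subject template: "Please review your document Invoice [7 Digit #] for [RECIPIENT DOMAIN]"
SUBJECT_RE = re.compile(
    r"^Please review your document Invoice (?P<invoice>\d{7}) "
    r"for (?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,})$"
)

def classify(raw_message: str) -> dict:
    """Apply the header rules to one RFC 822 message and return a verdict."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    # Collapse folded-header whitespace so the anchored regex still matches.
    subject = " ".join(msg.get("Subject", "").split())
    reasons = []
    if sender.lower() == KNOWN_SENDER:
        reasons.append("sender")
    match = SUBJECT_RE.match(subject)
    if match:
        reasons.append("subject")
        # The template embeds the recipient's own domain; confirm it agrees with To:.
        rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
        if match.group("domain").lower() == rcpt_domain:
            reasons.append("recipient_domain")
    # Either header indicator on its own is enough to block.
    return {"block": bool(reasons), "reasons": reasons}

# Constructed sample messages (headers only); addresses are placeholders.
SAMPLE_HIT = """From: William Scott <william_scott@flexovitportal.com>
To: finance@example.com
Subject: Please review your document Invoice 1234567 for example.com

Please open the attached document.
"""

SAMPLE_MISS = """From: accounts@example.org
To: finance@example.com
Subject: Invoice 1234567 attached

Hi, the invoice for last month is attached.
"""

if __name__ == "__main__":
    print(classify(SAMPLE_HIT))   # blocked: sender, subject, recipient_domain
    print(classify(SAMPLE_MISS))  # not blocked
```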
Recommendations: Any missed messages outside the stated time range should be submitted following the preferred process.