Subj : another one phishing for a bite
To   : mark lewis
From : August Abolins
Date : Tue Mar 31 2020 08:33 pm

Hello mark!

** 31.03.20 - 18:30, mark lewis wrote to August Abolins:

AA>>>> (but I obscured a few things here with #### so no one inadvertently
AA>>>> clicks on a link):

ml>>>just change http to hxxp or similar ;)

AA>> Six or one half dozen of the other.  :)

ml>not really because now others of us cannot look up that information and
ml>set blocks or filters in our IDS/IPS ;)

Oh..  I see.  Good point.  But couldn't http://march262020.* work in a
filter?

But, FYI, replace "####" with "club".   No point keeping it a secret if
the goal is to help protect others.

BTW, although it is far easier to just drop the phishing email/attachment
with the delete key, we can parse the file, extract the clear-text and
share the http:// strings found therein.

Obviously, the macro in the original .xls file relied on Excel functions
to run a macro to fetch a bot from a website and launch the payload.


 ../|ug

--- OpenXP 5.0.43
* Origin: /|ug's Point, Ont. CANADA (2:221/1.58)