Below is the email I just got from my CFO after she tried to open the attachment -- I have macros blocked via group policy.
From: [email protected] <gcromwell@actualthirdparty.com>
Date: Wed, Feb 1, 2017 at 9:23 AM
Subject: FW: Re: invoice #31024244
To: [email protected]
my company just got this from ourcompany.org.
can you confirm this invoice was really issued by you?
Invoice #31024244 (This file had a link of
http://www.timeconsulting.co.th/api/get.php?id=base64string)
Thanks
George Cromwell
Senior Accountant
Tel: 443-261-6163
Fax: 443-261-5725
Anyway, having Office macros blocked in group policy saved us, as neither our Trend Micro AV nor Gmail had a problem. Also note that the wording of the email was good enough to get a higher-up end user to open the file. Just wanted to warn you guys out there.
The VirusTotal scan of the file is here: https://www.virustotal.com/en/file/...cfacd612c05618b576988a67acc7be9a145/analysis/