https://community.checkpoint.com/t5/Firewall-and-Security-Management/Quick-and-Dirty-Alert/m-p/40992#M13546 <HTML><HEAD></HEAD><BODY><P>Sample this morning came with two word documents. AV Blade caught the emails.&nbsp;Does Emotet usually send two attachments?</P></BODY></HTML> Thu, 08 Nov 2018 14:02:49 GMT Ryan_St__Germai 2018-11-08T14:02:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Quick-and-Dirty-Alert/m-p/40989#M13543 <HTML><HEAD></HEAD><BODY><P>We are witnessing a surge in weaponized Microsoft documents containing a macro.</P><P>This campaign has very low detection by signature based solutions. It uses advanced social engineering techniques designed to make the user open the document and enable the macro. As you can see in the screen shots these are similar but more graphically adapt to the notorious <A href="https://blog.checkpoint.com/2016/03/02/locky-ransomware/">locky campaign</A>&nbsp;of 2016.</P><P></P><P></P><P><IMG __jive_id="73307" class="image-1 jive-image" height="436" src="https://community.checkpoint.com/legacyfs/online/checkpoint/73307_pastedImage_2.png" width="672" /><IMG __jive_id="73310" class="jive-image image-4" height="439" src="https://community.checkpoint.com/legacyfs/online/checkpoint/73310_pastedImage_5.png" width="653" /></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Screen shot of documents cleaned by Threat Extraction.</P><P></P><P>The last couple of days show a ten fold increase in the malicious files.</P><P><IMG __jive_id="73309" class="image-3 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/73309_pastedImage_4.png" /></P><P>The surge as seen in numbers in the last week.&nbsp;</P><P></P><P>SandBlast Threat Extraction cleans the macro from the document at zero time.</P><P>SandBlast prevents the download of the original file by three zero day engines: Macro Analyzer, CPU level detection on crash and the emulator by its malicious process activity.</P><P></P><P>I'll update when there is more data.</P><P></P><P>Thanks,</P><P>Gadi</P></BODY></HTML> Wed, 07 Nov 2018 11:32:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Quick-and-Dirty-Alert/m-p/40989#M13543 Gad_Naveh 2018-11-07T11:32:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Quick-and-Dirty-Alert/m-p/40990#M13544 <HTML><HEAD></HEAD><BODY><P>Gad,</P><P>Can you tell if the TX is necessary for this protection to work or if TE will be able to catch it?</P></BODY></HTML> Wed, 07 Nov 2018 13:44:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Quick-and-Dirty-Alert/m-p/40990#M13544 Vladimir 2018-11-07T13:44:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Quick-and-Dirty-Alert/m-p/40991#M13545 <HTML><HEAD></HEAD><BODY><P>Hi Vladimir,</P><P>Yes, TE is able to catch it and prevent it.</P><P>I'll upload a report</P></BODY></HTML> Wed, 07 Nov 2018 14:11:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Quick-and-Dirty-Alert/m-p/40991#M13545 Gad_Naveh 2018-11-07T14:11:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Quick-and-Dirty-Alert/m-p/40992#M13546 <HTML><HEAD></HEAD><BODY><P>Sample this morning came with two word documents. AV Blade caught the emails.&nbsp;Does Emotet usually send two attachments?</P></BODY></HTML> Thu, 08 Nov 2018 14:02:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Quick-and-Dirty-Alert/m-p/40992#M13546 Ryan_St__Germai 2018-11-08T14:02:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Quick-and-Dirty-Alert/m-p/40993#M13547 <HTML><HEAD></HEAD><BODY><P>Not that I am aware of, please do share</P></BODY></HTML> Thu, 08 Nov 2018 14:32:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Quick-and-Dirty-Alert/m-p/40993#M13547 Gad_Naveh 2018-11-08T14:32:16Z