

In both cases, we never found any sort of payload other than the possibility of the script being run, so this appears to be an effort to harvest email addresses. The script also seems to prevent Sent copies from being created. The rule doesn't appear in the local copy of Outlook.

I ran into this a couple of times over the last six months, and this is what I found. I'm sure it could be different for others; I thought I would share my experiences in case it helps anyone.

A malicious email was opened, and a link is clicked which prompts the user to enter O365 credentials to retrieve a document.

After the credentials are provided, the document is unable to be downloaded/opened (not sure which, and I don't have access to my sandbox right now to check). At that point either a script is run or a person manually creates a rule on the O365 portal to deliver replies to the RSS Feeds folder (the more recent version of this was much more sloppy and had ALL incoming mail delivering to RSS).

I can't find further details about the PUM. Can anyone offer insights? The only thing I can think of that changed in the past 24 hours was an update to Google Chrome and an update to Steam.

Microsoft Windows Malicious Software Removal Tool Finished On Wed May 15 08:34:39 2019
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 10 08:21:07 2019

So, the scans most certainly still take place. However, if I look in the MRT log (C:\Windows\debug\mrt.log), I can see that scans did in fact still take place both in April and May. Running a Malwarebytes scan today gave me the two new PUM messages above, which confirms the O&O Shutup10 setting is definitely active. I am able to confirm this as I use O&O Shutup10 and turned on the option "Reporting of malware infection information disabled" last year.

, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\MRT|DONTREPORTINFECTIONINFORMATION, No Action By User,, ,6
, HKLM\SOFTWARE\POLICIES\MICROSOFT\MRT|DONTREPORTINFECTIONINFORMATION, No Action By User,, ,6

Hence Malwarebytes reporting "DONTREPORTINFECTIONINFORMATION", which in itself infers that it is only the reporting that is disabled. Only the telemetry reporting of the scan results to Microsoft is disabled. In fact, I can confirm that the MRT scans do still run each month. I would like to add that the two Malwarebytes PUM warnings do NOT mean that MRT scans are disabled.
