Forum Discussion
Threat Explorer: ATT0000x.htm Attachments / VBS/Jenxcus!lnk Malware / what is happening here?
So I'm taking a closer look at the new security center and noticed the following issue repeating.
- User receives email with attachments (in this case 2 PDFs) - all is good - the attachments are clean
- User then forwards the message from his/her smartphone with iOS Apple Mail to other internal recipients.
- We all know that Exchange sometimes creates those additional pesky ATT000X.htm attachments (for whatever reason) when not using Outlook.
- It's those .htm attachments that the Office 365 Threat Explorer marks as malware.
So, what am I to do with this information? I'm pretty sure (or hope?) that Exchange does not create attachments and fill them with malware just to scan them again with ATP and remove them.
5 Replies
- Phil Newman (OFFICE 365), Former Employee
Ivan, thanks for pointing this out to us. What happened was that one of our anti-malware engines had a false positive verdict on a few instances of this file. Not knowing it was a false positive, an automated process added the file hash for that attachment to our "possible malware" list and that's why the messages are showing up as both "Delivered" and "malware". We started fixing up most of the environment in North America last week but we're still working on marking this file as clean so that it appears "good" for all future instances.
- Ivan54, Bronze Contributor
Thanks for the information. The issue was "fixed" for a few days, though it popped up again, this time under the threat family "ALisp/Bursted.BL". Again only ATT****.htm files, not the actual attachments themselves.
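A way to check which part of such a forwarded message a hash-based verdict actually points at, as an added example that is not from this thread or from Microsoft: it constructs a sample forwarded message inline (two PDFs plus an ATT00001.htm placeholder, all constructed payloads), hashes every attachment with SHA-256, and reports whether a given set of flagged hashes covers only the auto-generated ATT0000x parts rather than the real attachments. The ATT-name pattern, the function names and the sample addresses are assumptions.

```python
"""Attachment triage for a forwarded message: list every attachment with its
SHA-256 so a defender can see whether a hash on a 'possible malware' list
belongs to the real attachments or only to an Exchange-generated ATT0000x part.

Added example, not from the thread or from Microsoft; all sample data below
is constructed for illustration.
"""
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Exchange placeholder attachments look like ATT00001.htm / ATT00002.txt.
# Assumed pattern: five digits, htm/html/txt extension, case-insensitive.
ATT_NAME = re.compile(r"^ATT\d{5}\.(?:htm|html|txt)$", re.IGNORECASE)

# Constructed sample payloads (not real documents).
PDF_ONE = b"%PDF-1.4 constructed sample one"
PDF_TWO = b"%PDF-1.4 constructed sample two"
ATT_HTM = b"<html><body>Forwarded message body</body></html>"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a decoded attachment body."""
    return hashlib.sha256(data).hexdigest()


def build_sample_message() -> bytes:
    """Construct a forwarded message with two clean PDFs plus an ATT00001.htm part."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"        # constructed address
    msg["To"] = "team@example.com"          # constructed address
    msg["Subject"] = "Fwd: invoices"
    msg.set_content("Forwarded from my iPhone")
    msg.add_attachment(PDF_ONE, maintype="application", subtype="pdf", filename="invoice1.pdf")
    msg.add_attachment(PDF_TWO, maintype="application", subtype="pdf", filename="invoice2.pdf")
    # The placeholder part a non-Outlook client forward can pick up in Exchange.
    msg.add_attachment(ATT_HTM, maintype="text", subtype="html", filename="ATT00001.htm")
    return msg.as_bytes()


def triage_attachments(raw: bytes) -> list:
    """Return one record per attachment: filename, content type, SHA-256 and
    whether the name matches the auto-generated ATT0000x pattern."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    records = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""   # decoded bytes, CTE removed
        records.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "sha256": sha256_hex(data),
            "auto_generated": bool(ATT_NAME.match(name)),
        })
    return records


def flagged_only_placeholders(records: list, flagged_hashes: set) -> bool:
    """True when every flagged hash found in the message belongs to an ATT0000x
    placeholder and none to a real attachment: the signature of the false
    positive described in the thread. False if nothing in the message is flagged."""
    flagged = [r for r in records if r["sha256"] in flagged_hashes]
    return bool(flagged) and all(r["auto_generated"] for r in flagged)


if __name__ == "__main__":
    recs = triage_attachments(build_sample_message())
    for r in recs:
        tag = "ATT placeholder" if r["auto_generated"] else "real attachment"
        print(f"{r['filename']:16} {r['content_type']:18} {r['sha256'][:16]}...  {tag}")
```

To use this on a real case, feed `triage_attachments` the raw `.eml` bytes of a flagged message and pass the hash reported by Threat Explorer to `flagged_only_placeholders`; a `True` result means the verdict sits on the generated .htm part alone, which is what you would cite when submitting it as a false positive.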
Thanks for the info Phil!
Well, the question is do you trust Apple/the Mail app? :)
Open a case to report this I guess, or use one of the methods mentioned in this FAQ to submit it as false positive: https://technet.microsoft.com/en-us/library/mt789012(v=exchg.150).aspx
- Ivan54, Bronze Contributor
So you would agree it is a false positive :P ?