Forwarded messages with "ATT000x.htm", same file hash - as Malware/Reputation


The past two weeks have shown a high number of emails filtered as malware/reputation that still got delivered to users' inboxes. Checked further and realized it's a result of a particular file hash common with FWD: messages (the "ATT0000.htm"). Guess this is a false positive from the Microsoft anti-malware engine, but how do we get rid of this or report this?

5 Replies

Hi @OlaOwolabi,

We have the same issue with forwarded messages.

All ATT000x.htm files are marked with the threat status Reputation.

This is a false positive, but I don't know how we can fix this.

Is there a way to fix this issue?

Hi @Roel_Wijnands

Thanks for the reply, thought it's only from our end.

I guess as much, it's a false positive.

Stumbled on a previous thread with a similar case that happened in 2017. See link below:

https://techcommunity.microsoft.com/t5/Security-Privacy-Compliance/Threat-Explorer-ATT0000x-htm-Atta...

I believe the fix will be from Microsoft, hopefully they are aware.

@OlaOwolabi We are having the same issue in May 2020 with attachments with the name ATT00003.htm getting blocked. The hash does not match any malware on VirusTotal. Did this get resolved for you?

For any cases of false-positive detection, you may report it here:
https://www.microsoft.com/en-us/wdsi/filesubmission

Hi @itsgautam,

Sorry the response took a bit of time. The file (and hash) back then was filtered by MS anti-malware engines and was reported a few times via MS SCC as legitimate until it faded off. Stumbled on this latest one as well, observed for a while and hoping someone will report as false negative which may have happened, for I did not see notifications of such anymore.

Hope this helps.