cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Threat Explorer: ATT0000x.htm Attachments / VBS/Jenxcus!lnk Malware / what is happening here?

Ivan Unger
Bronze Contributor

‎Apr 25 2017 11:24 PM - last edited on ‎Feb 19 2021 04:47 AM by

‎Apr 25 2017 11:24 PM - last edited on ‎Feb 19 2021 04:47 AM by

Threat Explorer: ATT0000x.htm Attachments / VBS/Jenxcus!lnk Malware / what is happening here?

So I'm taking a closer look at the new security center and noticed the following issue repeating.

 

  • User receives email with attachments (in this case 2 PDFs) - all is good -  the attachments are clean
  • Image 7.png
  • User then forward the message from his/her Smartphone with iOS Apple Mail to other internal recipients.
    • we all know that Exchange sometimes creates those additional pesky ATT000X.htm attachments (for whatever reason) when not using Outlook.
  • It's those .htm attachments that the Office 365 Threat Explorer marks as Malware

 

Image 6.png

 

 

So, what I'm to do with this information? I'm pretty (or hope?) sure that Exchange does not create attachments and fills them with malware just to scan them again with ATP and remove them. 

Labels:
7,101 Views
0 Likes
5 Replies
Reply
5 Replies
Vasil Michev

‎Apr 26 2017 11:11 AM

‎Apr 26 2017 11:11 AM

Re: Threat Explorer: ATT0000x.htm Attachments / VBS/Jenxcus!lnk Malware / what is happening here?

Well, the question is do you trust Apple/the Mail app? :)

 

Open a case to report this I guess, or use one of the methods mentioned in this FAQ to submit it as false positive: https://technet.microsoft.com/en-us/library/mt789012(v=exchg.150).aspx

0 Likes
Reply
Ivan Unger

‎Apr 26 2017 10:05 PM

‎Apr 26 2017 10:05 PM

Re: Threat Explorer: ATT0000x.htm Attachments / VBS/Jenxcus!lnk Malware / what is happening here?

So you would agree it is a false positive :p ?

0 Likes
Reply
best response confirmed by VI_Migration (Silver Contributor)
Phil Newman (OFFICE 365)

‎May 04 2017 10:04 AM

‎May 04 2017 10:04 AM

Solution

Re: Threat Explorer: ATT0000x.htm Attachments / VBS/Jenxcus!lnk Malware / what is happening here?

Ivan, thanks for pointing this out to us. What happened was that one of our anti-malware engines had a false positive verdict on a few instances of this file. Not knowing it was a false positive, an automated process added the file hash for that attachment to our "possible malware" list and that's why the messages are showing up as both "Delivered " and "malware". We started fixing up most of the environment in North America last week but we're still working on marking this file as clean so that it appears "good" for all future instances.
2 Likes
Reply
Ivan Unger

‎May 14 2017 11:02 PM

‎May 14 2017 11:02 PM

Re: Threat Explorer: ATT0000x.htm Attachments / VBS/Jenxcus!lnk Malware / what is happening here?

Dear @Phil Newman (OFFICE 365)

 

thanks for the information. The issue was "fixed" for a few days, though it popped up again, this time under the threat family "ALisp/Bursted.BL". Again only ATT****.htm files, not the actual attachments itself.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by VI_Migration (Silver Contributor)
Phil Newman (OFFICE 365)

‎May 04 2017 10:04 AM

‎May 04 2017 10:04 AM

Solution

Re: Threat Explorer: ATT0000x.htm Attachments / VBS/Jenxcus!lnk Malware / what is happening here?

Ivan, thanks for pointing this out to us. What happened was that one of our anti-malware engines had a false positive verdict on a few instances of this file. Not knowing it was a false positive, an automated process added the file hash for that attachment to our "possible malware" list and that's why the messages are showing up as both "Delivered " and "malware". We started fixing up most of the environment in North America last week but we're still working on marking this file as clean so that it appears "good" for all future instances.

View solution in original post

2 Likes
Reply