SOLVED

Threat Explorer: ATT0000x.htm Attachments / VBS/Jenxcus!lnk Malware / what is happening here?


So I'm taking a closer look at the new security center and noticed the following issue repeating.

  • User receives email with attachments (in this case 2 PDFs) - all is good - the attachments are clean
  • [Image 7.png]
  • User then forwards the message from his/her smartphone with iOS Apple Mail to other internal recipients.
    • we all know that Exchange sometimes creates those additional pesky ATT000X.htm attachments (for whatever reason) when not using Outlook.
  • It's those .htm attachments that the Office 365 Threat Explorer marks as Malware

[Image 6.png]

So, what am I to do with this information? I'm pretty (or hope?) sure that Exchange does not create attachments and fill them with malware just to scan them again with ATP and remove them.
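As an added example, not part of the original post: a small Python triage script that walks a forwarded message's MIME parts, hashes each attachment and flags the ATT0000x.htm wrapper parts, so an admin can confirm that only the generated wrapper, not the real PDFs, carries the hash that Threat Explorer reported before submitting it as a false positive. The sample message, the filenames and the ATT name pattern are constructed assumptions.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Wrapper attachments generated on forward look like ATT00001.htm or ATT00002.txt;
# the pattern below is an assumption based on the names seen in this thread.
ATT_WRAPPER = re.compile(r"^ATT\d{3,5}\.(htm|html|txt)$", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an attachment body; a hash-based verdict keys on this value."""
    return hashlib.sha256(data).hexdigest()


def build_sample_message() -> bytes:
    """Constructed sample: a forward carrying two PDFs plus one ATT00001.htm wrapper."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "colleague@example.com"
    msg["Subject"] = "Fwd: invoices"
    msg.set_content("Forwarded from my iPhone")
    msg.add_attachment(b"%PDF-1.4 sample one", maintype="application", subtype="pdf", filename="invoice1.pdf")
    msg.add_attachment(b"%PDF-1.4 sample two", maintype="application", subtype="pdf", filename="invoice2.pdf")
    msg.add_attachment(b"<html><body>Sent from my iPhone</body></html>",
                       maintype="text", subtype="html", filename="ATT00001.htm")
    return msg.as_bytes()


def triage_attachments(raw: bytes) -> list:
    """Describe every attachment part: name, type, size, hash, and whether it is a wrapper."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    rows = []
    for part in msg.iter_attachments():  # skips the text body, yields real attachments
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""  # decoded bytes, not the base64 text
        rows.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(body),
            "sha256": sha256_hex(body),
            "wrapper": bool(ATT_WRAPPER.match(name)),
        })
    return rows


def wrapper_hashes(rows: list) -> dict:
    """Filename -> sha256 for wrapper parts only: compare these with the hash Threat Explorer flagged."""
    return {r["filename"]: r["sha256"] for r in rows if r["wrapper"]}
```

If the flagged hash matches a wrapper entry and none of the real attachments, the detection is on the generated .htm file and the message's actual content was not the trigger.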


Well, the question is do you trust Apple/the Mail app? :)

Open a case to report this I guess, or use one of the methods mentioned in this FAQ to submit it as false positive: https://technet.microsoft.com/en-us/library/mt789012(v=exchg.150).aspx

So you would agree it is a false positive :p ?

best response confirmed by Vasil Michev (MVP)
Solution
Ivan, thanks for pointing this out to us. What happened was that one of our anti-malware engines had a false positive verdict on a few instances of this file. Not knowing it was a false positive, an automated process added the file hash for that attachment to our "possible malware" list and that's why the messages are showing up as both "Delivered" and "malware". We started fixing up most of the environment in North America last week but we're still working on marking this file as clean so that it appears "good" for all future instances.

Dear @Phil Newman (OFFICE 365)

thanks for the information. The issue was "fixed" for a few days, though it popped up again, this time under the threat family "ALisp/Bursted.BL". Again only ATT****.htm files, not the actual attachments themselves.