Banking Trojan Emotet: Optimising Protection with NoSpamProxy
A new wave of spam and malware emails is currently hitting IT systems around the world. Since early November 2018, fake invoices, bank account warnings and other forged documents carrying the banking trojan Emotet have been distributed in large numbers.
Malware Hides in Word and PDF Files
The documents arrive as attachments to convincingly forged phishing emails. Once the attached Word or PDF file is opened, the recipient is prompted to enable Word macros or to click a link inside the PDF; doing so installs and activates Emotet on the recipient's computer.
We strongly advise against opening unchecked attachments in emails even if the email looks authentic at first glance. In this context, we would like to draw your attention to some of the features in NoSpamProxy and give you some tips on how you can further improve your protection against the current spam and virus attacks.
Content Disarm and Reconstruction (CDR)
CDR is included in NoSpamProxy Protection. CDR converts Microsoft Word and Excel files into harmless PDF files and strips all active content, such as macros, in the process. The resulting PDF can then be opened safely; the original file is either left attached to the email or removed. Note that an original left attached can still be opened by the user, so removing it is the safer choice.
In conjunction with NoSpamProxy Large Files, it is also possible to place the original file on the Web Portal and lock it there. Please note that we currently recommend this even for trusted partners.
CDR is activated in the NoSpamProxy content filters. A training video on the content filters can be found at https://www.nospamproxy.de/de/support/trainingsvideos/
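To make concrete which "active content" a CDR step has to remove from an Office attachment, the following is an added example (not NoSpamProxy code): it inspects an OOXML package (docx/docm/xlsx/xlsm) for the VBA project part and rebuilds the package without it. The sample package is constructed in-memory and only contains the parts the check looks at; the part names and the `application/vnd.ms-office.vbaProject` content type are the ones Office uses, while the crude "strip" is illustrative and does not re-render the document the way a real CDR engine does.

```python
import io
import re
import zipfile
from typing import List

# Standard locations of the VBA storage inside an Office Open XML package.
VBA_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_active_content(data: bytes) -> List[str]:
    """Return the names of VBA parts found in an OOXML package.

    Legacy binary formats (.doc/.xls) are not zip files; they are reported as
    undecidable via ValueError rather than silently treated as clean.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise ValueError("not an OOXML package; legacy binary formats need a different check")
    names = set(zf.namelist())
    found = [n for n in VBA_PART_NAMES if n in names]
    # Also catch a vbaProject part declared under a non-default path: the
    # content-types manifest has to advertise it for Office to load it.
    manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
    if MACRO_CONTENT_TYPE in manifest:
        for n in names:
            if n.endswith("vbaProject.bin") and n not in found:
                found.append(n)
    return found


def strip_vba(data: bytes) -> bytes:
    """Rebuild the package without its VBA parts and without the manifest and
    relationship entries that point at them (illustrative disarm only)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if name.endswith("vbaProject.bin") or name.endswith("vbaData.xml"):
                continue  # the macro storage itself
            payload = src.read(name)
            if name == "[Content_Types].xml" or name.endswith(".rels"):
                text = payload.decode("utf-8", "replace")
                # Drop <Override .../> and <Relationship .../> elements that reference the VBA part.
                text = re.sub(r"<(?:Override|Relationship)\b[^>]*vbaProject[^>]*/>", "", text)
                payload = text.encode("utf-8")
            dst.writestr(name, payload)
    return out.getvalue()


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed minimal package for this example (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ['<Override PartName="/word/document.xml" '
                     'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>']
        rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>']
        if with_macro:
            overrides.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % MACRO_CONTENT_TYPE)
            rels.append('<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>')
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE stream")
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        zf.writestr("word/_rels/document.xml.rels", "<Relationships>" + "".join(rels) + "</Relationships>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_package(with_macro=True)
    print("before:", find_active_content(sample))
    print("after: ", find_active_content(strip_vba(sample)))
```

Running it prints the VBA part found in the constructed package and an empty list after stripping. A detection like this is a useful sanity check on what arrives at the gateway, but it is no substitute for CDR: it only covers the OOXML container, and a document can still carry OLE objects, DDE fields or external links that a conversion to PDF also neutralises.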
File-based virus scanner
To improve virus detection, you can add the File-based virus scanner action in each rule, provided that an additional local virus scanner is available on the servers running the gateway role.
Please read the following article in our Knowledge Base: https://www.nospamproxy.de/de/knowledge-base/konfiguration-installierter-on-access-virenscanner/
Level of Trust
It is also possible to change the global behaviour of the Level of Trust filter in NoSpamProxy. This lets you adapt how known and trusted communication partners are recognised to the current situation. By default, the filter evaluates both the Envelope-FROM and the Header-FROM. This can lead to unwanted acceptance of emails in which the two addresses differ: a message whose Header-FROM shows a trusted partner but whose Envelope-FROM belongs to someone else can inherit that partner's trust.
To change the way the filter works, go to Configuration > Advanced Settings > Level of Trust configuration in the NoSpamProxy console. On the General tab, change the option for Sender address evaluation from Envelope and Header-From addresses (recommended) to Envelope address only.
Please note that this can increase the number of rejected emails. Legitimate mail in which the two addresses differ, such as newsletters sent from a separate bounce address, may then be rejected as well. Since the adjustment improves the defence against the emails currently being sent, the setting should nevertheless be considered.
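The trade-off between the two evaluation modes, as an added example that is not NoSpamProxy code: a small trust check is run over three constructed messages, a genuine partner message, a spoofed one whose Header-FROM shows the partner while the Envelope-FROM is an attacker's address, and a newsletter whose Envelope-FROM is a bounce address. The trusted-partner set, the two mode names and the assumption that the default mode accepts a match on either address are simplifications made for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed: the addresses this gateway has learned as trusted partners.
TRUSTED_PARTNERS = {"anna.mueller@partner.example"}

ENVELOPE_ONLY = "envelope_only"
ENVELOPE_AND_HEADER = "envelope_and_header"  # assumed default: a match on either address counts


def sender_addresses(envelope_from: str, raw_message: str):
    """Return (Envelope-FROM, Header-FROM) as lower-cased bare addresses."""
    msg = message_from_string(raw_message)
    _, header_from = parseaddr(msg.get("From", ""))
    return envelope_from.strip().lower(), header_from.strip().lower()


def addresses_mismatch(envelope_from: str, raw_message: str) -> bool:
    """True when the SMTP envelope sender and the From header disagree."""
    env, hdr = sender_addresses(envelope_from, raw_message)
    return env != hdr


def is_trusted(envelope_from: str, raw_message: str, mode: str = ENVELOPE_AND_HEADER) -> bool:
    """Decide whether the message inherits partner trust under the given mode."""
    env, hdr = sender_addresses(envelope_from, raw_message)
    if mode == ENVELOPE_ONLY:
        return env in TRUSTED_PARTNERS
    if mode == ENVELOPE_AND_HEADER:
        return env in TRUSTED_PARTNERS or hdr in TRUSTED_PARTNERS
    raise ValueError("unknown mode: %s" % mode)


# Constructed sample traffic (not real messages).
GENUINE_ENVELOPE = "anna.mueller@partner.example"
GENUINE_MESSAGE = (
    'From: "Anna Mueller" <anna.mueller@partner.example>\n'
    "To: finance@victim.example\n"
    "Subject: Invoice 2018-11\n"
    "\n"
    "Please find the invoice attached.\n"
)

SPOOFED_ENVELOPE = "bounce@attacker.example"  # what MAIL FROM actually carried
SPOOFED_MESSAGE = (
    'From: "Anna Mueller" <anna.mueller@partner.example>\n'  # display identity only
    "To: finance@victim.example\n"
    "Subject: Invoice 2018-11 (see attachment)\n"
    "\n"
    "Please enable editing to view the invoice.\n"
)

NEWSLETTER_ENVELOPE = "newsletter-bounces@partner.example"
NEWSLETTER_MESSAGE = (
    'From: "Partner News" <anna.mueller@partner.example>\n'
    "To: finance@victim.example\n"
    "Subject: Partner newsletter, November\n"
    "\n"
    "This month's update.\n"
)


if __name__ == "__main__":
    for label, env, msg in (("genuine", GENUINE_ENVELOPE, GENUINE_MESSAGE),
                            ("spoofed", SPOOFED_ENVELOPE, SPOOFED_MESSAGE),
                            ("newsletter", NEWSLETTER_ENVELOPE, NEWSLETTER_MESSAGE)):
        print("%-10s mismatch=%-5s default=%-5s envelope_only=%s" % (
            label, addresses_mismatch(env, msg),
            is_trusted(env, msg, ENVELOPE_AND_HEADER),
            is_trusted(env, msg, ENVELOPE_ONLY)))
```

In the default mode the spoofed message inherits the partner's trust through its forged From header; with envelope-only evaluation it does not, but the newsletter sent from a bounce address loses its trust in the same step, which is exactly the false positive the text above warns about. Logging `addresses_mismatch` separately is a cheap way to see how much of your legitimate mail would be affected before changing the setting.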
These recommendations optimise the defence behaviour of NoSpamProxy against the currently increasing number of spam and virus emails.