Messages with a subject "Please review your document Invoice 6178284 for XXXXXXXX"


Symantec has observed a large number of messages coming from beginning around 12th June at 14:55 UTC. The attack is ongoing but current rules are blocking known variants.

Attack characteristics
• Messages come from
• Messages started at around 12th June 15:55 UTC
• Subject is “Please review your document Invoice [7 Digit #] for [RECIPIENT DOMAIN]”
• Links in the messages are malformed and unusable
• Unbroken links go to a doc file infected with W97M.Downloader. The final payload is Trojan.Snifula

Actions taken:
• Created URL hash filter
• Created URL regex filter
• Created header regex filters
• Added single signature rules
• Created predictive heuristics
• Added AV detections
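Added example (not Symantec's filter and not part of this bulletin): a Python check of the Subject header built from the attack characteristics above and the header regex filter listed under actions taken. The regex, the function names and the sample messages are constructed assumptions; the check also compares the domain in the subject with the recipient's own domain, since the lure inserts the recipient domain into the subject.

```python
import re
from typing import List, Optional

# Subject template described in the bulletin: a 7-digit invoice number followed
# by the recipient's domain. This regex is an assumption for the example, not
# the vendor's actual header filter.
SUBJECT_RE = re.compile(
    r"^Please review your document Invoice (?P<invoice>\d{7}) for (?P<domain>[A-Za-z0-9.-]+)$"
)


def recipient_domain(address: str) -> Optional[str]:
    """Return the lowercased domain part of a mailbox address, or None."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].strip(" >").lower()


def subject_matches_campaign(subject: str, to_address: str) -> bool:
    """True when the subject follows the campaign template AND the domain it
    names equals the recipient's own domain (the personalisation the lure uses)."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        return False
    dom = recipient_domain(to_address)
    return dom is not None and m.group("domain").lower() == dom


# Constructed sample messages (To and Subject only); none of these are real mail.
SAMPLE_MESSAGES = [
    {"to": "alice@example.com", "subject": "Please review your document Invoice 6178284 for example.com"},
    {"to": "bob@example.org",   "subject": "Please review your document Invoice 1234567 for example.org"},
    {"to": "carol@example.net", "subject": "Please review your document Invoice 12345 for example.net"},   # only 5 digits
    {"to": "dave@example.com",  "subject": "Please review your document Invoice 7654321 for other.test"},  # domain mismatch
    {"to": "erin@example.com",  "subject": "Re: Invoice 6178284"},                                         # unrelated
]


def flag_messages(messages: List[dict]) -> List[int]:
    """Return the indexes of messages whose subject matches the campaign template."""
    return [i for i, msg in enumerate(messages) if subject_matches_campaign(msg["subject"], msg["to"])]


if __name__ == "__main__":
    for i in flag_messages(SAMPLE_MESSAGES):
        print(f"flagged: {SAMPLE_MESSAGES[i]['subject']!r}")
```

The domain comparison is what keeps this narrower than a plain substring match: a legitimate invoice subject naming some other domain is not flagged, while a lure personalised with the recipient's domain is.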

Recommendations: Any missed messages outside the stated time range should be submitted following the preferred process.

Began at:

Affected components