Symantec has observed a large number of messages coming from william_scott@flexovitportal.com beginning around 12th June at 14:55 UTC. The attack is ongoing but current rules are blocking known variants.
Attack characteristics:
• Messages come from william_scott@flexovitportal.com
• Messages started at around 12th June 15:55 UTC
• Subject is “Please review your document Invoice [7 Digit #] for [RECIPIENT DOMAIN]”
• Links in the messages are malformed and unusable
• Unbroken links go to a doc file infected with W97M.Downloader; the final payload is Trojan.Snifula
Actions taken:
• Created URL hash filter
• Created URL regex filter
• Created header regex filters
• Added Single signature rules
• Created predictive heuristics
• Added AV detections
Recommendations: Any missed messages outside the stated time range should be submitted following the preferred process.
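
One way to look for missed messages before submitting them is to match stored mail against the sender and subject characteristics listed above. This is an added example, not Symantec's filter rules; the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import getaddresses, parseaddr

CAMPAIGN_SENDER = "william_scott@flexovitportal.com"  # sender named in the advisory
# Subject template from the advisory: a 7-digit invoice number, then a domain.
SUBJECT_RE = re.compile(
    r"^Please review your document Invoice (\d{7}) for ([A-Za-z0-9.-]+)$")

def match_campaign(raw_message):
    """Report which advisory characteristics a raw RFC 5322 message matches."""
    msg = message_from_string(raw_message, policy=default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    # Collapse any leftover folding whitespace before matching the template.
    subject = " ".join(str(msg.get("Subject", "")).split())
    to_headers = [str(h) for h in msg.get_all("To", [])]
    rcpt_domains = {addr.rpartition("@")[2].lower()
                    for _, addr in getaddresses(to_headers) if addr}
    m = SUBJECT_RE.match(subject)
    return {
        "sender": sender == CAMPAIGN_SENDER,
        "subject": m is not None,
        # The template ends with the recipient's own domain.
        "subject_domain_is_recipient":
            m is not None and m.group(2).lower() in rcpt_domains,
    }

def is_suspect(raw_message):
    """Flag on the known sender, or on the subject template even if From differs."""
    hits = match_campaign(raw_message)
    return hits["sender"] or (hits["subject"] and hits["subject_domain_is_recipient"])

# Constructed sample messages (not taken from the campaign).
SAMPLES = {
    "campaign": "From: William Scott <william_scott@flexovitportal.com>\n"
                "To: ap@example.com\n"
                "Subject: Please review your document Invoice 1234567 for example.com\n\nbody\n",
    "other_sender": "From: billing@example.net\nTo: ap@example.com\n"
                    "Subject: Please review your document Invoice 7654321 for example.com\n\nbody\n",
    "benign": "From: billing@example.org\nTo: ap@example.com\n"
              "Subject: Please review your document Invoice 123456 for example.com\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, is_suspect(raw), match_campaign(raw))
```

Matching on the subject template as well as the sender catches variants sent from a different address; a six-digit invoice number, as in the benign sample, does not match.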