Phishing/Malicious messages going through containing html attachments

Created by Yves Lacombe, Modified on Tue, 2 May, 2023 at 4:38 PM by Yves Lacombe

Problem:


Seeing many phishing messages that have .htm or .html attachments that keep going through proofpoint.



Reason:


Many of these emails have malformed attachments which make the detection more difficult.



Fixes/Workaround:


You should consider upgrading your plan to advanced if you're on business or beginner.  Advanced includes an advanced filtering feature called sandboxing which will increase drastically the catch rate on those emails.  Basically, the attachments are unpacked and opened inside a virtual environment and if the attachment exhibits any kind of "bad" behavior, it's classified as malware and blocked.


Barring this, you can consider doing the following to alleviate the situation.



1. Block unscannable files


Proofpoint has a mechanism where you can defacto block any files that have improper mime parsing or are otherwise impossible to ascertain the attachment type.








2. Block html attachments by name


Simply create an inbound filter rule that blocks anything with attachment name of *.htm* which should block all variations thereof, exemple: .htm, .html and anything where trailing or leading spaces are placed.





Important news item - we've started seeing waves of messages also containing *.shtm and *.shtml files so you should add to the rule above *.shtm* as a criteria ex:

*.htm*,*.shtm*




3. Consider GEOIP filtering


If your business only deals with North America for instance, you could simply block anything not coming from USA, Canada and Mexico.  Here's an example:





Adopting these three measures should reduce the number of these types of phishing from going through.