On Tuesday, June 4, a huge attack of emails containing an excel document containing a last-generation Trojan was launched.

The size of the attack: 35,000 emails in less than 24 hours!

Only on systems managed by BLS, which normally see a flow of 280,000 emails a week, 35,000 infected emails arrived in less than 24 hours.


A Malware that cannot be more recent!

Of the 6 Antiviruses used by BLS to filter emails (Clamav, ESET, K7, Bitdefender and Total Defense, Sophos), nobody was able to identify the new Trojan for 59 minutes after receiving the first email.
Not only that, even checking with VirusTotal, Google's service that checks the files fed to it with as many as 59 antiviruses, it did not initially detect anything.
After about an hour, the SecuriteInfo database used by Clamav recognized the virus.

In the time elapsed, around 5,000 emails had passed the first check.


Of these 5000, they reached the users ... 32 emails! How is it possible?

The remaining emails were blocked by additional, multiple Janusmail filter systems:

  • A second anti-spam engine based on a database of more than 200,000 signatures that recognizes spam, malware and phishing
  • Two Blacklists continuously updated with IP addresses of servers that send spam, malware and phishing
  • A system developed by us able to evaluate the Reputation of the server that sends the e-mails and block those deemed too risky


And those 32?

None of these e-mails have time to infect our users' machines.

About half of them had reached Zimbra systems managed by us: the functionality of the Zimbra Advanced module allowed these emails to be automatically moved to the user's Junk folder.


In addition, the system has automatically sent all recipients an alert in the antispam report to not open that email.


Finally, the BLS assistance reported the danger of the email to the users who had received it as soon as the attack was detected.


And now?

15 emails out of 35,000 that reach the end user is equivalent to a 99.999% greater effectiveness ... someone could say that we were very good.

But that's not enough for us! We aim for 100%, and for this we are going to implement two additional security systems:

  • File office risk recognition: a system that analyzes the office files attached to emails and assesses the risk, blocking delivery if it is too high.
  • Fuzzy hashing: A system that quickly compares potential viruses attached to other existing viruses and detects similarities.


And you meanwhile?

To improve your security, ask immediately to activate the Janusmail advanced protection modules on the mail server, and in the meantime train your users on how to recognize dangerous emails.

LS can help you with this, thanks to the Sophos Phish Threat service, a system that allows users to simulate phishing attempts to assess their ability to recognize them.