Posted to users@spamassassin.apache.org by "Chip M." <sa...@IowaHoneypot.com> on 2016/05/05 18:39:18 UTC

Re: new(ish) malware: RTF with MIME payload

Thanks guys, for all the helpful info and sanity checks! :)

Sorry about the Message-ID munging - I get some really useful
malware at that domain but no ham, and am a bit paranoid about
losing that feed.


Followup:
>I had considered anchoring the MIME string, however we have a 
>very powerful quarantine system, so I kept that rule simple. 
>We've had zero FPs on either rule, albeit only in xml/doc/msword 
>files.

I changed my system to run that MIME string test on all message
parts (plain text, de-MIMEd file, de-MIMEd non-file MIME), then
we did a regression test on all 2015 & 2016 ham for most of our
key corpora.  We also tested 2013 & 2014 ham-only for a few of
the most useful corpora, for a grand total of about 1.4 million
individual emails.

We found exactly zero hits on ham. :)
Not counting "my" SA list digest.

That rule is now live on all our systems, at Exterminate score.

We'll be doing a few more corpora in the next two weeks, and if
there's any hits, I'll report back.

While it is hypothetically possible that somebody would send a
document with ActiveMime, I personally am trusting my quarantine
system to detect those.  We can individually "skip" list that rule
if needed, just like we already do with Word macros and other
Pakled-icity. ;)
	- "Chip"
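As an added illustration of the approach described in the post (not Chip's rule and not SpamAssassin code), the snippet below scans every message part after transfer decoding, so a marker hidden inside a base64-encoded RTF attachment or in a plain-text part is found the same way. The page does not give the actual string the rule matches; the "ActiveMime" signature the post mentions is used here as an assumed stand-in, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed marker: the post names ActiveMime but not the exact string the rule
# uses. The hex form is also checked because RTF embeds objects as hex text.
MARKER = b"ActiveMime"
MARKER_HEX = MARKER.hex().encode()


def part_payloads(msg):
    """Yield (kind, decoded bytes) for every leaf part of a parsed message."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True)  # undo base64 / quoted-printable
        if data is None:
            continue
        kind = "file" if part.get_filename() else part.get_content_type()
        yield kind, data


def scan_message(raw):
    """Return the kinds of parts in which the marker was found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for kind, data in part_payloads(msg):
        lowered = data.lower()
        if MARKER.lower() in lowered or MARKER_HEX in lowered:
            hits.append(kind)
    return hits


def build_sample(marker_in_body=False, attach_rtf=False):
    """Constructed sample message; not real mail from the thread."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    body = "Please see the attached document."
    if marker_in_body:
        body += " Discussion of the ActiveMime signature follows."
    msg.set_content(body)
    if attach_rtf:
        # RTF object data is hex-encoded, so the marker appears as hex digits.
        rtf = b"{\\rtf1{\\object\\objemb{\\*\\objdata " + MARKER_HEX + b"}}}"
        msg.add_attachment(rtf, maintype="application", subtype="rtf",
                           filename="doc.rtf")  # base64-encoded on the wire
    return msg.as_bytes()
```
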