Recent Events: In the last few months our users are getting about a couple of malicious emails per week from various addresses and Avast is not cleaning up the malwares in the attachments as we have been expecting, which means we are relying on "not having human error" to stay safe (not good). In all of these cases, the emails have a single small zip file attached to them, in almost all of the cases the zip files contained a script (.js file) for windows script engine to execute. Note that email clients usually block JS attachments but since these are in zip files they pass through. The subjects and bodies are simple, like "Scanned Image", "Invoice Attached", etc. Some of the sender email addresses have been spoofed as well, for example the Scanned Image series of emails that went around were trying to spoof Admin accounts, cleaver since some on-site network scanners in some companies may have similar behaviours.
I have looked at the content of the .js files and majority of them have obfuscated methods to basically call up some URL and get a malicious payload (ransomware? malware? spyware? We are not interested to try to find out
). A minority of them had code that seem to try to exploit Windows security flaws.
So here is my feature request: What if Avast on mailservers can just open the zip files and if there is a .js files it would tag them as potentially malicious and delete them? .js scripts should really be shared by other means like code depots or internal file share servers assuming they are safe. What if the engine can analyze .js files or run them in a container and if they are a downloader it marks them as potentially malicious?
my 2 cents
