Today we were made aware by our friends at the Helpdesk of an email threat that should be blocked as a priority. Some customers were receiving emails with links to
telling them that they must follow this link to read their email. DO NOT do this: we have already had a customer suffer an attempted virus infection through one of these links. If you're using GEN Email Gateways then we've already blocked all emails with a link like this, and if you're using TrendMicro or GEN BSS then we've already added this URL to the global block list. Quoted from the GEN HelpDesk article...
For some of our enterprise customers we monitor all adverse endpoint activity, and whilst investigating a malicious software detection on a Windows 10 machine we found that a file had been downloaded from a third-party website and had in turn attempted to infect the endpoint. Further investigation and an interview with the end user (EU) identified that they had received an email with a link from a known sender; despite their training the EU was not suspicious, followed the link, used a password that was also sent by email and downloaded a file, thus circumventing email protection and presenting a clear threat to the PC and the wider infrastructure.
We immediately added this URL to the global TrendMicro blacklist, blocked it on our mail routers and customer site gateways, and added a spam filter rule to strip the URL from any emails that come through.
We STRONGLY suggest you do the same: protecting your infrastructure from this deliberate attempt to circumvent email scanning and protection should be considered a priority. In the case above TrendMicro caught the infection attempt and blocked it, but no matter how good it is, it's not infallible.
This threat encourages the end user to visit a link to get their email, with some made-up reason. Once convinced to follow the link, the end user circumvents all email screening and protection. Blocking this attack vector seems to be as simple as blacklisting the URL in your spam filter and/or blocking it at the internet firewall/gateway. Again, if you are a GEN Managed customer then we've already taken care of it for you.
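As an added illustration of the "strip the URL from any emails" filter rule described above (example code, not GEN's own filter), the following Python parses a message, replaces a blocklisted URL in every text part and tags the message so a gateway rule can quarantine it. The URL in BLOCKED_URLS, the header name and the sample lure are placeholders constructed for this example; the advisory does not reproduce the real URL.

```python
# Added example, not code from the GEN advisory: a mail-filter step that detects
# a blocklisted phishing URL in every text part of a message, strips it, and
# tags the message with a hit count for quarantine or reporting.
import email
import re
from email import policy
from email.message import EmailMessage

# Placeholder indicator: the advisory does not reproduce the real URL.
BLOCKED_URLS = ["http://mail-portal.example.invalid/read-your-email"]
TAG_HEADER = "X-Blocked-URL-Count"  # assumed header name, not from the advisory

# Constructed sample lure (plain-text plus HTML alternative), built for this example.
SAMPLE_EMAIL = b"""\
From: trusted.sender@example.invalid
To: user@example.invalid
Subject: You have 3 unread messages
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You must follow this link to read your email: http://mail-portal.example.invalid/read-your-email
--b1
Content-Type: text/html; charset="utf-8"

<p>Read your email <a href="http://mail-portal.example.invalid/read-your-email">here</a></p>
--b1--
"""


def blocked_url_pattern(urls=BLOCKED_URLS) -> re.Pattern:
    """Case-insensitive alternation of the literal URLs (escaped, so '.' matches '.')."""
    return re.compile("|".join(re.escape(u) for u in urls), re.IGNORECASE)


def strip_blocked_urls(raw: bytes) -> tuple[EmailMessage, int]:
    """Parse raw RFC 5322 bytes, replace each blocklisted URL in every text/* part
    and add TAG_HEADER with the total hit count. Returns (cleaned message, hits)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    pat = blocked_url_pattern()
    hits = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # attachments and multipart containers are left untouched
        cleaned, n = pat.subn("[link removed by mail filter]", part.get_content())
        if n:
            part.set_content(cleaned, subtype=part.get_content_subtype())
            hits += n
    if hits:
        msg[TAG_HEADER] = str(hits)
    return msg, hits


def is_lure(raw: bytes) -> bool:
    """Gateway decision: True when the message carried a blocklisted URL."""
    return strip_blocked_urls(raw)[1] > 0
```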