Discord used to share malware
Not sure if this is news or not but it's the first time I've seen this.
I got a fake "here's the invoice" message with a link to an Excel Macro
file from

https://cdn.discordapp.com/attachments/{redacted}.xlsm

This thing slipped in with a score of 0.4, KAM_NUMSUBJECT being the only
trigger of significance. Reported the link to Discord.

--
For SpamAssassin Users List
Re: Discord used to share malware
I received one today as well. First time I have seen this type.

It was a pretty well drawn thread overall, they are stepping it up
________________________________________
From: Alan <spamassassin.twyie@ambitonline.com>
Sent: Monday, July 26, 2021 10:56:29 AM
To: users@spamassassin.apache.org
Subject: Discord used to share malware

Not sure if this is news or not but it's the first time I've seen this.
I got a fake "here's the invoice" message with a link to an Excel Macro
file from

https://cdn.discordapp.com/attachments/{redacted}.xlsm

This thing slipped in with a score of 0.4, KAM_NUMSUBJECT being the only
trigger of significance. Reported the link to Discord.

--
For SpamAssassin Users List
Re: Discord used to share malware
Thanks.  I've used cdn.discord in the fake delivery rules.  From this
thread, I've gone through my corpora for a few years and have 18
spamples from Oct 2019 to-date with the abuse.

So it's rare but I've added a DISCORD rule to KAM.cf but I also checked
my ham corpora and the rules are safe for legit discord messages.  It
hits on every one of my spamples.

Anyway, just pushed a pretty big KAM.cf update so please let me know how
it works on your mail.

Regards,

KAM

On 7/26/2021 2:17 PM, Gary Smith wrote:
> I received one today as well. First time I have seen this type.
>
> It was a pretty well drawn thread overall, they are stepping it up
> ________________________________________
> From: Alan <spamassassin.twyie@ambitonline.com>
> Sent: Monday, July 26, 2021 10:56:29 AM
> To: users@spamassassin.apache.org
> Subject: Discord used to share malware
>
> Not sure if this is news or not but it's the first time I've seen this.
> I got a fake "here's the invoice" message with a link to an Excel Macro
> file from
>
> https://cdn.discordapp.com/attachments/{redacted}.xlsm
>
> This thing slipped in with a score of 0.4, KAM_NUMSUBJECT being the only
> trigger of significance. Reported the link to Discord.
>
> --
> For SpamAssassin Users List
>
--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
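
As an added example, not part of the thread and not the KAM.cf rule (which the thread does not show): a Python triage check that flags the pattern reported here, a link to a macro-enabled Office file under cdn.discordapp.com/attachments/. The function name, the extension list beyond .xlsm, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# .xlsm is the type reported in the thread; the other macro-capable Office
# extensions are an assumption added to generalize the check.
MACRO_EXTS = (".xlsm", ".xlsb", ".xltm", ".docm", ".dotm", ".pptm")
CDN_HOST = "cdn.discordapp.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def discord_macro_links(raw_message):
    """Return Discord CDN attachment URLs that point at macro-enabled files."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # get_content() undoes quoted-printable/base64, so a URL broken by a
        # soft line break ("=" at end of line) is matched whole.
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;)")
            parts = urlsplit(url)  # hostname comes back lowercased
            path = parts.path.lower()  # path only: a query string cannot hide the extension
            if ((parts.hostname or "") == CDN_HOST
                    and path.startswith("/attachments/")
                    and path.endswith(MACRO_EXTS) and url not in hits):
                hits.append(url)
    return hits

# Constructed sample message (addresses and attachment IDs are made up).
SAMPLE = """\
From: billing@example.test
Subject: Invoice 48213
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Here's the invoice: https://cdn.discordapp.com/attachments/111/222/inv=
oice.xlsm
--b1
Content-Type: text/html; charset="utf-8"

<a href="https://cdn.discordapp.com/attachments/111/222/invoice.xlsm">Invoice</a>
<img src="https://cdn.discordapp.com/attachments/111/333/logo.png">
--b1--
"""
```

A plain grep over the raw message would miss the text/plain link because the quoted-printable soft break splits the file name; decoding each part first is what catches it.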