Just a sample of the Echomail archive
|  Message 1481  |
|  August Abolins to mark lewis  |
|  another one phishing for a bite  |
|  31 Mar 20 20:33:00  |
MSGID: 2:221/1.58@fidonet e2f1afe1
REPLY: 54.fido-internet@1:3634/12 22e8fad5
PID: OpenXP/5.0.43 (Win32)
CHRS: ASCII 1
TZUTC: -0400

Hello mark!

** 31.03.20 - 18:30, mark lewis wrote to August Abolins:

AA>>>> (but I obscured a few things here with #### so no one inadvertently
AA>>>> clicks on a link):

ml>>>just change http to hxxp or similar ;)

AA>> Six or one half dozen of the other. :)

ml>not really because now others of us cannot look up that information and
ml>set blocks or filters in our IDS/IPS ;)

Oh.. I see. Good point. But couldn't http://march262020.* work in a filter?

But, FYI, replace "####" with "club". No point keeping it a secret if the goal is to help protect others.

BTW, although it is far easier to just drop the phishing email/attachment with the delete key, we can parse the file, extract the clear-text and share the http:// strings found therein. Obviously, the macro in the original .xls file relied on Excel functions to run a macro to fetch a bot from a website and launch the payload.

../|ug

--- OpenXP 5.0.43
 * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
SEEN-BY: 1/123 90/1 103/705 154/10 203/0 221/1 6 360 226/30 227/114
SEEN-BY: 229/101 426 452 1014 240/5832 249/206 317 400 280/464 5003
SEEN-BY: 288/100 292/854 310/31 317/3 322/757 342/200 396/45 423/81
SEEN-BY: 423/120 712/848 770/1 2452/250
PATH: 221/1 280/464 229/426
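
The workflow discussed in this message (pull the clear-text http:// strings out of an attachment, then share them in a form that cannot be clicked but can still be turned back into a filter entry), as an added example that is not part of the original post. The function names and the sample bytes are constructed for illustration, and it assumes the URLs are stored as plain ASCII or UTF-16LE text, which obfuscated or compressed macros may not do.

```python
import re

# Printable runs, as `strings` would find them: 8-bit ASCII and UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_urls(blob):
    """Return unique http(s) URLs stored as clear text in blob, in order found."""
    texts = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    texts += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    urls = []
    for text in texts:
        for url in URL.findall(text):
            url = url.rstrip(".,;")  # drop trailing punctuation picked up by the match
            if url not in urls:
                urls.append(url)
    return urls

def defang(url):
    """Make a URL unclickable but fully recoverable: hxxp scheme, [.] in the host."""
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    return (scheme.lower().replace("tt", "xx", 1) + "://"
            + host.replace(".", "[.]") + slash + path)

def refang(text):
    """Undo defang() so the indicator can be loaded into a block list or filter."""
    return re.sub(r"^hxxp", "http", text.replace("[.]", "."), flags=re.IGNORECASE)

# Constructed sample bytes (not from the attachment discussed in the post):
# binary padding around one ASCII URL and one UTF-16LE URL on reserved .test names.
SAMPLE = (b"\xd0\xcf\x11\xe0\x00\x00"
          b"http://files.example.test/a/payload.bin\x00\x03"
          + "https://cdn.example.test/x.dll".encode("utf-16-le")
          + b"\x00\x00\x05")

if __name__ == "__main__":
    for u in extract_urls(SAMPLE):
        print(defang(u))
```

Unlike replacing part of the address with ####, the defanged form loses nothing: `refang()` restores the exact string for lookups and IDS/IPS rules.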