Random post this, but in the past 48 hours we have started to receive what have the characteristics of SEP alerts, but they're unlike any I have seen before.
They basically look like automated emails but using end user email address and being sent to our admin mailbox. Example below.
Attachment: INV 00000404.doc
Security risk detected: Trojan.Mdropper
Action taken: Cleaned by Deletion
File status: Cleaned by Deletion
Attachment: INV 00000404.doc
Security risk detected: Trojan.Mdropper
Action taken: Cleaned by Deletion
File status: Cleaned by Deletion
Hello Commercial Non-Infra Alliance
Your invoice-00000404 for 1,764.03 is attached. Please remit payment at your earliest convenience.
Thanks for your business!
I've had a look in the Monitors tab for notification conditions and there's nothing that matches which would generate the above alert. It reminds me of the New Risk Detected alert but with less detail, for instance it doesn't have the PC name or any details like that. I have managed to find the machine it came from by looking up the email address it was sent from and searching via logon name in the SEPM, and the above details match what the Risk Log shows.
Anyone able to shed some light on why we are getting these alerts now when we have never received them previously?
To note we are using SEP 12.1.6 MP5, haven't updated any clients or the SEPM in the past month; the alerts only started appearing in this format in the past 48 hours.
Thanks,
John