From: Dave Porter [mailto:firstname.lastname@example.org]
Sent: 06 November 2013 12:06
Subject: Invoice 17731 from Victoria Commercial Ltd

Dear Customer :
Your invoice is attached to the link below:
Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Victoria Commercial Ltd

The email originates from bosmailout13.eigbox.net [22.214.171.124] which belongs to the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone.co.uk/invoice17731.doc which appears to be a hacked legitimate web site.
Detection rates have continued to improve throughout the day and currently stand at 10/47. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.
A sandbox analysis confirms that it is malicious, in particular it connects to 126.96.36.199 (Mir Telematiki Ltd, Russia) and the following domains:
It is the same attack as described by Blaze's Security Blog and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:
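A blocklist only helps once it is actually checked against traffic. The script below is an added example, not code from the original post or from Blaze's Security Blog: it takes indicators in the defanged form used above (the [donotclick] marker, plus the common hxxp:// and [.] conventions), builds a blocklist of hostnames and IP networks, and runs it over Squid-style proxy log lines. The log lines are constructed for the example; the two indicators are the hosting URL and the IP address quoted on this page. It goes slightly beyond the post in that it also matches subdomains of a listed host and any address inside a listed CIDR range, which is the usual way such a list is applied.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators exactly as published on the page above (defanged with "[donotclick]").
RAW_INDICATORS = [
    "[donotclick]www.vantageone.co.uk/invoice17731.doc",
    "126.96.36.199",
]


def refang(indicator: str) -> str:
    """Undo the defanging conventions blogs use so the value can be parsed."""
    s = indicator.strip()
    s = s.replace("[donotclick]", "")   # this page's marker
    s = re.sub(r"^hxxp", "http", s)     # hxxp:// -> http://
    s = s.replace("[.]", ".")           # example[.]com -> example.com
    return s


def build_blocklist(indicators):
    """Return (hostnames, ip_networks) from raw indicator strings."""
    domains, nets = set(), set()
    for raw in indicators:
        s = refang(raw)
        try:                            # bare IP or CIDR first
            nets.add(ipaddress.ip_network(s, strict=False))
            continue
        except ValueError:
            pass
        # Otherwise treat it as a URL or a bare hostname with a path.
        host = urlparse(s if "://" in s else "//" + s).hostname
        if host:
            domains.add(host.lower())
    return domains, nets


def host_matches(host, domains):
    """Exact match or a subdomain of a listed host."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ip_matches(ip, nets):
    """True if the string is an address inside any listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


# Squid native log format:
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
1383739561.123 210 10.1.2.3 TCP_MISS/200 4096 GET http://www.vantageone.co.uk/invoice17731.doc - DIRECT/93.184.216.34 application/msword
1383739562.456 130 10.1.2.3 TCP_MISS/200 512 POST http://126.96.36.199/ - DIRECT/126.96.36.199 text/html
1383739563.789 90 10.1.2.4 TCP_HIT/200 8192 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
"""


def scan_log(log_text, domains, nets):
    """Return (client, url) for every request touching a listed host or address."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, peer = fields[2], fields[6], fields[8]
        host = urlparse(url).hostname
        peer_ip = peer.split("/", 1)[-1]      # "DIRECT/1.2.3.4" -> "1.2.3.4"
        if host and (host_matches(host, domains) or ip_matches(host, nets)):
            hits.append((client, url))
        elif ip_matches(peer_ip, nets):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    domains, nets = build_blocklist(RAW_INDICATORS)
    for client, url in scan_log(SAMPLE_LOG, domains, nets):
        print(f"{client} requested blocked resource {url}")
```

The same host and network matching can be used to decide what to put in a proxy deny rule or a DNS sinkhole; checking the hierarchy/peer field as well as the URL host catches requests that reached a listed address through a hostname the list does not mention.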