Malicious Attachments

What Is The Concern?

OU IT has detected an increase in phishing emails with malicious attachments, primarily Microsoft Office-based attachments. The emails can appear to be sent by a spoofed OU email address and be sent to OU distribution lists. The spoofed email addresses have included admin@ou.edu and device-related addresses such as IT-CANON-Scanner@ou.edu, but may not be limited to these addresses.

Malicious attachments in phishing emails, if clicked, have the potential to encrypt all files and folders on the computer, including file shares, mapped cloud directories, and USB or other cable-attached devices. Once the files are encrypted, they may become unusable. OU IT has restricted macro-enabled attachments, such as .docm and .xlsm files, to prevent malicious files from being opened. Please see the list of blocked attachment file types below. More information about Outlook blocked file types can also be found on this Microsoft support page.

If an email is flagged as malicious, the file might be removed from the email. This varies with the policy the detection system applies to the email, so the email may still be delivered to the intended user(s) with a note explaining why the attached file was removed. If you receive this message or feel that emails are not being delivered/received, please contact OU IT by calling 325-HELP or submitting a ticket via the ITSupport page.

If the attachment is outright blocked by the mail security system, then OU IT suggests the sender utilize a trusted file hosting site with sharing capabilities like OneDrive or Dropbox. The sender can then provide the mail recipient a link to download the file in question. As with all email, please use caution and be sure to follow good security awareness when asked to download any files.

If an attachment exceeds 35MB, files and folders may be shared using OneDrive. Click here for more information about OU email attachment policies. For more information about OneDrive, check out the following articles:

OneDrive Quick Start Guide (store, sync, share)
OneDrive: Sharing Folders & Permissions

What Action Do I Need To Take?

If you accidentally click on the attachment, please change your OUNet password to a new password as soon as possible. Next, run your system malware/virus scanner to detect the possible infection.

If your machine reports an infection, let your scanner attempt a clean up. If your scanner is unable to remove the infection or if your machine has already been encrypted by the malware, please call 325-HELP (4357).

Ensure that you have properly backed up all of your data and that backup devices are no longer connected to your system.

As a reminder, we ask that all OU students, faculty, and staff use these security tips to stay safe when using email:

Delete messages from untrusted senders.
Do not respond to or forward emails from untrusted senders.
Do not click on attachments or links from untrusted senders.
Change your password immediately if you have accidentally responded to one of these messages with your personal information.
You can change your OUNet ID password by visiting accounts.ou.edu.
Review your spam filtering options at accounts.ou.edu.

 

Blocked attachment file types

*.386 *.hlp *.msp *.reg
*.3gr *.hpj *.mst *.scf
*.add *.hta *.msu *.scr
*.ade *.inf *.ocx *.sct
*.appcontent-ms *.ins *.pcd *.settingcontent-ms
*.asp *.isp *.pif *.shs
*.bas *.jar *.pl *.shb
*.bat *.jnlp *.potm *.sldm
*.cer *.js *.ppsm *.theme
*.chm *.jse *.pptm *.url
*.class *.lha *.printerexport *.vb
*.cmd *.lnk *.ps1 *.vbe
*.cnt *.lqy *.ps1xml *.vbp
*.com *.lzh *.ps2 *.website
*.cpl *.mcf *.ps2xml *.ws
*.crt *.mdb *.psc1 *.wsh
*.dbx *.mde *.psc2 *.xbap
*.diagcab *.msc *.psd1 *.xla
*.der *.msh *.psdm1 *.xll
*.dll *.msh1 *.py *.xlm
*.docm *.msh2 *.pyc *.xlsm
*.dotm *.mshxml *.pyo *.xltm
*.exe *.msh1xml *.pyw *.xnk
*.fon *.msh2xml *.pyz  
*.grp *.msi *.pyzw  
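
How an extension-based block like the list above can be checked against a message, as an added example that is not OU IT's or its mail security system's own code. It assumes a plain match on the final file extension, uses only a subset of the list above, and runs on a constructed sample message.

```python
from email import message_from_string, policy

# Subset of the blocked file types listed on this page (the full list is longer).
BLOCKED = {"docm", "dotm", "xlsm", "xltm", "pptm", "ppsm", "potm", "sldm",
           "exe", "js", "jse", "hta", "lnk", "ps1", "vbe", "scr", "bat", "cmd"}

def blocked_extension(filename):
    """Return the blocked extension a filename ends in, or None."""
    # Normalise as Windows does: it ignores trailing dots and spaces in names.
    name = filename.strip().rstrip(". ").lower()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return ext if ext in BLOCKED else None

def scan_message(raw):
    """Return [(filename, extension)] for every blocked attachment in a message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():              # walk() also reaches nested parts
        name = part.get_filename()       # None for bodies and containers
        ext = blocked_extension(name) if name else None
        if ext:
            hits.append((name, ext))
    return hits

# Constructed sample message, not a real email.
SAMPLE = """\
Subject: Scanned document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.pdf.DOCM"

placeholder
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="notes.pdf"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Only the last extension decides the match, so a name ending in .pdf.DOCM is treated as a macro-enabled Word file regardless of case.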

 

Details

Article ID: 273
Created: Sun 9/6/20 3:36 PM
Modified: Fri 7/21/23 2:39 PM