Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Emotet mass email exfiltration ?

  • 1 reply
  • 1 has this problem
  • 9 views
  • Last reply by Matt

more options

I am suddenly receiving a barrage of (old) emails from a group of friends who regularly send group-emails. Each mail contains a text that was already sent earlier in 2020. The Sender is identified by his customary name but the underlying email-address is completely unknown AND different with every new email received. Attached to every mail is a Word doc which I have not dared to open. My group has not yet received mails purported to have been sent by me but they have from many of the other groupmembers; the number of mails received varies significantly per groupmember. I have read about Emotet (see Heading and below). My question: Is Thunderbird known to be vulnerable to Emotet or similar exfiltration malware? Tks Carel

https://www.kryptoslogic.com/blog/2018/10/emotet-awakens-with-new-campaign-of-mass-email-exfiltration/

I am suddenly receiving a barrage of (old) emails from a group of friends who regularly send group-emails. Each mail contains a text that was already sent earlier in 2020. The Sender is identified by his customary name but the underlying email-address is completely unknown AND different with every new email received. Attached to every mail is a Word doc which I have not dared to open. My group has not yet received mails purported to have been sent by me but they have from many of the other groupmembers; the number of mails received varies significantly per groupmember. I have read about Emotet (see Heading and below). My question: Is Thunderbird known to be vulnerable to Emotet or similar exfiltration malware? Tks Carel https://www.kryptoslogic.com/blog/2018/10/emotet-awakens-with-new-campaign-of-mass-email-exfiltration/

All Replies (1)

more options

I had never heard of the malware or how it worked until I read you linked article. But the key information here is the use of extended mapi Thunderbird struggles to implement most of the MAPI interface. It does not support extended MAPI

The following quote from the article is also very very specific.

This configuration is the first thing checked by this module. In particular, the registry key HKLM\Software\Clients\Mail\Microsoft Outlook is accessed, and the value DllPathEx—the path to the mapi32.dll module—is expected to be defined. If it is not, the module does not proceed. Note that the registry key is pretty specific—there are other plausible keys, such as HKLM\Software\Clients\Mail\Windows Mail, that this module simply does not care about.

This appears the email part of this is a Microsoft Outlook only issue. Having said that, the malware is probably included in the word document and opening it would infect your computer. The vulnerability of your computer to opening a virus in an attachment will depend on the anti virus product you use and how well the definitions are updated. The attachment is entirely a bit of text whilst it remains in Thunderbird. (Mime encoded see https://en.wikipedia.org/wiki/MIME) Opening an attachment converts the document to it's original binary form and writes the resultant file to the system temp folder. If your anti virus is any good it will block the write to your temp folder of the file if you attempt to open it. If it is not good it will miss the event and you will get infected. Attachments are a fundamental weakness of email. Be it Gmail, Thunderbird, Outlook or any other email client. As the actual content of the file is only known to the application that can read the file format of the attachment it is accepted on faith as "a file" and transmitted in an inert form. (and stored by Thunderbird that way). What you do with the attachment is left up to your judgement.

Modified by Matt