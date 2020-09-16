A local business was reportedly "hacked" two weeks ago. The details are sketchy because after talking to them they don't really understand how their email works, they don't really know what happened, what was involved or what was lost. Their IT guy has said there is nothing they can do about it, so they aren't doing anything.

I first heard about it last week when another local business came to me saying they had people calling them to say they had received email which their anti-virus had blocked.

I took a look at some examples and it was the usual case: the name was changed to their business name (although with a typo most people won't notice) and the reply address was something like <abc@huoyfhsue.df>. Even where they have changed the email address to be blah@domain.com, the headers still show random domains.

The phone calls eventually stopped but there have been five today so obviously it's started again.

They have valid SPF and DKIM records and their website and email are all looking ok. One employee admitted to opening the attachment because they thought it had come from someone they knew, but all their desktops, laptops and mobiles are also clean.

The attachment appears to be an empty .docx file. It's only 172KB, so I put it on an old laptop and it scanned ok with ESET and malwarebytes and opens a blank Word doc.

So I'm assuming this is just a case of spammers spoofing their details (however badly) and there is little to nothing we can do about it?
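As an added illustration (not part of the original post), a small header-consistency check in Python for the two patterns described above: a lookalike display name sitting on a random domain, and a correct-looking address whose Return-Path or Reply-To still points at a random domain. The business name, domains and sample messages are constructed placeholders, and the check only compares headers; it does not replace SPF/DKIM/DMARC evaluation.

```python
import difflib
import email
from email.utils import parseaddr

def _domain(header_value):
    """Lower-cased domain of the first address in a header, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def spoof_findings(raw, known_name, known_domain):
    """Return sorted finding tags for a raw RFC 5322 message that claims to
    come from known_name / known_domain. Header consistency only; it is
    not a substitute for SPF, DKIM or DMARC checks done by the receiver."""
    msg = email.message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From"))
    findings = set()
    # Display name resembles the real business (typos included) while the
    # address itself is on some other domain.
    ratio = difflib.SequenceMatcher(None, display.lower(), known_name.lower()).ratio()
    if ratio >= 0.8 and from_dom != known_domain.lower():
        findings.add("lookalike-display-name")
    # Address looks right, but bounce / reply headers still point elsewhere.
    for hdr, tag in (("Return-Path", "return-path-mismatch"),
                     ("Reply-To", "reply-to-mismatch")):
        dom = _domain(msg.get(hdr))
        if dom and dom != from_dom:
            findings.add(tag)
    return sorted(findings)

# Constructed samples (hypothetical names and domains, not from the post):
# a typo'd display name on a random domain, and a correct From address whose
# Return-Path and Reply-To still sit on random domains.
LOOKALIKE = ("Return-Path: <bounce@huoyfhsue.df>\n"
             'From: "Acme Widgts Ltd" <abc@huoyfhsue.df>\n'
             "Subject: Invoice\n\nSee attached.\n")
MIXED = ("Return-Path: <bounce@huoyfhsue.df>\n"
         'From: "Acme Widgets Ltd" <info@acme.example>\n'
         "Reply-To: <abc@qwe.df>\n"
         "Subject: Invoice\n\nSee attached.\n")

if __name__ == "__main__":
    for raw in (LOOKALIKE, MIXED):
        print(spoof_findings(raw, "Acme Widgets Ltd", "acme.example"))
```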