Reply to post: Re: Blocking this attack?

OLE-y hell. Bug in MSFT Word allows total PC p0wnage

Peter2 Silver badge

Re: Blocking this attack?

. . . I hadn't actually considered dropping anything with application/hta at the network level; you can tell I usually work with server/desktop! Added that just for good measure.

Ok, so far. If emailed in then :-

1) the anti-spam system should recognise active content in the Word document and drop it.

2) If it was (somehow) delivered to the endpoint then Word is blocked from downloading anything via GPO.

3) If it (somehow) bypassed the Group Policy options for this then it'd get blocked by the firewall.

4) If it somehow was downloaded and attempted to get executed then it'd be blocked by the Software Restriction Policy as an unauthorised extension type.

5) If that fails, the HTA processor is blocked from running by SRP.

6) If that fails, then I'm reliant on the AV.

I don't think I'm going to get too much safer.
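
The network-level drop of application/hta mentioned at the top of the post, sketched as a proxy-side check. This is an added example, not part of the post or of any product's configuration. The function name, the sample URLs and the sample headers are constructed for illustration.

```python
# Added example: sample responses are constructed; helper names are hypothetical.
from email.message import Message
from urllib.parse import urlsplit

BLOCKED_TYPES = {"application/hta"}  # the media type named in the post
BLOCKED_EXTS = (".hta",)

def verdict(url, headers):
    """Return (drop, reason) for one HTTP response seen at the proxy.

    headers is a list of (name, value) pairs exactly as received.
    """
    msg = Message()
    for name, value in headers:
        msg[name] = value  # appends, so duplicate headers are preserved

    # 1. Declared type: ignore case, parameters and padding, check every copy.
    for raw in msg.get_all("Content-Type", []):
        media = raw.split(";", 1)[0].strip().lower()
        if media in BLOCKED_TYPES:
            return True, "content-type " + media

    # 2. Download name offered under some other declared type.
    filename = (msg.get_filename() or "").lower()
    if filename.endswith(BLOCKED_EXTS):
        return True, "filename " + filename

    # 3. Extension in the URL path (query string excluded).
    path = urlsplit(url).path.lower()
    if path.endswith(BLOCKED_EXTS):
        return True, "url path " + path

    return False, "allowed"

# Constructed responses: (url, headers)
SAMPLES = [
    ("http://files.example.test/get?id=7",
     [("content-type", " Application/HTA; charset=utf-8")]),
    ("http://files.example.test/get?id=8",
     [("Content-Type", "application/octet-stream"),
      ("Content-Disposition", 'attachment; filename="Update.HTA"')]),
    ("http://files.example.test/report.docx", [("Content-Type",
      "application/vnd.openxmlformats-officedocument.wordprocessingml.document")]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, verdict(url, headers))
```

The first sample has no file extension in its URL, so only the Content-Type check catches it; an extension-only rule would let it through.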
