inc2022 wrote:
Ok, this time with the scan I got only one file with Email.Phishing.Blackhole and I followed your instructions and this is what I got ...
Date: Fri, 23 Aug 2013 12:59:52 -0700
From: "US Airways - Reservations" <reservations@myusairways.com>
To: <myemailID>
Subject: US Airways check-in reminder
So this looks to me to be an actual notification from US Air back in August. That should be enough for you to locate the message in Outlook. Without being able to see the body of the message, I can't tell whether or not it contains links to a fake US Air site, but if you find it you should be able to hover your cursor over any links to see where it will actually take you.
You may remember that the only elements of a signature the ClamAV® scan engine is looking for are a reference to the Star Alliance logo and the from line above, so if you see that logo in the message, that would explain why it's giving you that identification.
I ran the header through SpamCop and the results would seem to confirm that it actually came from US Air.
If you don't need that message any more, I recommend deletion from within Outlook (don't drag the file to the trash). If you want to keep it, you can either ignore future findings or, after completing the scan, do a right-click / control-click on an entry and select "Exclude From Future Scans", but since we keep finding a different identifier for it (moving train), that's probably not going to work for long.
Normally I would ask you to submit it to the folks at ClamAV® as a false positive (assuming you do find it to be legitimate), but at this point it's probably not worth the effort. If you feel inclined to do so, go to the ClamAV® "Submit a file" page and use the "Send a false positive report" form to upload it.