0
A colleague of mine was at a Hilton in the US (we're in Canada), and now every time he sends an email to someone from Outlook 2010, there is some garbage appended to the end of his signature... The kicker is, if he sends an email to himself, it doesn't append anything to the signature.
We've checked proxy settings, and checked the signature files themselves to see if they were altered. No such luck. We're running some virus/malware scans now but has anyone seen this or have any idea how they would be altering outgoing mail like that?
It made more sense that his signatures would be altered while he was on the hotel wifi, but now that he's back, I cannot figure out why it is happening.
Edit: To clarify, it is appending a bunch of information about the hotel to the bottom of the signature. Address, contact information, how to connect to the WiFi, there's also several pictures it is linking to.
So he/you can't see the appended information while composing the email? It only appears once it's been sent? Is it spam type information, or literal 'garbage' ? – djsmiley2k TMW – 2017-05-29T14:30:19.120
It is a whole bunch of information on the hotel. The address of the hotel, contact information, how to connect to wifi, and there's a broken picture link as well. – pay – 2017-05-29T14:36:27.650
And that's appearing from a location completely unrelated to the hotel? Wow... that's... odd :/ – djsmiley2k TMW – 2017-05-29T14:44:26.903
Yes, extremely strange... He's now back in another country, on our internal internet connection (although we have him on a connection that does not have access to our primary network for now) and it is still doing it – pay – 2017-05-29T14:45:07.037
He could try "system restore" or uninstall and reinstall outlook. Did he check all the network settings? IP/DNS address, proxy server, etc? Maybe his computer is set to use the mail proxy server of the hotel. – SpiderPig – 2017-05-29T14:47:08.330
Yes we checked proxy settings in browsers, on the network interface, and in Outlook. They all appear to be normal. DNS settings are also normal – pay – 2017-05-29T14:48:20.987
2I've stayed in Hiltons all over the US and never had hotel wifi append to emails. (I'd, in fact, stay elsewhere if it did that). I suspect masquerading malware. – Tyson – 2017-05-29T14:50:42.707
I would contact the hotel, they should be aware of this and I think their reputation is more imperative for them then some unwanted link. – Máté Juhász – 2017-05-29T14:51:31.543
You could use Wireshark to monitor his network traffic while he sends a mail. – SpiderPig – 2017-05-29T14:53:42.440
Can you (or your network admin) have a look at the mailserver to see where the email is coming from - it should be coming directly from his laptop, but it sounds like it's routing via something else. If it's coming directly from the laptop, with this information appended then it's definitely malware on the laptop itself. If it's going via somewhere external, it still could be a outlook setting... – djsmiley2k TMW – 2017-05-29T14:56:42.540
We will be contacting the hotel's corporate office regarding this. We may wireshark the traffic as well, but for now I just noticed there is a strange URL in the email signature that includes something about Avast Antivirus and a 'tunnel ID'. Unfortunately we use Avast here... Which ironically might be the root of the issue. – pay – 2017-05-29T15:02:34.823
I guarantee it is. Disable the Avast outlook plugin to confirm. You should also contacted your system administrator so they can reimage the system – Ramhound – 2017-05-29T15:47:49.793
Ya, it was the Avast signature. Our IT admin is going to do a thorough checking of the system and likely re-image it tonight as well. – pay – 2017-05-29T16:01:56.887