Cyber Incident Victim: McAfee

Date:

Nov 2017

Location:

United States of America

Summary

A cybersecurity firm's email protection service inadvertently exposed users to banking malware through a malicious link routed via its domain. The link directed to a Word document delivering Emotet malware, designed to steal sensitive data like passwords. The service initially classified the third-party hosting site as low risk but later updated it to high risk and blocked access after external researcher alerts. Discrepancies emerged regarding the timeline of the block, with evidence suggesting the malicious link remained active longer than claimed. The incident highlighted risks even with protective services in place, as attackers exploited trusted domains to distribute malware through social engineering tactics.

Description

On or around November 13, 2017, McAfee’s ClickProtect email security service inadvertently facilitated the distribution of Emotet banking malware through a malicious link associated with its cp.mcafee.com domain. The link, hosted on a third-party website but routed through McAfee’s domain, redirected users to a malicious Word document. Paris-based security researcher Benkow identified and publicly disclosed the threat via a tweeted malware analysis report. The document, when opened, executed a macro that downloaded additional payloads via PowerShell, including the Emotet binary. This malware subsequently connected to command-and-control servers to exfiltrate sensitive data such as browser credentials and email passwords, primarily targeting users in the US, UK, and Canada. McAfee’s ClickProtect service, designed to block phishing links and high-risk sites, had initially classified the third-party site as "low risk," allowing the link to propagate until the company’s Global Threat Intelligence team reevaluated and blocked it later on November 13.

McAfee stated the service operated as intended, noting the site’s threat status was updated to "high risk" and access blocked after detection. The company confirmed an investigation but denied "deliberate abuse" of its systems as the cause. Timeline discrepancies arose when external observations indicated the malicious link remained active shortly before McAfee’s claimed blocking time. Emotet’s resurgence at the time involved sophisticated malspam campaigns impersonating telecom providers, exploiting social engineering to bypass email protections. The incident highlighted risks posed by seemingly trusted domains and misleading security assurances in email signatures. McAfee did not confirm the attack vector’s origin or the number of affected users, though the malware’s broad targeting of financial data underscored potential impacts. The company continued reviewing the sequence of events while external analysts emphasized vigilance against shortened links and false security claims in emails.
