Say No to OWA Security Upgrade
Today we began seeing a large malware campaign from the Storm Worm. Yes, I said it, the Storm Worm. We haven't really seen much from this variant lately, unless you count its rebirth under the Waledac moniker, but not everybody does. I do believe these are written by the same team, however. I was under the impression that the old version had been ditched for the new, but I guess they've swept the dust off and given it another go.
This campaign is very similar to one we saw two days ago from the same worm, with subtle differences in the body of the email that delivers the link to the malicious payload. On Monday, the emails pretended to be from your domain's engineering team, informing you of "Server Upgrades" that were taking place and providing a link to expedite the process. Today's attack uses tokens to personalize the email so that it, too, appears to come from within your domain. This time, apparently, our technical support team has made some security changes in "my" mailbox and I need to click the provided link to apply them. If they want changes made, I think they should just apply them themselves; heck, they've already got the uber admin passwords. But ok, whatever, I'll bite - "click".
Next I find myself on a web page that mimics an Outlook Web Access sign-on page, once again personalized to appear specific to my domain, though I will say it looks slightly odd. Instead of the normal login and password fields, there is a link to download the file settings-file.exe. Once executed, it infects the host computer with Nuwar.
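As an added example (not part of the original post), the following Python script applies two heuristic checks to the artifacts described above: a mail that claims an internal sender but is injected from, and links to, an outside domain, and a landing page branded as Outlook Web Access that offers an executable download where the password field should be. The organization domain, the sending host, and the message and page contents are all constructed for the demonstration; only the file name settings-file.exe comes from the post.

```python
# Added example, not code from the original post. All domains, hosts and
# message/page contents below are constructed for the demonstration.
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that should never be offered by a "sign-on" page.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain(addr):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _in_org(host, org_domain):
    host = (host or "").lower()
    return host == org_domain or host.endswith("." + org_domain)


def _is_executable(url):
    return urlparse(url).path.lower().endswith(EXEC_SUFFIXES)


def _body_text(msg):
    """Concatenate the text parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def analyze_message(raw, org_domain):
    """Flag a mail whose From: claims org_domain while the envelope sender
    (Return-Path) is elsewhere, and any link that leaves the organization
    or points straight at an executable."""
    msg = email.message_from_string(raw)
    _, from_addr = email.utils.parseaddr(msg.get("From", ""))
    _, envelope = email.utils.parseaddr(msg.get("Return-Path", ""))
    findings = []
    if _domain(from_addr) == org_domain and _domain(envelope) != org_domain:
        findings.append(f"spoofed internal sender: From={from_addr} Return-Path={envelope}")
    for url in URL_RE.findall(_body_text(msg)):
        if not _in_org(urlparse(url).hostname, org_domain):
            findings.append(f"internal-looking mail links off-domain: {url}")
        if _is_executable(url):
            findings.append(f"link to executable: {url}")
    return findings


class _PageParser(HTMLParser):
    """Collect anchors, input types and visible text from an HTML page."""

    def __init__(self):
        super().__init__()
        self.links, self.input_types, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "input":
            self.input_types.append((a.get("type") or "text").lower())

    def handle_data(self, data):
        self.text.append(data)


def analyze_landing_page(html):
    """Flag a page branded as OWA that has no password field and/or
    offers an executable for download instead of a sign-on form."""
    p = _PageParser()
    p.feed(html)
    text = " ".join(p.text).lower()
    findings = []
    looks_like_owa = "outlook web access" in text or "outlook web app" in text
    if looks_like_owa and "password" not in p.input_types:
        findings.append("OWA-branded page has no password field")
    for href in p.links:
        if _is_executable(href):
            findings.append(f"download link to executable: {href}")
    return findings


# Constructed sample mail and landing page, modelled on the description
# in the post; the hosts and wording are hypothetical.
ORG = "example.com"
SAMPLE_MAIL = """\
Return-Path: <bounce@mailer.example.net>
From: Technical Support <support@example.com>
To: user@example.com
Subject: Security changes to your mailbox
Content-Type: text/plain; charset=utf-8

Our technical support team has applied security changes to your mailbox.
Please visit http://example.net/owa/example.com/ to apply them.
"""

SAMPLE_PAGE = """\
<html><head><title>Outlook Web Access - example.com</title></head>
<body><h1>Outlook Web Access</h1>
<p>Download and run the settings file to apply the changes:</p>
<a href="http://example.net/owa/settings-file.exe">settings-file.exe</a>
</body></html>
"""

if __name__ == "__main__":
    for f in analyze_message(SAMPLE_MAIL, ORG) + analyze_landing_page(SAMPLE_PAGE):
        print("FLAG:", f)
```

The mail check relies on the Return-Path your own MTA stamps on delivery, not on anything the sender controls, which is why a spoofed internal From: stands out; the page check is deliberately crude (brand text present, no password input, executable link) because that is exactly the combination the post describes.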
The Storm Worm is a mass-mailing worm that harvests email addresses and mails itself to every address it finds. Once a PC is infected, it becomes part of the botnet, and detection and removal become very difficult. Don't follow the link, and don't run the file.
