Another pleasant surprise a short time later was that Dropbox removed the troublesome link.
But we were still confronted with a troubling question: How had this email made it through our spam-filtering protections? Apparently the email team had disabled the Sender Policy Framework setting, which validates that incoming email originates from authorized domains. For example, if an email is purported to originate from computerworld.com but the email header contains an originating domain that is not authorized by computerworld.com as a valid domain, the email would be blocked. The email team had disabled this feature in order to troubleshoot a serious mail delivery problem. Needless to say, that feature was quickly reactivated.
We've also sent an inquiry to our antivirus vendor asking why this ransomware wasn't detected. I'm sure they're going to say it was due to it being a zero-day exploit, but we have to ask. I've also contacted the vendor of our advanced malware-detection tool to ask why it didn't detect and block this, since all downloaded files are supposed to be run in a sandbox, evaluated and then blocked if determined to be malware. They're all good questions to ask, I think, and I'll be interested in what the vendors have to say.
But we got lucky with this one.
No, that's wrong. Security awareness seems to have been our saving grace. It worked just the way it's supposed to.
Sign up for CIO Asia eNewsletters.