Just a friendly reminder to make sure you’re only allowing port 80, 443, and maybe 8080 outbound from your network. According to this recent US CERT alert advanced attackers are using email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. This sends the user’s credential hash to the remote server prior to retrieving the requested file. (Note: It is not necessary for the file to be retrieved for the transfer of credentials to occur.) The threat actors then likely used password-cracking techniques to obtain the plaintext password.
TCP ports 445 or 139 and UDP ports 137 or 138 (SMB) should only be allowed internally !!!