We've been hit by a few of these in the past few months and they seem to be creating new variants on a daily basis. Not sure how Mail Security (which we're running) would help if these things are being sent out rapid-fire before definitions are updated.
We had a user click a link to:
htt p://marl uci amartins.com.br/ima ges/aqq.ph p (spaces added, and the link is now dead).
In that case, the user ended up with a new variant of SecurityShieldFraud that wasn't detected by even the rapid release defs at the time.
Today's victim had defender.exe dropped in their application data directory after clicking a similar link. There was no prompt to run an application - it just loaded. This one still isn't detected by the rapid release defs.
I submitted a sample (Tracking #19520683) and haven't yet heard back.
We're going to take a machine and try to see what the infection vector is. We think it might be a Java vulnerability because a user got this at home and reported seeing the Java console load just before they got hit.