Novel phishing campaign uses corrupted Word documents to evade security
- by nlqip
A novel phishing attack abuses Microsoft’s Word file recovery feature by sending corrupted Word documents as email attachments, allowing them to bypass security software due to their damaged state but still be recoverable by the application.
Threat actors constantly look for new ways to bypass email security software and land their phishing emails in targets’ inboxes.
A new phishing campaign discovered by malware hunting firm Any.Run utilizes intentionally corrupted Word documents as attachments in emails that pretend to be from payroll and human resources departments.
These attachments use a wide range of themes, all revolving around employee benefits and bonuses, including:
Annual_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx
Annual_Q4_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin
Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin
Due_&_Payment_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin
Q4_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin
The documents in this campaign all include the base64 encoded string “IyNURVhUTlVNUkFORE9NNDUjIw,” which decodes to “##TEXTNUMRANDOM45##”.
When opening the attachments, Word will detect that the file is corrupted and state that it “found unreadable content” in the file, asking if you wish to recover it.
These phishing documents are corrupted in such a way that they are easily recoverable, displaying a document that tells the target to scan a QR code to retrieve a document. As you can see below, these documents are branded with the logos of the targeted company, such as the campaign targeting Daily Mail shown below.
Scanning the QR code will bring the user to a phishing site that pretends to be a Microsoft login, attempting to steal the user’s credentials.
While the ultimate goal of this phishing attack is nothing new, its use of corrupted Word documents is a novel tactic used to evade detection.
“Although these files operate successfully within the OS, they remain undetected by most security solutions due to the failure to apply proper procedures for their file types,” explains Any.Run.
“They were uploaded to VirusTotal, but all antivirus solutions returned “clean” or “Item Not Found” as they couldn’t analyze the file properly.”
These attachments have been fairly successful in achieving their goal.
From attachments shared with BleepingComputer and used in this campaign, almost all have zero detections [1, 2, 3, 4] on VirusTotal, with only some [1] detected by 2 vendors.
At the same time, this could also be caused by the fact that no malicious code has been added to the documents, and they simply display a QR code.
The general rules still apply to protect yourself against this phishing attack.
If you receive an email from an unknown sender, especially if it contains attachments, it should be deleted immediately or confirmed with a network admin before opening it.
Source link
lol
A novel phishing attack abuses Microsoft’s Word file recovery feature by sending corrupted Word documents as email attachments, allowing them to bypass security software due to their damaged state but still be recoverable by the application. Threat actors constantly look for new ways to bypass email security software and land their phishing emails in targets’…
Recent Posts
- AWS Removes Financial Cap For Partners In MAP Program
- AWS re:Invent 2024: 7 New Partner Offers For SAP, AI Security And MAP Funding
- Interim Intel Co-CEO: ‘The Core Strategy Remains Intact’
- Meet New Intel Products CEO Michelle Holthaus: 5 Big Things To Know
- Amazon Nova AI Models And New ‘Killer Feature’ In Bedrock Are Huge AWS Partner Opportunities