Novel phishing campaign uses corrupted Word documents to evade security

A novel phishing attack abuses Microsoft Word's file recovery feature by sending corrupted Word documents as email attachments. Because the files are damaged, security software cannot parse them and lets them through, yet Word can still recover and display them.

Threat actors are constantly looking for new ways to bypass email security software and land their phishing emails in targets' inboxes.

A new phishing campaign discovered by malware hunting firm Any.Run uses intentionally corrupted Word documents as attachments in emails that pretend to come from payroll and human resources departments.

Phishing email
Source: BleepingComputer

These attachments use a variety of themes, all revolving around employee benefits and bonuses, including:

Annual_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx
Annual_Q4_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin
Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin
Due_&_Payment_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin
Q4_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin

The documents in this campaign all include the base64 encoded string "IyNURVhUTlVNUkFORE9NNDUjIw", which decodes to "##TEXTNUMRANDOM45##".

When opening the attachments, Word detects that the file is corrupted and states that it "found unreadable content" in the file, asking whether you wish to recover it.

Corrupted Word document sent in phishing emails
Source: BleepingComputer

These phishing documents are corrupted in such a way that they are easily recoverable, displaying a document that tells the target to scan a QR code to retrieve a document. As you can see below, these documents are branded with the logos of the targeted company, such as the campaign targeting Daily Mail shown below.

Repaired Word document
Source: BleepingComputer

Scanning the QR code takes the user to a phishing site that pretends to be a Microsoft login page, attempting to steal the user's credentials.

Phishing page stealing Microsoft credentials
Source: BleepingComputer

While the ultimate goal of this phishing attack is nothing new, its use of corrupted Word documents is a novel tactic used to evade detection.

"Although these files operate successfully within the OS, they remain undetected by most security solutions due to the failure to apply proper procedures for their file types," explains Any.Run.

"They were uploaded to VirusTotal, but all antivirus solutions returned "clean" or "Item Not Found" as they couldn't analyze the file properly."

These attachments have been fairly successful in achieving their goal.

Of the attachments shared with BleepingComputer and used in this campaign, almost all have zero detections [12, 3, 4] on VirusTotal, with only some [1] detected by 2 vendors.

At the same time, this could also be explained by the fact that no malicious code has been added to the documents: they simply display a QR code, so there is no payload for a signature or behavioural engine to flag.
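The two detection points above, the base64 marker in the filenames and the fact that a "corrupted" .docx is really a zip that strict parsers reject while a repair pass can still read it, can be checked in a small triage script. The following is an added example, not code from Any.Run or BleepingComputer. A .docx is an OOXML zip archive; the article does not say how the attackers damage the files, so this example corrupts a constructed sample by wiping the zip's end-of-central-directory (EOCD) record, which is one way to make a strict zip reader fail while leaving every file entry intact. The sample names, the document content, the treatment of the trailing "__" as stand-in "==" padding, and the local-header walk as an approximation of what a repair pass does are all assumptions made for the example.

```python
"""Triage for corrupted-.docx phishing lures (added example, assumptions noted inline)."""
import base64
import io
import re
import struct
import zipfile
import zlib

# Constructed sample attachment names following the campaign's naming pattern
# (the "[name]" placeholder is kept exactly as the article lists it).
SAMPLE_NAMES = [
    "Annual_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx",
    "Due_&_Payment_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin",
    "Quarterly_report.docx",  # benign control, no marker
]

# Zip local file header: sig, version(2 bytes), flags, method, time, date, crc,
# compressed size, uncompressed size, name length, extra length = 30 bytes.
LOCAL_HDR = struct.Struct("<4s2B4H3L2H")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}")


def decode_filename_markers(name):
    """Decode long base64 runs embedded in a filename.  The campaign's names end the
    run with '__'; this example assumes that stands in for '==' and recomputes padding."""
    found = []
    for run in B64_RUN.findall(name):
        try:
            text = base64.b64decode(run + "=" * (-len(run) % 4), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            found.append(text)
    return found


def build_sample_docx(body_text):
    """Constructed minimal OOXML package (not a real lure): content types + one document part."""
    doc_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>"
    )
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
        'officedocument.wordprocessingml.document.main+xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", types_xml)
        z.writestr("word/document.xml", doc_xml)
    return buf.getvalue()


def corrupt_eocd(data):
    """Assumed corruption method: zero the trailing 22-byte EOCD record.  A strict zip
    reader can no longer locate the central directory, but every local entry survives."""
    return data[:-22] + b"\x00" * 22


def recover_local_entries(data):
    """Walk local file headers directly, ignoring the central directory.  This approximates
    what a repair pass can do (assumption; the article only says Word recovers the file)."""
    entries = []
    off = 0
    while True:
        off = data.find(b"PK\x03\x04", off)
        if off < 0 or off + LOCAL_HDR.size > len(data):
            break
        (_, _, _, _, method, _, _, _, csize, _, nlen, elen) = LOCAL_HDR.unpack_from(data, off)
        name = data[off + LOCAL_HDR.size : off + LOCAL_HDR.size + nlen].decode("utf-8", "replace")
        start = off + LOCAL_HDR.size + nlen + elen
        blob = data[start : start + csize]
        try:  # method 8 = raw deflate, 0 = stored; anything else is left unread
            content = zlib.decompress(blob, -15) if method == 8 else blob if method == 0 else b""
        except zlib.error:
            content = b""
        entries.append((name, content))
        off = start + csize if csize else off + 4
    return entries


def recovered_text(data):
    """Visible text runs from the recovered document part (regex is enough for this sample)."""
    for name, content in recover_local_entries(data):
        if name == "word/document.xml":
            return b" ".join(re.findall(rb"<w:t[^>]*>([^<]*)</w:t>", content)).decode("utf-8")
    return ""


def triage_attachment(name, data):
    """What a file-type-aware scanner should record for a .docx-looking attachment."""
    return {
        "looks_like_zip": data[:4] == b"PK\x03\x04",        # magic-only check: still passes
        "zip_parses": zipfile.is_zipfile(io.BytesIO(data)),  # strict parse: fails once corrupted
        "recovered_parts": [n for n, _ in recover_local_entries(data)],
        "filename_markers": decode_filename_markers(name),
    }


if __name__ == "__main__":
    lure = build_sample_docx("Please scan the QR code below to retrieve your document")
    for label, blob in (("intact", lure), ("corrupted", corrupt_eocd(lure))):
        print(label, triage_attachment(SAMPLE_NAMES[0], blob))
    print("recovered text:", recovered_text(corrupt_eocd(lure)))
```

Run stand-alone, the script shows the gap Any.Run describes: a magic-byte check says "zip/docx", a strict zip parser says "not a zip", and only the header walk surfaces the "scan the QR code" text and the document part. A scanner that stops at "cannot parse" and reports clean is the failure mode; the defensible behaviour is to either recover the way the viewer will, or to treat an Office attachment that its own format parser rejects as suspicious rather than clean, and to flag the repeated base64 marker in the filename as an additional indicator.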

The usual rules still apply to protect yourself from this phishing attack.

If you receive an email from an unknown sender, especially one with attachments, it should be deleted immediately or confirmed with a network admin before opening it.
