A new phishing attack abuses Microsoft Word’s file recovery feature by sending deliberately corrupted Word documents as e-mail attachments. Because the files are corrupt, they slip past security software, while Word itself can still repair and open them.
Threat actors are constantly looking for new ways to bypass email security software and get their phishing emails into the inboxes of targets.
Capitalizing on salary and bonus
A new phishing campaign, discovered by malware hunting company Any.Run, uses intentionally corrupted Word documents as email attachments. The emails appear to come from payroll and human resources departments, BleepingComputer reports.
These attachments come in different themes, but all revolve around employee benefits and bonuses. When the attachment is opened, Word detects that the file is corrupted, reports that it found unreadable content, and asks the user whether they want to recover the file.
QR code scanning
The attackers corrupt the phishing documents in such a way that Word can still recover them easily. The recovered document then asks the target to scan a QR code to obtain another document. The criminals often brand these documents with the logo of the targeted company.
Scanning the QR code takes the user to a phishing website posing as a Microsoft login page that steals their login credentials. The end goal of this phishing attack is not new, but using corrupt Word documents is a new tactic to evade detection.
Security solutions fail to recognize danger
“Although these files operate successfully within the OS, they remain undetected by most security solutions due to the failure to apply proper procedures for their file types,” explained Any.Run. “They were uploaded to VirusTotal, but all antivirus solutions returned ‘clean’ or ‘Item Not Found’ as they couldn’t analyze the file properly.”
Almost none of the attachments shared with BleepingComputer and used in this campaign have detections on VirusTotal; the few exceptions were flagged by only two vendors.
This may also be because the documents contain no malicious code at all: they only display a QR code.
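The evasion described above comes down to a parsing gap: a scanner that gives up when the .docx container (a zip archive) fails to parse never sees the Word parts inside, while Word's recovery still reads them. The following Python triage check is an added example, not code from the article, Any.Run or BleepingComputer. It builds a small constructed .docx in memory, applies one constructed form of damage (dropping the zip central directory; the article does not say how the campaign's files were corrupted), and then classifies attachments by whether the zip parses and whether OOXML part names are still present in the raw bytes. The verdict names are assumptions chosen for this example.

```python
import io
import zipfile

# Part names every real Word document carries. They appear in the zip local
# file headers, so they remain visible even when the central directory is gone.
OOXML_MARKERS = (b"[Content_Types].xml", b"word/document.xml")
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_sample_docx() -> bytes:
    """Constructed minimal .docx (stored, not deflated, to keep the bytes readable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
    return buf.getvalue()


def corrupt_docx(data: bytes) -> bytes:
    """Constructed damage for the example: strip the central directory and the
    end-of-central-directory record, leaving only the local file entries."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory signature
    if eocd < 0:
        raise ValueError("not a zip archive")
    cd_offset = int.from_bytes(data[eocd + 16:eocd + 20], "little")
    return data[:cd_offset]


def classify_attachment(data: bytes) -> dict:
    """Triage an attachment without trusting the zip parser alone.

    verdict (assumed names):
      valid-ooxml   - zip parses and contains word/document.xml
      valid-zip     - zip parses but is not a Word document
      corrupt-ooxml - zip parser fails, yet Word part names are present
      unknown       - neither parses nor looks like OOXML
    """
    names: set = set()
    zip_parses = True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        zip_parses = False

    markers = [m.decode() for m in OOXML_MARKERS if m in data]
    if zip_parses:
        verdict = "valid-ooxml" if "word/document.xml" in names else "valid-zip"
    elif markers:
        verdict = "corrupt-ooxml"
    else:
        verdict = "unknown"

    return {
        "verdict": verdict,
        "zip_parses": zip_parses,
        "local_headers": data.count(ZIP_LOCAL_HEADER),
        "ooxml_markers": markers,
    }


def needs_review(data: bytes) -> bool:
    """A corrupt container that still carries Word parts is exactly the case a
    naive scanner skips, so route it to manual review or a recovery-aware sandbox."""
    return classify_attachment(data)["verdict"] == "corrupt-ooxml"


if __name__ == "__main__":
    good = build_sample_docx()
    bad = corrupt_docx(good)
    for label, blob in (("intact", good), ("corrupted", bad)):
        print(label, classify_attachment(blob), "review:", needs_review(blob))
```

The point of the `corrupt-ooxml` verdict is that "the zip library raised an exception" is itself a signal rather than a reason to return "clean": an attachment that Word will offer to recover but a scanner cannot open deserves more scrutiny, not less. In a real pipeline the same check would be followed by a recovery-aware extraction of the document's text and images so that the QR code content can be inspected.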
Distrust unknown sender
The general security rules still apply to protect yourself from this phishing attack. If you receive an e-mail from an unknown sender, especially one with attachments, delete it immediately or consult your network administrator before opening it.