Corrupted Word Files Fuel Sophisticated Phishing Campaign

A new phishing campaign has been observed corrupting Microsoft Word documents to bypass email security systems and trick users into sharing sensitive information.

The campaign targets victims with emails impersonating payroll or HR departments, promising employee benefits or bonuses to lure recipients into opening malicious attachments.

These emails feature attachments named to appear legitimate, such as:

  • Annual_Benefits_&Bonus_for[name].docx

  • Due_&Payment_for[name].docx.bin

  • Q4_Benefits_&Bonus_for[name].docx.bin

When opened, the files prompt Microsoft Word’s recovery mode, which reconstructs the document and displays instructions to scan a QR code. Scanning the code redirects users to a fake Microsoft login page designed to harvest login credentials.

Researchers at Any.Run identified the campaign and, in a post on X (formerly Twitter) last week, highlighted its innovative use of corrupted files.

Unlike traditional phishing techniques, these attachments contain no malicious code, making them appear safe to most antivirus software and detection tools. Many of the files uploaded to VirusTotal were flagged as clean or went undetected entirely.

The success of this campaign lies in its exploitation of the gap between how operating systems process damaged files and how security tools analyze them.

“These files operate successfully within the OS but remain undetected due to the failure to apply proper procedures for their file types,” Any.Run researchers explained.
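One way a mail filter can close that gap, shown as an added example (not Any.Run's tooling and not code from the campaign analysis): an attachment that claims to be a .docx but fails strict ZIP/OOXML parsing is held for review instead of being passed as clean. The function names, verdict strings, hold policy and sample bytes are assumptions constructed for this illustration.

```python
import io
import zipfile

# Parts every well-formed .docx (an OOXML ZIP package) contains.
REQUIRED_PARTS = ("[Content_Types].xml", "word/document.xml")


def claims_docx(filename: str) -> bool:
    """True for names such as x.docx and x.docx.bin, as in the lures listed above."""
    return "docx" in filename.lower().split(".")[1:]


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment; assumed policy: hold 'damaged-package' and 'unparseable'."""
    if not claims_docx(filename):
        return "not-docx"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if zf.testzip() is None and names.issuperset(REQUIRED_PARTS):
                return "well-formed"  # pass on to the normal OOXML scanners
    except Exception:  # any strict-parse failure fails closed
        pass
    # Strict parsing failed. Part names are stored uncompressed in ZIP headers, so
    # finding them means this was a Word package that a lenient reader may repair.
    if data.startswith(b"PK") or any(p.encode() in data for p in REQUIRED_PARTS):
        return "damaged-package"
    return "unparseable"


def constructed_package() -> bytes:
    """Constructed sample: a minimal ZIP holding the two required part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    good = constructed_package()
    damaged = good[:-40]  # constructed damage for the demo: ZIP end record cut off
    print(triage_attachment("Q4_Benefits_for_sample.docx.bin", damaged))
    print(triage_attachment("notes.docx", good))
```

The truncation used for the sample is only a test fixture; the article does not describe how the campaign's files were damaged.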

Tips to Protect Against Phishing

To stay safe from such threats, firms and individuals should consider these best practices:

  • Be cautious of unexpected emails with attachments, even if they seem work-related

  • Verify the authenticity of emails with senders before opening attachments

  • Use sandbox environments or advanced detection tools to analyze suspicious files

The campaign has reportedly been active since August and demonstrates the growing sophistication of phishing techniques. Vigilance and robust cybersecurity measures remain crucial to staying protected.
