Corrupted Microsoft Office documents and ZIP files are emerging as tools in a sophisticated phishing campaign that successfully evades antivirus detection, as revealed by cybersecurity firm ANY.RUN. This innovative tactic, which has been in play since at least August 2024, involves the deliberate corruption of files to circumvent email security protocols while still allowing for the recovery of harmful content.
Corrupted Microsoft Office files used in new phishing tactic
ANY.RUN’s findings indicate that these corrupted documents are meticulously designed to bypass email filters and antivirus software, enabling phishing emails to reach their intended targets. Unlike traditional malware, these corrupted files escape scrutiny due to their altered state, which impedes standard scanning processes. The phishing campaign cleverly incorporates QR codes within the documents, directing unsuspecting users to counterfeit Microsoft account login pages, often disguised as legitimate communications regarding employee bonuses and benefits.
Analysis of sample documents by ANY.RUN revealed that attachments sent through this method frequently do not trigger any malicious alerts when evaluated with VirusTotal. Scammers have engineered these corrupt files to specifically evade content filters while retaining sufficient integrity for Microsoft Word to recover and display them. This manipulation of file integrity allows attackers to exploit the recovery functionalities of both Microsoft Word and WinRAR, ensuring that when users open these documents, the built-in recovery features render them readable, effectively masking their true malicious intent.
Investigations have categorized this tactic as a potential zero-day exploit, showcasing a sophisticated grasp of software mechanics by the threat actors involved. The ultimate aim is clear: to deceive users into opening these corrupted files, which then activate embedded QR codes that redirect them to fraudulent websites designed to harvest sensitive credentials or deliver malware.
Security experts emphasize the critical need for user awareness in the face of increasingly intricate phishing schemes. Organizations are urged to prioritize security awareness training, particularly for employees who handle communications related to bonuses or other sensitive topics. Such training empowers staff to identify phishing attempts disguised as legitimate correspondence, thereby mitigating the risk of falling prey to these deceptive tactics.
To counter these evolving threats, defenders are strengthening email filtering so that it flags signs of deliberate file corruption or suspicious content that would not otherwise trigger a conventional alert, rather than skipping a file simply because it fails to parse. In recent years, measures such as blocking macros in Microsoft Office documents have been adopted to reduce the risk from similar file-based attacks. The continued evolution of phishing tactics, including hiding malicious links inside QR codes, demands equally adaptive strategies from security teams and organizations.
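The filtering idea described above can be illustrated with an added example (written for this page, not code from ANY.RUN or from any product): a mail gateway should not treat "the archive parser failed" as "nothing to inspect". A .docx is a ZIP, and Word's recovery works because the per-entry local file headers survive even when the central directory at the end of the file is missing or damaged. The check below first tries a normal parse, then, on failure, walks the local headers itself to recover the entry names, and flags an attachment that is unparseable yet still carries Office parts (the combination the campaign relies on) for quarantine and manual review. The sample document, its truncation, and the `PK\x01\x02` search used to locate the central directory are all constructed for the example.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
# Local file header: signature + 10 fixed fields = 30 bytes (PKZIP APPNOTE 4.3.7)
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
# Part names that only appear inside Office Open XML containers
OOXML_MARKERS = (b"[Content_Types].xml", b"word/document.xml",
                 b"xl/workbook.xml", b"ppt/presentation.xml")


def walk_local_headers(data):
    """Recover entry names by walking local file headers from the start of
    the archive. This does not need the central directory, which is exactly
    the structure a truncated or deliberately damaged file tends to lack."""
    names = []
    pos = 0
    while pos + 30 <= len(data) and data[pos:pos + 4] == LOCAL_HEADER_SIG:
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc,
         comp_size, _uncomp_size, name_len, extra_len) = struct.unpack(
            LOCAL_HEADER_FMT, data[pos:pos + 30])
        names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        if flags & 0x8:
            # Data descriptor in use: sizes live after the data, so we cannot
            # jump to the next header reliably; stop rather than guess.
            break
        pos += 30 + name_len + extra_len + comp_size
    return names


def classify_attachment(data):
    """Return a verdict dict for a raw attachment body."""
    result = {"verdict": "", "entries": [], "ooxml": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["entries"] = zf.namelist()
            result["verdict"] = "valid-zip"
    except zipfile.BadZipFile:
        if data[:4] != LOCAL_HEADER_SIG:
            result["verdict"] = "not-zip"
            return result
        result["entries"] = walk_local_headers(data)
        result["verdict"] = ("corrupt-zip-recoverable" if result["entries"]
                             else "corrupt-zip")
    result["ooxml"] = any(m in data for m in OOXML_MARKERS)
    return result


def should_quarantine(result):
    """Policy: an archive the standard parser rejects but which still carries
    Office parts is the pattern described in the article; hold it for review."""
    return result["verdict"].startswith("corrupt-zip") and result["ooxml"]


def build_sample_docx():
    """Constructed stand-in for a minimal .docx, including an image part where
    an embedded QR code would normally live."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG constructed-placeholder")
    return buf.getvalue()


def corrupt_by_truncation(data):
    """Constructed corruption: drop the central directory and end-of-central-
    directory record, keeping only local headers and compressed data. The
    zipfile module then refuses the file, but the entries remain walkable."""
    return data[:data.find(CENTRAL_DIR_SIG)]


if __name__ == "__main__":
    clean = build_sample_docx()
    damaged = corrupt_by_truncation(clean)
    for label, blob in (("clean", clean), ("damaged", damaged), ("text", b"hello")):
        r = classify_attachment(blob)
        print(label, r["verdict"], r["entries"], "quarantine" if should_quarantine(r) else "pass")
```

Running the block prints `valid-zip` for the intact sample, `corrupt-zip-recoverable` with all three part names for the truncated copy (which `zipfile` alone reports as "not a zip file"), and `not-zip` for plain text; only the truncated Office container is marked for quarantine. In production the same recovered entry list would feed the next stage, for example extracting `word/media/*` images for QR decoding before delivery.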
The rising incidence of QR code phishing, commonly referred to as “quishing,” introduces an additional layer of complexity, as many users remain unaware of the potential risks associated with scanning codes. While cybersecurity solutions are increasingly equipped with advanced QR code detection capabilities, the sophistication of these threats means that vulnerabilities may still exist.
Featured image credit: Sasun Bughdaryan/Unsplash