A recent phishing campaign abuses Microsoft Word's file recovery feature. The attackers send deliberately corrupted Word documents as email attachments: because most security tools cannot parse the damaged files, the attachments pass through conventional filters, yet Word itself can still repair and open them.
New Phishing Tactics
The malware analysis firm Any.Run identified the scheme, in which the emails masquerade as communications from payroll and human resources departments. The attachments are designed to look legitimate, with themes centred on employee benefits and bonuses. Examples of the observed filenames include:
- AnnualBenefits&Bonusfor[name]IyNURVhUTlVNUkFORE9NNDUjIw.docx
- AnnualQ4Benefits&Bonusfor[name]IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin
- Benefits&Bonusfor[name]IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin
- Due&Paymentfor[name]IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin
- Q4Benefits&Bonusfor[name]IyNURVhUTlVNUkFORE9NNDUjIw.docx.bin
Each filename carries the same base64 string, IyNURVhUTlVNUkFORE9NNDUjIw, which decodes to “##TEXTNUMRANDOM45##.” Because the string is identical across the samples, it is a convenient value to search for in attachment names. When a recipient opens one of these attachments, Word detects the corruption and reports that it has “found unreadable content,” offering to recover the file; Word's own repair routine then reconstructs enough of the document to render it.
Upon recovery, the document instructs the user to scan a QR code to access further information. Notably, these documents are often branded with the logos of the targeted companies, enhancing their deceptive credibility. For instance, one campaign specifically targeted employees of the Daily Mail.
Scanning the QR code takes the user to a phishing site that mimics a Microsoft login page and harvests the credentials entered there. The goal, credential theft through a fake Microsoft sign-in, is familiar; what is new is the delivery: a corrupted document that security tooling cannot inspect but Word can repair. Routing the victim through a QR code also moves the final step onto a personal phone, which typically sits outside the corporate web filtering that would otherwise block the phishing domain.
According to Any.Run, the documents succeed because Word opens them normally while most security solutions cannot parse them and therefore raise no alert. When the firm uploaded the files to VirusTotal, the majority of engines returned “clean” or “Item Not Found”: the scanners could not analyse the corrupted archives, and an unparseable file was reported as a non-detection rather than as an anomaly.
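The two observations above, the static base64 marker in the filenames and the corrupted archive that scanners give up on, translate directly into a triage check. The script below is an added example written for this page; it is not Any.Run's tooling or anything from the original report. It assumes attachments are available as raw bytes, builds a minimal .docx in memory as a constructed sample, and models the corruption as a truncated zip archive (the page does not say exactly how the campaign's files were damaged, so truncation is an assumption). The key design point is that a .docx that will not parse is flagged as suspicious rather than being passed through as clean.

```python
import base64
import io
import re
import zipfile

# Runs of standard base64 alphabet long enough to hold a marker like the one in the samples.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}")
# Shape of the decoded marker seen in the campaign: ##TEXTNUMRANDOM45##
MARKER = re.compile(r"##[A-Z0-9]+##")


def filename_marker(name):
    """Return the ##...## marker hidden as unpadded base64 in an attachment name, or None.

    The marker may sit directly after a recipient name with no separator, so each
    base64-looking run is tried at all four group alignments.
    """
    for run in B64_RUN.findall(name):
        for start in range(4):
            chunk = run[start:]
            if len(chunk) % 4 == 1:      # impossible base64 length; drop the stray tail char
                chunk = chunk[:-1]
            if len(chunk) < 4:
                continue
            raw = base64.b64decode(chunk + "=" * (-len(chunk) % 4))
            hit = MARKER.search(raw.decode("utf-8", errors="replace"))
            if hit:
                return hit.group(0)
    return None


def docx_state(data):
    """'ok' if the bytes parse as an OOXML package, 'corrupted' if they start like one
    but cannot be read, 'not-docx' otherwise."""
    if not data.startswith(b"PK\x03\x04"):
        return "not-docx"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None or "word/document.xml" not in zf.namelist():
                return "corrupted"
            return "ok"
    except zipfile.BadZipFile:
        return "corrupted"


def triage(name, data):
    """Verdict for one attachment. A .docx that will not parse is flagged, not passed as clean."""
    reasons = []
    marker = filename_marker(name)
    if marker:
        reasons.append("filename carries base64 marker " + marker)
    if docx_state(data) == "corrupted":
        reasons.append("docx cannot be parsed (Word would offer to recover it)")
    return ("suspicious" if reasons else "clean", reasons)


def build_docx(body_xml):
    """Constructed sample: a minimal valid .docx (an OPC zip) built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document>" + body_xml + "</w:document>")
    return buf.getvalue()


def corrupt(data, keep=0.6):
    """Assumed damage model: truncate the archive so the central directory is lost.
    Zip parsers reject the result, which is the state most scanners reported as clean."""
    return data[: int(len(data) * keep)]


if __name__ == "__main__":
    good = build_docx("<w:p>Scan the QR code</w:p>")
    for name, data in [
        ("AnnualBenefits&Bonusfor[name]IyNURVhUTlVNUkFORE9NNDUjIw.docx", corrupt(good)),
        ("Q4_report.docx", good),
    ]:
        print(name, triage(name, data))
```

The filename check deliberately searches for the decoded `##...##` shape rather than the one literal string, so a renamed marker in a later wave would still be caught; the archive check deliberately returns a verdict for files it cannot open, which is the opposite of what the VirusTotal results described above did.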
The documents contain no malicious code; they merely display a QR code. Even so, the attachments have proven effective. Because there is no payload to match, content signatures have little to work with, and the practical defensive checks are on the delivery: treat a Word attachment that cannot be parsed as suspicious rather than clean, and handle a QR code embedded in an attachment as the link it is. The general principles still apply: users should be cautious with emails from unknown senders, particularly those carrying attachments, and should confirm their legitimacy with their IT or security team before acting on them.