It doesn’t matter that you have a powerful antivirus installed, or that you use a sandbox before running dangerous files. Cybercriminals are finding new ways to breach defenses. A new phishing technique bypasses these protections, using corrupted Word documents.
The security firm any.run has discovered a phishing attack that evades antivirus and cannot be run in a sandbox, using corrupt Word documents that supposedly contain payroll bonuses, extra pay, and other hooks.
The attack targets employees of specific companies: the Word documents carry the company’s logo, and even real photos of employees, to appear more genuine. Let’s see how this scam works.
The new phishing attack with corrupt Word documents
As any.run has been able to verify, these documents were sent to company employees from a fake email address that impersonated the administration or payroll department of the company.
The Microsoft Word files are detected as clean by antivirus, and produce an error when opened in a sandbox because they are corrupt.
However, even though they contain errors, Microsoft Word can open them. A message then appears stating that the attached document has been corrupted, and shows a QR code to download it again.
A Word file cannot contain viruses, but a QR code can lead to a website that does, as happens in this case. The QR code points to a website that imitates the payroll department and asks the user to log in with their company account.
By doing so, cybercriminals steal the account username and password, gaining access to the company.
The remarkable thing about this new phishing technique is how it bypasses security. The Word document has been corrupted on purpose, in such a way that antivirus identifies it as a corrupt compressed file. When the antivirus tries to decompress it, it cannot do so, so it classifies it as a useless file and, therefore, harmless.
However, the corruption is only partial, generated in such a way that Microsoft Word can partially read the file, enough to display the message and the QR code.
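One way a mail gateway or triage script could treat such a file as suspicious rather than harmless, shown as an added example that is not any.run's or any vendor's code: when strict ZIP parsing fails, it still checks the raw bytes for the markers of a Word document. The function names, verdict labels and the constructed sample (damaged here by cutting off the last 22 bytes) are assumptions; the page does not say how the real documents were corrupted.

```python
import io
import zipfile
import zlib

LOCAL_HEADER = b"PK\x03\x04"  # ZIP local file header signature
OOXML_NAMES = (b"[Content_Types].xml", b"word/document.xml")


def looks_like_ooxml(data: bytes) -> bool:
    """Raw-byte check that survives a broken archive: member names are
    stored uncompressed in ZIP headers, so they remain searchable."""
    return data.startswith(LOCAL_HEADER) and all(n in data for n in OOXML_NAMES)


def triage_attachment(data: bytes) -> str:
    """Return 'valid', 'suspicious-corrupt' or 'not-ooxml' (hypothetical labels)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            intact = zf.testzip() is None  # None means every CRC matched
            is_word = "word/document.xml" in zf.namelist()
    except (zipfile.BadZipFile, zlib.error, EOFError):
        # A scanner that stops here and calls the file harmless is the gap
        # described above; keep looking at the raw bytes instead.
        intact, is_word = False, looks_like_ooxml(data)
    if not is_word:
        return "not-ooxml"
    return "valid" if intact else "suspicious-corrupt"


def build_sample_docx() -> bytes:
    """Constructed minimal archive with two member names a .docx normally has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>constructed</w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_docx()
    damaged = good[:-22]  # assumption: drop the end-of-central-directory record
    for label, blob in (("good", good), ("damaged", damaged), ("text", b"hello")):
        print(label, "->", triage_attachment(blob))
```

A "suspicious-corrupt" verdict is a reason to quarantine the attachment or route it for manual review, not proof of phishing, since files also get damaged in transit.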
Protection against this type of phishing is always the same: do not download files from any link or QR code that arrives by email until its origin is verified.
Using corrupt Word documents to bypass antivirus, without completely damaging the file, is a very clever technique that requires great skill to carry out.