Identified by cybersecurity firm Any.Run, the campaign involves emails designed to mimic communications from payroll or human resources departments.

Cybersecurity researchers have uncovered a sophisticated phishing campaign that leverages Microsoft Word’s file recovery functionality to bypass email security systems. This newly observed tactic involves sending intentionally corrupted Word documents as email attachments. These attachments evade detection due to their damaged state, though they remain recoverable within the Word application.
The campaign, identified by cybersecurity firm Any.Run, uses emails crafted to appear as communications from payroll or human resources departments. These messages focus on enticing themes related to employee benefits and bonuses, with attachment names such as “Annual_Benefits_&Bonus_for[name]IyNURVhUTlVNUkFORE9NNDUjIw_.docx,” “Q4_Benefits_&Bonus_for[name]IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin,” and “Due_&Payment_for[name]IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin.”
Additionally, the attachment names all contain the base64-encoded string “IyNURVhUTlVNUkFORE9NNDUjIw,” which decodes to “##TEXTNUMRANDOM45##”.
When recipients attempt to open the corrupted files, Microsoft Word flags them as unreadable and prompts users to recover the content. Upon recovery, the document displays a message instructing the user to scan a QR code, allegedly to access the full document. The phishing emails also include branding and logos from organisations like the Daily Mail to increase credibility. Scanning the QR code redirects victims to a phishing site mimicking a Microsoft login page, aiming to harvest their credentials.
A novel evasion strategy
While the objective of stealing login credentials is not new, the use of corrupted Word files is a unique approach to evading detection by security systems. According to Any.Run, these files exploit a gap in many security tools’ ability to analyse corrupted file types. “Although these files operate successfully within the OS, they remain undetected by most security solutions due to the failure to apply proper procedures for their file types,” explained the cybersecurity firm.
Analysis of the campaign’s attachments showed that most were flagged as “clean” or “Item Not Found” on VirusTotal, with only a small number being detected by two antivirus vendors. This could be attributed to the absence of malicious code within the documents, which primarily display the QR code.
Experts warn users to exercise caution with unsolicited emails, especially those containing attachments. Emails from unknown senders should be deleted immediately or verified with a network administrator before opening any files.
Last month, another new evasion tactic involving a ZIP file exploit on Windows systems was identified. Cybersecurity provider Perception Point revealed that threat actors are increasingly using ZIP file concatenation to smuggle malware onto corporate networks. This technique takes advantage of the differing ways various ZIP readers and archive managers process concatenated ZIP files, allowing attackers to hide malicious payloads that evade detection by security solutions and mislead analysts relying on standard ZIP tools.
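As an added illustration of the detection gap behind both tactics (the corrupted .docx attachments described above and the concatenated ZIPs mentioned last), here is a small triage check; it is example code written for this page, not Any.Run's or Perception Point's tooling. It assumes the attachment name and raw bytes have already been extracted from the message, and it constructs its own minimal sample files rather than using real Word documents.

```python
import base64
import io
import zipfile

# Base64 fragment in every reported attachment name (decodes to "##TEXTNUMRANDOM45##").
MARKER_B64 = "IyNURVhUTlVNUkFORE9NNDUjIw"
LOCAL_SIG = b"PK\x03\x04"  # ZIP local file header
CDIR_SIG = b"PK\x01\x02"   # ZIP central directory entry
EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory record

def decode_marker(fragment: str) -> str:
    """Decode an unpadded base64 fragment such as the one in the filenames."""
    return base64.b64decode(fragment + "=" * (-len(fragment) % 4)).decode("ascii")

def attachment_indicators(name: str, data: bytes) -> list[str]:
    """Triage hints for the two container tricks the article describes.
    A .docx is a ZIP: Word's recovery can rebuild one whose central directory
    is gone, while a scanner that insists on a valid archive sees nothing to
    scan. Concatenated ZIPs carry more than one EOCD record. Signature counts
    are heuristics (compressed data can hold these bytes), so treat hits as
    reasons to detonate or quarantine, not as a verdict."""
    hits = []
    if name.lower().endswith(".docx.bin"):
        hits.append("double extension .docx.bin")
    if MARKER_B64 in name:
        hits.append("filename carries marker " + decode_marker(MARKER_B64))
    if data.startswith(LOCAL_SIG):
        eocd = data.count(EOCD_SIG)
        if eocd == 0:
            hits.append("ZIP local headers without central directory (corrupted OOXML)")
        elif eocd > 1:
            hits.append(f"{eocd} end-of-central-directory records (concatenated ZIP)")
        try:
            zipfile.ZipFile(io.BytesIO(data)).close()
        except zipfile.BadZipFile:
            hits.append("standard ZIP parser rejects the container")
    return hits

def build_docx_like(text: str) -> bytes:
    """Constructed minimal OOXML-style ZIP for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document>{text}</w:document>")
    return buf.getvalue()

def truncate_central_directory(data: bytes) -> bytes:
    """Simulate the damaged attachment: cut the file at its central directory."""
    return data[: data.index(CDIR_SIG)]
```

A mail gateway would call attachment_indicators on each part and route anything with hits to sandbox detonation or manual review, since the damaged files carry no code for static scanners to match.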