

December 2, 2024
Severity
High
Analysis Summary
A new phishing campaign abuses Microsoft Word's file recovery feature by sending deliberately corrupted Word documents as email attachments. Because the files are damaged, email security tools fail to parse them, yet Word can still recover and display them.
Threat actors constantly look for new ways to slip phishing emails past email protection software and into their targets' inboxes. Researchers identified a campaign that attaches intentionally corrupted Word documents to emails posing as human resources and payroll departments.

The lures cover a range of topics, most of them centred on employee bonuses and benefits. Every document in this campaign contains the base64-encoded string "IyNURVhUTlVNUkFORE9NNDUjIw", which decodes to "##TEXTNUMRANDOM45##". When the attachment is opened, Word detects the damage and asks whether to recover the "unreadable content" in the file. The documents recover cleanly and display a page instructing the target to scan a QR code to retrieve the document. They are also branded with the logo of the targeted company; one sample, for example, was aimed at Daily Mail.

Scanning the QR code leads to a phishing site that impersonates a Microsoft account login page and harvests the victim's credentials. The end goal is not new, but using corrupted Word documents is a fresh evasion technique: the files still open correctly in Word, which repairs them on the fly, yet most security solutions fail to analyse them because the damaged container never passes the parsing steps their file-type handlers expect.
When uploaded to VirusTotal, the attachments were reported as "clean" or "Item Not Found" by nearly all antivirus engines, which could not parse the file. In that respect the attachments have achieved their purpose: of the samples researchers shared from this campaign, only a few were detected by two vendors and almost all had zero detections. Note, however, that the documents contain no malicious code, only a QR code, which may itself explain the lack of detections.
Standard guidance still protects users against this attempt: delete emails from unknown senders, or confirm with a network administrator before opening them, especially when they carry attachments.
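The detection gap described above (a scanner that gives up when the ZIP container fails to parse) can be closed by treating "looks like an OOXML package but does not parse as a ZIP" as a signal in its own right. The Python script below is an added example written for this advisory, not code from the researchers or from Microsoft. It builds a minimal .docx in memory, damages it by dropping the ZIP end-of-central-directory record (an assumed corruption method; the advisory does not say which bytes the campaign alters), and classifies both the intact and the damaged copy, also checking for the campaign's base64 marker.

```python
"""Flag OOXML (.docx) attachments that are corrupted at the ZIP level.

Constructed example: builds a minimal .docx in memory, damages it, and shows
how a scanner that only trusts a clean ZIP parse misses it, while a scanner
that also looks for OOXML fragments and the campaign marker does not.
"""
import base64
import io
import zipfile

# Base64 marker reported for this campaign and its decoded form.
MARKER_B64 = "IyNURVhUTlVNUkFORE9NNDUjIw"
MARKER_PLAIN = base64.b64decode(MARKER_B64 + "==").decode("ascii")

# Byte strings that appear in any Word OOXML package, even a damaged one
# (ZIP stores member names uncompressed in the local file headers).
OOXML_HINTS = (b"[Content_Types].xml", b"word/document.xml", b"word/_rels/")
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"

# Minimal package parts for the constructed sample (assumed, not Word-generated).
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>'
)


def build_docx(body_text: str) -> bytes:
    """Build a minimal, structurally valid .docx package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", DOCUMENT_XML.format(text=body_text))
    return buf.getvalue()


def corrupt_docx(docx: bytes, tail: bytes = MARKER_B64.encode()) -> bytes:
    """Damage the package by dropping the end-of-central-directory record.

    Assumed corruption method, not necessarily the campaign's: Word's recovery
    can rebuild the archive from the local file headers, while strict ZIP
    parsers reject the file outright because the central directory is gone.
    """
    eocd = docx.rfind(ZIP_EOCD)
    return docx[:eocd] + tail


def zip_is_intact(data: bytes) -> bool:
    """True if the bytes parse as a ZIP whose members all decompress."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except Exception:  # BadZipFile, zlib.error, EOFError all mean "not intact"
        return False


def assess_attachment(data: bytes) -> dict:
    """Classify an attachment the way a parse-tolerant scanner should.

    A strict scanner stops at zip_is_intact() == False and reports nothing;
    here a non-parsing blob that still carries OOXML fragments is suspicious,
    and one that also carries the campaign marker is a high-confidence hit.
    """
    looks_ooxml = data.startswith(ZIP_LOCAL_HEADER) or any(h in data for h in OOXML_HINTS)
    intact = zip_is_intact(data)
    has_marker = MARKER_B64.encode() in data or MARKER_PLAIN.encode() in data
    if looks_ooxml and not intact:
        verdict = "campaign-marker" if has_marker else "corrupted-ooxml"
    else:
        verdict = "clean"
    return {"looks_ooxml": looks_ooxml, "zip_intact": intact,
            "has_marker": has_marker, "verdict": verdict}


if __name__ == "__main__":
    good = build_docx("Q4 bonus statement")  # constructed lure text
    bad = corrupt_docx(good)
    for name, blob in (("intact", good), ("corrupted", bad)):
        print(name, assess_attachment(blob))
```

The same classification can be applied at a mail gateway to every attachment a strict parser rejects: a "campaign-marker" verdict can be blocked outright, while a bare "corrupted-ooxml" verdict should be routed to a sandbox that opens the file in Word and records what the recovered document renders, since the QR-code lure itself carries no executable payload for static engines to match.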
Impact
- Security Bypass
- Credential Theft
Indicators of Compromise
MD5
- 1d334faf2c8988c418e86eef56880a34
SHA-256
- bd15a28702d654446ab118d30687074979280444b64f6dbaa6345e5f92c78938
SHA1
- 67191d49867dcbceedd97b56a1c0f2687df99fef
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly, and make timely patching a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.