Corrupted Word Documents Phishing Attacks Avoid Security Checks

Stephanie Adlam
Scammers Use Corrupted Word Documents In Phishing Attacks
Fraudulent actors found a way to circumvent anti-spam and anti-malware protection

Hackers have found a new way to bypass email security filters and anti-malware software: corrupted MS Word documents. As usual, they are attached to email messages with enticing text and lead people to phishing sites that aim to steal Microsoft account credentials. The trick could likely be extended to other malware-spreading tactics that involve MS Office files.

Phishing with Corrupted Microsoft Word Documents

The most recent campaign, discovered by Any.Run researchers, uses a rather unusual tactic. Hackers corrupt the Word file in a specific manner and attach it to a classic phishing email. This allows the message to bypass spam filters and reach the recipient.


Most of the time, the phishing message pretends to come from the user’s employer and talks about salary bonuses the user is eligible for due to changes in the company’s policy. The attachment promises to tell more, but when the user tries to open it, they see a message that the file is broken, along with an immediate offer to recover it.

Example of a recovered Word document

And that is where the main show begins. Attackers corrupt the Word documents only slightly, so MS Office is able to recover them and show the contents. At the same time, antivirus programs can’t handle the broken file properly and get stuck in the scanning process.
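A mail gateway can fail closed on this pattern: an attachment named .docx that does not parse as a valid ZIP container, yet still carries OOXML markers, is quarantined instead of being passed along as unscannable. This is an added example, not code from the article or from Any.Run; the function names, verdict labels and the truncated sample are assumptions, and the campaign's actual corruption method is not described on the page.

```python
import io
import zipfile
import zlib

LOCAL_HEADER = b"PK\x03\x04"  # ZIP local file header signature
REQUIRED = {"[Content_Types].xml", "word/document.xml"}  # parts of every .docx


def triage_docx(data: bytes) -> str:
    """Classify the bytes of an attachment that claims to be a .docx.

    Returns 'ok', 'corrupt-ooxml' (quarantine) or 'not-ooxml'.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            damaged = zf.testzip() is not None  # CRC check of every member
    except (zipfile.BadZipFile, zlib.error, EOFError):
        names, damaged = set(), True
    if not damaged:
        return "ok" if REQUIRED <= names else "not-ooxml"
    # Strict parsing failed. If the raw bytes still look like a Word
    # container, a lenient reader may repair it, so do not wave it through.
    looks_ooxml = LOCAL_HEADER in data and any(n.encode() in data for n in REQUIRED)
    return "corrupt-ooxml" if looks_ooxml else "not-ooxml"


def make_sample_docx() -> bytes:
    """Constructed minimal container for the demo, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    good = make_sample_docx()
    # Constructed damage for the demo only: drop the tail of the archive.
    broken = good[:-30]
    for label, blob in (("intact", good), ("damaged", broken), ("text", b"plain text body")):
        print(label, "->", triage_docx(blob))
```
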

The file itself contains some generic information about the person being eligible for a payroll bonus; to receive it, they should scan the QR code below the text. As the code is not interactive, the user predictably pulls out their smartphone and scans the QR code with the camera app. This opens a phishing page pretending to be a Microsoft login.

Mobile version of a phishing website. Pay attention to the URL.

QR codes appear to be a new trend in malware spreading and phishing attack techniques. We’ve made a comprehensive analysis of threats related to QR codes – go check it out.

The QR code move is really smart: on a computer, anti-malware software would be able to block the phishing page should the user try opening it, but mobile phones do not have such security solutions, with obvious consequences. The only thing that gives away the suspicious origin is the URL: it is, as expected, something totally unrelated to Microsoft.


Certain cases of the attack rely both on the QR code and on a link that opens in the browser the moment the “recovered” Word document appears on screen. The resulting page is the same, though: a phishing login page targeting Microsoft accounts.

Hackers also seem to embed personalized links for each user, most likely to make the login page look more legitimate. The user’s email address is embedded into the link before the message is sent, so the phishing site shows the address in the login window.

How to Protect Against It?

As the hackers managed to find a loophole in the security mechanisms, relying on them is not an option in this case. That is why one should stay vigilant when dealing with email messages, especially when they feature broken or otherwise fishy files. We have a separate post about recognizing phishing threats that has everything you need to know.

Always pay attention to the URL of any page where you type your credentials. A page may look like the real site, even sound like the real one, yet be just a well-made copy with malicious intentions. Nonetheless, the website address will never be the same as on the original site, so a quick check here may prevent a lot of problems.

Not sure whether the site is legit and trustworthy? Consider scanning it with our free Website Reputation Checker! It will return a comprehensive analysis of the page with a clear verdict in less than a minute.