Phishers have come up with a new trick for bypassing email security systems: corrupted MS Office documents.
The spam campaign
Malware hunting service Any.Run has warned last week about email campaigns luring users with promises of payments, benefits and end-of-the-year bonuses.
Recipients are instructed to dowload the attached document – an archive file (ZIP) or an MS Office file (e.g., DOCX) – and open it, but the file is corrupted.
The recipients are then prompted by the application to allow it to recover the contents of the document.
The prompt for allowing document recovery (Source: Any.Run)
Once the recovery process ends and the document is opened, the recipients are instructed to scan a QR code contained in it to access the “secure document”.
But this is just a trick to lead potential victims to a spoofed Microsoft login page created to harvest the login credentials unwitting users enter in it.
Using corrupted documents to stymie email security and antivirus solutions
“Attackers exploit the recovery mechanisms of ‘damaged’ files in a way that corresponding programs like Microsoft Word, Outlook or WinRAR, which have built-in recovery procedures, handle such files without issues,” Any.Run says.
The “corrupted document” trick is aimed at fooling email security solutions.
The corrupted files have also initially not been detected as malicious or were flagged by just a few of the antivirus solutions leveraged by the VirusTotal service. “All antivirus solutions returned ‘clean’ or ‘Item Not Found’ as they couldn’t analyze the file properly,” the company added.
Any.Run says that the attack has been active since August 2024 and is ongoing. “[It] evades antivirus software, prevents uploads to sandboxes, and bypasses Outlook’s spam filters, allowing the malicious emails to reach your inbox.”