Welcome to our Cyber Security News Aggregator. Cyber Tzar provide a cyber security risk management platform, including automated penetration tests and risk assessments culminating in a "cyber risk score" out of 1,000, just like a credit score.

Oh my Word: Phishing campaign targets Microsoft Word

published on 2024-12-19 10:53:19 UTC by philviles
Content:

A new phishing campaign has been discovered and warnings have been issued due to its use of corrupted Microsoft Word documents to bypass email security software.



This approach exploits Word's file recovery feature, allowing the malicious files to evade detection while remaining accessible to the targeted victims.


The phishing attack begins with emails purporting to be from payroll or human resources departments. These emails include attachments with enticing filenames, suggesting sensitive content related to employee bonuses or benefits.


Examples of filenames used in the campaign include:


• Annual_Benefits_&Bonus_for[name]IyNURVhUTlVNUkFORE9NNDUjIw_.docx

• Q4_Benefits_&Bonus_for[name]IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin

• Due Payment for[name]IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin


If you come across anything that resembles the above, take extra caution as each file contains malicious code. When the victim attempts to open the attachment, Microsoft Word detects the file as corrupted and prompts the recipient to recover its content.


Once recovered, the corrupted Word document displays a convincing message, complete with the branding of the targeted organisation. It instructs the recipient to scan a QR code to retrieve additional information. Scanning the QR code directs the user to a credential harvester designed to mimic Microsoft's login page.


This phishing campaign's success lies in its ability to evade detection by most security tools. Because the attachments are corrupted, these tools have been observed failing to apply proper procedures or analysis to the file type, which makes the campaign particularly challenging to detect and stop.
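A triage check for the detection gap described above, as an added example (not code from the original article or from any security product): it flags attachments whose name claims `.docx` but whose bytes fail strict ZIP parsing while still carrying OOXML markers, and also flags the `.docx.bin` style of naming listed earlier. The function names and sample bytes are constructed, and the idea that the damage breaks ZIP parsing is an assumption, since the article does not say how the files are corrupted.

```python
import io
import zipfile

# OOXML part names appear uncompressed in ZIP local headers, so they
# survive most container damage.
OOXML_MARKERS = (b"[Content_Types].xml", b"word/document.xml")


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return reasons to quarantine; an empty list means nothing flagged."""
    reasons = []
    name = filename.lower()
    if ".docx" not in name:
        return reasons
    if not name.endswith(".docx"):
        reasons.append("docx name with extra trailing extension")
    looks_ooxml = data.startswith(b"PK\x03\x04") or any(m in data for m in OOXML_MARKERS)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                reasons.append("OOXML member fails CRC check")
            elif "word/document.xml" not in zf.namelist():
                reasons.append("ZIP container without word/document.xml")
    except Exception:  # any parser failure is treated as container damage
        reasons.append("damaged OOXML container" if looks_ooxml
                       else "not a ZIP container despite docx name")
    return reasons


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML-like ZIP (not a real campaign file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def damage(data: bytes) -> bytes:
    """Assumed form of damage: cut off the ZIP end-of-central-directory."""
    return data[:-30]


if __name__ == "__main__":
    good = build_sample_docx()
    print(triage_attachment("handbook.docx", good))
    print(triage_attachment("Q4_Benefits_example.docx.bin", damage(good)))
```

A non-empty result is a reason to quarantine the message for manual review rather than deliver an attachment the scanner could not parse.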



While the methodology may be new, the general rules for protecting yourself against phishing attacks still apply:


  • Verify the sender: be cautious of emails from unknown senders, especially those claiming to contain sensitive information.

  • Scrutinise attachments: avoid opening unexpected email attachments, even if they appear to come from a trusted source.

  • Check before you click: do not scan QR codes or click links without verifying their authenticity.


This phishing campaign presents an interesting evolution in threat actor tactics. The exploitation of Microsoft Word’s file recovery feature to bypass conventional email security systems demonstrates the increasing creativity of threat actors and their ability to exploit trust in widely used software applications.

 

This tactic highlights a gap in common security tools. Traditional signature-based solutions are insufficient against these types of zero-payload attacks, emphasising the need for behavioural analysis tools and user education.


Furthermore, this attack underscores the persistent vulnerability of end-users to social engineering. By mimicking payroll and HR-related communications - common and sensitive subjects - threat actors increase the likelihood of success, especially in sectors where employees may feel compelled to act quickly without verifying the authenticity of such emails.


As ever, caution should be taken for any email containing attachments that appear corrupted or prompt recovery processes. Users should refrain from scanning QR codes or entering credentials unless the authenticity of the request can be verified independently.



Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



Article: Oh my Word: Phishing campaign targets Microsoft Word - published 18 days ago.

https://www.emcrc.co.uk/post/oh-my-word-phishing-campaign-targets-microsoft-word   
Published: 2024 12 19 10:53:19
Received: 2024 12 19 11:01:42
Feed: The Cyber Resilience Centre for the East Midlands
Source: National Cyber Resilience Centre Group
Category: News
Topic: Cyber Security