New Phishing Attack: Damaged Word Files Evade Security

Web Security

A newly discovered phishing technique exploits Microsoft Word's built-in file repair feature: attackers send deliberately corrupted Word documents as email attachments. Because the files are damaged, security software cannot parse them and lets them through, yet Word can still repair and open them for the user.

Cybercriminals are continuously developing new methods to bypass email security software, ensuring that phishing emails reach their intended targets.

An overseas cybersecurity company has revealed this wave of new attacks, finding that the attackers use deliberately damaged Word documents as attachments to emails that impersonate HR or payroll departments.

These malicious attachments are sent under various file names, all themed around employee benefits and bonuses, such as:

  • Annual_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw_.docx
  • Annual_Q4_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin
  • Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin
  • Due_&_Payment_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin
  • Q4_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin

These attack documents contain the Base64-encoded string “IyNURVhUTlVNUkFORE9NNDUjIw”, which decodes to “##TEXTNUMRANDOM45##”. When a user opens the attachment, Word reports that the file contains “unreadable content” and asks whether to repair the damaged file.

The phishing documents are specially crafted to appear damaged while remaining easy for Word to repair. Once repaired, they display a page asking the user to scan a QR code to access the content, and the document carries the target company’s logo to add credibility. Users who scan the QR code are directed to a fake Microsoft login page that steals their credentials.

While credential-stealing phishing is not new, using damaged Word documents to evade security detection is an innovative approach. The files still open normally on the target's system (via Word's repair), but security solutions cannot parse their content and therefore fail to detect them. When these files are uploaded to VirusTotal, all antivirus engines return “clean” or “no items found”, because they cannot correctly analyze the file content. This makes the attack method quite effective in achieving its goals.

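The two signals described above (a Base64 marker in the attachment name, and a .docx whose ZIP container is deliberately damaged) are both cheap to check at a mail gateway or in a triage script. The following is an added example for defenders, not code from the original article or from the company that reported the campaign; it shows that a damaged document should be classified as "unparseable", which is itself suspicious, rather than "clean". The marker string comes from the article; the minimal sample documents, the truncation used to damage one of them, and the REQUIRED_PARTS list are constructed for the example.

```python
import base64
import io
import re
import zipfile

# Base64 marker reported in the campaign's file names (from the article);
# it decodes to "##TEXTNUMRANDOM45##".
KNOWN_MARKER = "IyNURVhUTlVNUkFORE9NNDUjIw"

# Assumption for this example: the parts a structurally complete Word
# document archive must carry before we call it "valid".
REQUIRED_PARTS = ("[Content_Types].xml", "word/document.xml")

# Runs of Base64-alphabet characters long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}")


def classify_docx(data: bytes) -> str:
    """Return 'valid', 'corrupt-archive' or 'missing-parts' for a .docx blob.

    A .docx is a ZIP container. A deliberately damaged one usually lacks a
    readable central directory or fails the CRC test; either outcome means a
    scanner could not have inspected the content, so it must not be reported
    as clean.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "corrupt-archive"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:  # first member with a bad CRC, if any
                return "corrupt-archive"
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "corrupt-archive"
    if not all(part in names for part in REQUIRED_PARTS):
        return "missing-parts"
    return "valid"


def decode_filename_markers(filename: str) -> list[str]:
    """Decode Base64-looking tokens embedded in an attachment name.

    Only tokens that decode to printable ASCII are returned, so ordinary
    long words that happen to use the Base64 alphabet are ignored.
    """
    found = []
    for token in B64_TOKEN.findall(filename):
        padded = token + "=" * (-len(token) % 4)  # restore stripped padding
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text.isprintable():
            found.append(text)
    return found


def assess_attachment(filename: str, data: bytes) -> dict:
    """Combine the structural check and the file-name check into one verdict."""
    markers = decode_filename_markers(filename)
    status = classify_docx(data)
    suspicious = (
        status != "valid"
        or KNOWN_MARKER in filename
        or any(m.startswith("##") and m.endswith("##") for m in markers)
    )
    return {"archive": status, "markers": markers, "suspicious": suspicious}


def build_minimal_docx() -> bytes:
    """Constructed sample: a minimal but structurally valid .docx archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def damage(data: bytes) -> bytes:
    """Constructed sample: drop the tail of the archive (and with it the
    end-of-central-directory record), leaving a file Word offers to repair."""
    return data[: len(data) // 2]


if __name__ == "__main__":
    good = build_minimal_docx()
    lure_name = "Q4_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin"
    print(assess_attachment("report.docx", good))
    print(assess_attachment(lure_name, damage(good)))
```

The structural check is deliberately conservative: a document that cannot be opened as a ZIP is reported as `corrupt-archive` and flagged, which inverts the failure mode the article describes, where an unparseable file is waved through as clean. The file-name check is a secondary signal; the marker is specific to this campaign and will not be present in future variants, whereas "a .docx that is not a valid archive" generalizes.
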
To defend against such phishing attacks, follow basic cybersecurity practices. If you receive an email from an unknown sender, especially one carrying an attachment, delete it immediately or confirm with your IT department before opening it.

Contact us via live chat or email sales@dataplugs.com to learn more about our DDoS Protection Service Plans.
