Sigh… here we go again.
The scammers keep innovating, and so we keep having to say it: there’s another new phishing tactic on the rise, and this one’s a stinker.
This new phishing tactic has been getting past spam filters and tricking professionals worldwide, taking advantage of both human nature and advancing “good” tech to fool you and attack your business. Here’s what you need to know about how scammers are using corrupted file attachments to attack businesses like yours.
How It Starts: A Corrupted Word File (or Similar)
This new attack starts with a corrupted file, often a Microsoft Word document file (.docx). It looks like a real file, and it may even seem like it was sent by someone or some entity you trust.
Now, if you’ve been at this a while, you already know the old advice not to trust email attachments. But that advice was largely about executables, those .exe files that would not-so-subtly install new malicious software onto your system. These days you pretty much can’t get away with emailing a .exe attachment, even if it’s legit. That attack window is largely closed. We aren’t exactly primed to consider that even Word documents could be a threat.
But this new version is different: the attachment looks like a Word document because that’s more or less what it is. And the file itself may be harmless in the sense that it isn’t going to infect your machine with malware.
How the Scam Gets Through
Essentially, spam filters and email security filters scan the contents of incoming emails and quarantine the ones that seem most likely to be illegitimate.
The problem here is that those filters can’t read this file, because it’s corrupted. They try to read it and get back what is more or less gibberish, so they don’t know to block the file.
Still, so far we haven’t gotten to anything dangerous. A file your computer can’t read isn’t any threat…right?
Not quite, in fact.
How the File Turns Malicious
Microsoft Word has this helpful little feature where, if a document gets messed up while you’re working on it (maybe your PC crashes mid-sentence), Word can try to repair that file, restoring what you’d written and returning you to your normal workflow.
In this scam, the bad guys take advantage of this good and helpful feature in Word. They scramble the file so that spam filters can’t read or recognize it, but not so badly that Word can’t fix it.
So, when you try to open the email attachment, it won’t work at first. But Word will ask if you want to repair it, and if you say “yes,” you’ll more than likely have a fully functioning document open in front of you.
Now the bad guys can’t exactly write executable code inside a Word document (as far as we know!). But they can revert to their tried-and-true phishing techniques inside the document, because remember: the filter that should’ve picked up on those techniques couldn’t read the file.
So you’ll probably see a link or a QR code in the Word doc, usually with some kind of urgent instruction telling you to click or scan.
That’s when we re-enter familiar phishing waters. You’ll be redirected to some kind of login screen that’s trying to steal your credentials. Try to log in there, and now the bad guys can attempt to log in using that username and password, and your system could be compromised.
(By the way: many other apps have similar “repair file” capabilities, so watch for this scam to spread to other file types.)
How to Stay Safe
So how can you stay safe from this new threat? Try these tactics:
- Don’t trust email attachments or click links inside them. If something is really that urgent, it will still be there if you log into that service the normal way, not from the suspicious link.
- Be skeptical of urgent instructions from anyone, especially from businesses.
- Contact the sender via another means to make sure the message is really from who it seems to be.
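For whoever runs the mail filter, here is a check for the gap described above, as an added example that is not from the original post: a .docx attachment that fails a strict parse is quarantined instead of being passed along as unscannable. It relies only on .docx being a ZIP container; the function names, verdict labels and signature heuristic are hypothetical, and both the sample file and the damage applied to it are constructed test data, not the scammers' method.

```python
import io
import zipfile

LOCAL_HEADER = b"PK\x03\x04"           # signature that starts each ZIP entry
REQUIRED_PART = "[Content_Types].xml"  # part found in every valid .docx package

def classify_docx(data: bytes) -> str:
    """Classify bytes claiming to be .docx: ok / corrupt-recoverable / unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() re-reads every entry and returns None when all CRCs match.
            if zf.testzip() is None and REQUIRED_PART in zf.namelist():
                return "ok"
    except Exception:
        pass  # fail closed: any parser error means the file is not "ok"
    # Strict parsing failed, but ZIP entries are still visible in the bytes.
    # A repair feature may be able to rebuild this, so a filter must not
    # wave it through just because it could not be scanned.
    if LOCAL_HEADER in data:
        return "corrupt-recoverable"
    return "unreadable"

def verdict(filename: str, data: bytes) -> str:
    """Hypothetical gateway policy: only strictly parseable .docx is delivered."""
    if not filename.lower().endswith(".docx"):
        return "not-checked"  # other file types are out of scope for this sketch
    return "deliver" if classify_docx(data) == "ok" else "quarantine"

def build_sample() -> bytes:
    """Constructed minimal .docx-like package (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document>constructed sample</document>")
    return buf.getvalue()

if __name__ == "__main__":
    good = build_sample()
    damaged = good[:-22]  # constructed damage: drop the 22-byte end-of-archive record
    for name, blob in [("good.docx", good), ("damaged.docx", damaged)]:
        print(name, classify_docx(blob), verdict(name, blob))
```

The point of the policy is the default: a file the scanner cannot read is held for review, not treated as clean.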
That’s it for this week. Need help tightening up your email security? We’ve got you. Reach out anytime.