Unnamed threat actors have been observed using a new attack vector that leverages intentionally corrupted Word documents to evade anti-phishing security controls.
The technique helps malicious attachments remain undetected by most security solutions due to their inability to detect phishing URLs and other mechanisms in corrupted documents.
When opened, the malicious attachments, which are usually named to look like important payroll or HR documents, tell the user that unreadable content has been detected and ask whether they wish to recover it. The document then displays the logo of the target's organization and instructs the user to scan a QR code shown in the document.
The QR code leads to a fake Microsoft login site that asks for the user’s credentials, which are presumably sent to the threat actor if submitted by the user.
Source: Bleeping Computer
Analysis
QR code phishing is certainly nothing new. Field Effect observes such phishing attempts in our telemetry regularly. It’s effective for two reasons:
- The image doesn’t contain a URL, so anti-phishing security controls attempting to screen known phishing URLs won’t detect one.
- When the user scans the QR code with their phone, the attack then moves from the user’s computer to their phone, where anti-phishing controls may not be installed.
While we see QR phishing regularly, the use of corrupted Word files as the vehicle for those QR codes is an attack vector we have not yet witnessed. It is yet another example of how threat actors evolve their tactics to increase their chances of success.
Fortunately, phishing is a well-known attack vector and can be mitigated by combining administrative security controls, such as phishing awareness training, with technical security controls, such as automatic attachment scanning and URL stripping.
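As an added example (not from the original post and not Field Effect's own tooling), the Python below shows one scanning heuristic the analysis above points to: an attachment that claims to be a Word document but cannot be parsed as an OOXML ZIP container is treated as suspicious rather than skipped, and its raw ZIP local file headers are walked to see whether it still carries an embedded image that a recovery prompt could surface. The sample document, and the way it is damaged (dropping the end-of-central-directory record), are constructed here for illustration; real samples may be corrupted differently.

```python
import io
import re
import zipfile

# A ZIP local file header is 30 fixed bytes (signature + 26) followed by the name.
LOCAL_HEADER = re.compile(rb"PK\x03\x04.{26}", re.DOTALL)


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal OOXML container with one embedded image part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
    return buf.getvalue()


def drop_end_of_central_directory(data: bytes) -> bytes:
    """Constructed corruption: remove the EOCD record so strict ZIP parsers reject the file."""
    eocd = data.rfind(b"PK\x05\x06")
    return data[:eocd] if eocd != -1 else data


def parses_as_ooxml(data: bytes) -> bool:
    """True only if the bytes open as a ZIP that contains the OOXML content-types part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "[Content_Types].xml" in z.namelist()
    except zipfile.BadZipFile:
        return False


def salvage_entry_names(data: bytes) -> list[str]:
    """Walk raw local file headers, ignoring the (possibly missing) central directory."""
    names = []
    for m in LOCAL_HEADER.finditer(data):
        name_len = int.from_bytes(data[m.start() + 26:m.start() + 28], "little")
        names.append(data[m.end():m.end() + name_len].decode("utf-8", "replace"))
    return names


def triage_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict: an unparseable Word attachment must never pass as 'clean' by default."""
    if not filename.lower().endswith(".docx"):
        return "ok"
    if parses_as_ooxml(data):
        return "ok"  # well-formed: hand off to normal content and URL scanning
    if any(n.startswith("word/media/") for n in salvage_entry_names(data)):
        return "suspicious: corrupt docx still carrying embedded media"
    return "suspicious: corrupt docx"
```

A gateway that applies this rule quarantines or flags the attachment for review instead of delivering it because its scanner could not read it.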
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats to users that arrive via email. Field Effect MDR users are automatically notified when malicious documents are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.