Novel phishing campaign uses manipulated Word documents to bypass security


A novel phishing attack abuses Microsoft’s Word file recovery feature by sending corrupted Word documents as email attachments, allowing them to bypass security software due to their damaged state but still be recoverable by the application.

Threat actors constantly look for new ways to bypass email security software and land their phishing emails in targets’ inboxes.

A new phishing campaign discovered by malware hunting firm Any.Run utilizes intentionally corrupted Word documents as attachments in emails that pretend to be from payroll and human resources departments.

Phishing email
Source: BleepingComputer

These attachments use a wide range of themes, all revolving around employee benefits and bonuses, including:

Annual_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx
Annual_Q4_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin
Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin
Due_&_Payment_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin
Q4_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin

The documents in this campaign all include the base64 encoded string “IyNURVhUTlVNUkFORE9NNDUjIw,” which decodes to “##TEXTNUMRANDOM45##”.

When opening the attachments, Word will detect that the file is corrupted and state that it “found unreadable content” in the file, asking if you wish to recover it.

Corrupted Word document sent in phishing emails
Source: BleepingComputer

These phishing documents are corrupted in such a way that they are easily recoverable, displaying a document that tells the target to scan a QR code to retrieve a document. The documents are branded with the logos of the targeted company, such as in the campaign targeting Daily Mail.

Scanning the QR code will bring the user to a phishing site that pretends to be a Microsoft login, attempting to steal the user’s credentials.

While the ultimate goal of this phishing attack is nothing new, its use of corrupted Word documents is a novel tactic used to evade detection.

“Although these files operate successfully within the OS, they remain undetected by most security solutions due to the failure to apply proper procedures for their file types,” explains Any.Run.

“They were uploaded to VirusTotal, but all antivirus solutions returned ‘clean’ or ‘Item Not Found’ as they couldn’t analyze the file properly.”

These attachments have been fairly successful in achieving their goal.

From attachments shared with BleepingComputer and used in this campaign, almost all have zero detections [1, 2, 3, 4] on VirusTotal, with only some [1] detected by 2 vendors.

At the same time, this could also be caused by the fact that no malicious code has been added to the documents, and they simply display a QR code.

The general rules still apply to protect yourself against this phishing attack.

If you receive an email from an unknown sender, especially if it contains attachments, it should be deleted immediately or confirmed with a network admin before opening it.
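An attachment triage check for the two traits described above: the base64 marker in the attachment names and a Word file that scanners cannot parse. This is an added example, not code from Any.Run or BleepingComputer; it assumes the damaged attachment fails ordinary ZIP/OOXML validation, and the function names and sample bytes are constructed for illustration.

```python
import base64, binascii, io, re, zipfile
REQUIRED_PARTS = {"[Content_Types].xml", "word/document.xml"}

def decoded_tokens(filename):
    """Printable text decoded from long base64-looking runs in a filename."""
    found = []
    for tok in re.findall(r"[A-Za-z0-9+/]{16,}", filename):
        try:  # the token in the filenames has no '=' padding, so restore it
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("ascii", errors="ignore")
        if len(text) == len(raw) and text.isprintable():
            found.append(text)
    return found

def ooxml_problem(data):
    """None if the bytes parse as a Word OOXML package, else the reason."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()  # CRC-checks every member
            if bad:
                return "CRC error in " + bad
            missing = REQUIRED_PARTS - set(zf.namelist())
            if missing:
                return "missing parts: " + ", ".join(sorted(missing))
    except (zipfile.BadZipFile, EOFError) as exc:
        return "not a valid ZIP container: %s" % exc
    return None

def triage(filename, data):
    """Reasons to hold an attachment for review; empty list means none."""
    findings = []
    if re.search(r"\.docx(\.bin)?$", filename, re.I):
        problem = ooxml_problem(data)
        if problem:  # a file the scanner cannot parse should not pass as clean
            findings.append("unparseable Word attachment: " + problem)
    for text in decoded_tokens(filename):
        findings.append("filename token decodes to " + repr(text))
    return findings

def _sample_docx():  # constructed minimal package, not a campaign sample
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()
GOOD = _sample_docx()
DAMAGED = GOOD[:-30]  # constructed damage; the campaign's method is not on the page
```

The point of `triage` is that a parse failure on a Word attachment becomes a finding in its own right instead of being treated as "nothing to scan".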
