A new phishing campaign uses corrupted Word documents to evade detection and steal credentials.
Cybersecurity researchers have identified a new phishing campaign that uses corrupted Microsoft Word documents to bypass email security systems. The phishing emails, disguised as communications from payroll or human resources departments, include damaged Word attachments. These attachments evade detection by security software due to their corrupted state but remain recoverable when opened in Microsoft Word.
The campaign, discovered by the malware-analysis firm Any.Run, uses enticing themes such as employee benefits and bonuses to lure victims into opening the attachments.
The phishing emails use attachment names that suggest they contain information about annual benefits or payments, such as:
These file names include a hidden code that seems harmless. When the attachment is opened, Word detects unreadable content and prompts the user to repair the file. The repaired document displays a QR code with the company’s logo, instructing the user to scan it for more details.
Scanning the QR code directs the user to a fake Microsoft login page designed to steal their credentials. These files don’t contain malicious code, making them hard for antivirus software to detect, as noted by Any.Run: "These files operate successfully within the system and evade most security solutions."
According to Any.Run, this tactic takes advantage of the documents' corrupted state to slip past security protocols. Reports indicate that the attachments in this campaign were rarely flagged on platforms like VirusTotal, with many antivirus tools labeling them as "clean" or failing to analyze them altogether.
Their success is partly attributed to the lack of embedded malicious code in the files, as the attachments primarily serve as a vehicle to lead victims to the phishing site.
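The defensive lesson in the paragraph above is that "could not analyse" must not be reported as "clean". As an added example (not code from Any.Run or this article), the triage check below treats a .docx attachment whose ZIP container is damaged, or whose members fail their CRC, as grounds to quarantine and inspect it rather than pass it through; the sample documents are constructed in memory, and the part names checked are the standard OOXML ones.

```python
# Added example, not from the article. A .docx is a ZIP (OOXML) container.
# The campaign relies on attachments damaged enough that scanners give up while
# Word's repair path still renders them, so a gateway that maps "unparseable"
# to "clean" waves them through. This heuristic does the opposite.
import io
import zipfile

REQUIRED_PARTS = ("[Content_Types].xml", "word/document.xml")


def assess_docx(data: bytes) -> str:
    """Return 'ok', 'corrupt' or 'suspicious' for a .docx attachment's bytes."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        # No usable end-of-central-directory record: a scanner that walks the
        # ZIP index sees nothing, while Word may still salvage local headers.
        return "corrupt"
    try:
        with zipfile.ZipFile(buf) as zf:
            if zf.testzip() is not None:          # some member fails its CRC
                return "corrupt"
            names = set(zf.namelist())
            if not all(part in names for part in REQUIRED_PARTS):
                return "suspicious"              # a ZIP, but not a real document
    except zipfile.BadZipFile:
        return "corrupt"
    return "ok"


def make_docx(body: str) -> bytes:
    """Build a minimal, constructed OOXML document in memory (stored, not deflated)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document>{body}</w:document>")
    return buf.getvalue()


def corrupt_tail(data: bytes, n: int = 40) -> bytes:
    """Simulate damage that removes the end-of-central-directory record."""
    return data[:-n]


def corrupt_member(data: bytes) -> bytes:
    """Flip one byte inside a stored member so its CRC-32 no longer matches."""
    return data.replace(b"<w:document>", b"<x:document>", 1)


if __name__ == "__main__":
    sample = make_docx("Annual benefits")
    for label, blob in (("intact", sample), ("truncated", corrupt_tail(sample)),
                        ("bit-flipped", corrupt_member(sample))):
        print(f"{label:12s} -> {assess_docx(blob)}")
```

Quarantining on "corrupt" costs little, since a legitimately damaged HR document is rare and a human can still open it from quarantine after review.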
This campaign shows how attackers are constantly adapting to outsmart security tools, using creative methods like corrupted Word documents to avoid detection. By relying on everyday tools like document repair features and QR codes, they make their attacks feel legitimate to unsuspecting users. As these tactics become more sophisticated, staying alert and questioning unexpected emails or attachments is fundamental for protecting sensitive information.
Phishing is a cyberattack where criminals trick individuals into sharing sensitive information, such as passwords or financial details, by posing as legitimate entities.
Corrupted Word documents bypass email security systems because they appear non-malicious, making it harder for antivirus tools to detect them.
When Word detects unreadable content, it offers to repair the document. Phishers exploit this feature to display harmful content, like QR codes leading to fake websites.
Look for unknown senders, unusual requests, or unexpected attachments, especially with generic names like "Annual Benefits." Always confirm with your IT team before opening such files.