Corrupted Microsoft Office documents and ZIP files are being utilized in a phishing campaign that evades antivirus detection, according to ANY.RUN. This tactic, used since at least August 2024, involves intentionally corrupting files to bypass email security measures while still facilitating the recovery of malicious content.
Corrupted Microsoft Office files used in new phishing tactic
ANY.RUN reported that corrupted documents are crafted to slip past email filters and antivirus software, allowing phishing emails to reach targeted users. Unlike conventional malware, these files aren’t flagged as suspicious due to their corrupted state, which hinders scanning capabilities. The phishing campaign uses QR codes within documents to lead users to fraudulent Microsoft account login pages, mimicking legitimate communication regarding employee bonuses and benefits.
Samples of these documents, analyzed by ANY.RUN, showed that attachments delivered in this manner often yield no malicious flags when tested with VirusTotal. Scammers have developed corrupt documents specifically designed to evade content filters while maintaining enough integrity for Microsoft Word to recover them.
The malicious files used in this campaign are designed to exploit the recovery functionalities of Microsoft Word and WinRAR. By manipulating the integrity of the files, attackers ensure that when users open these documents, the in-built recovery features make the files readable, thereby masking their malicious intent. This technique effectively allows attackers to bypass traditional scanning methods that many security software rely on.
Investigations have identified this as a potential zero-day exploit, demonstrating a sophisticated understanding of software mechanics by threat actors. The goal remains clear: users are deceived into opening these corrupted files, leading to the activation of embedded QR codes that redirect them to fake websites designed to harvest credentials or deliver malware.
Security experts stress the importance of user awareness in the face of increasingly complex phishing attempts. Grimes emphasized the need for security awareness training in organizations, especially when role-specific communications like employee bonuses serve as the bait for phishing schemes. “You don’t want the real scammers to be the only ones phishing your co-workers this way,” he stated.
Active measures to combat these threats include enhancing email filtering capabilities to detect patterns of file corruption or suspicious content that may not trigger traditional security alerts. In recent years, strategies such as blocking macros in Microsoft Office documents have been implemented to mitigate risks from similar methods of file exploitation. The continuous evolution of phishing tactics, such as embedding malicious links in QR codes, necessitates adaptive strategies from cybersecurity professionals and organizations alike.
The increasing prevalence of QR code phishing, also known as “quishing,” adds another layer of complication, with many users unaware of the risks associated with scanning codes. Cybersecurity solutions are becoming equipped with enhanced QR code detection measures, yet the sophistication of threats means potential vulnerabilities persist.
Featured image credit: Sasun Bughdaryan/Unsplash
