Breaking: Unprecedented .rtf Attachment (Malware) Attack Impacting Millions

Posted by Annamaria Montagnese on 31 May 2016 12:28:03 AEST

This morning MailGuard is blocking an ongoing run of email attacks with victims totaling in the millions.

The email carries an attachment with a .rtf extension that is actually a .docm (Word macro-enabled document), renamed to bypass content scanners.

The scale of this attack is unprecedented, impacting millions of inboxes across the globe.

The emails themselves relate to a variety of different company names, and the enclosed text refers to the attachments in a variety of different ways. In the examples below, you can see the attachment referred to variously as a form, a license or simply as credentials.




The attached documents contain droppers in the form of Word Macros that are designed to download a payload from a remote location.
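One way a mail gateway can catch the renamed attachment described above is to classify the file by its content rather than its extension. This is an added example, not MailGuard's code; the function names, verdict labels and the constructed sample file are assumptions for illustration.

```python
import io
import zipfile

RTF_MAGIC = b"{\\rtf"                           # a genuine RTF file starts with this
ZIP_MAGIC = b"PK\x03\x04"                       # .docx/.docm are ZIP (OOXML) containers
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy binary .doc

def sniff_type(data: bytes) -> str:
    """Classify attachment content from its bytes, ignoring the filename."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return "zip"
            ctypes = z.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return "zip-corrupt"
    # A macro-enabled document carries a VBA project part and/or a macroEnabled content type.
    if any(n.lower().endswith("vbaproject.bin") for n in names) or b"macroEnabled" in ctypes:
        return "ooxml-macro"
    return "ooxml"

def check_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, detected_type); verdicts are a hypothetical gateway policy."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    if actual == "ooxml-macro" and ext != "docm":
        return ("block", actual)        # macro document hiding behind another extension
    if ext == "rtf" and actual != "rtf":
        return ("quarantine", actual)   # name says RTF, content says otherwise
    return ("pass", actual)

def constructed_docm() -> bytes:
    """Constructed sample: minimal ZIP shaped like a .docm (placeholder bytes, no real macro)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" ContentType='
                   '"application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
        z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

if __name__ == "__main__":
    print(check_attachment("invoice.rtf", constructed_docm()))
    print(check_attachment("notes.rtf", b"{\\rtf1\\ansi Hello}"))
```
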

At the time that this threat was detected by MailGuard, only 2 out of 67 vendors tested were identifying this email as malicious. MailGuard is consistently between 2 and 48 hours ahead of competitors in blocking zero-day or new variants of phishing scams.

What does the dropper download?

A dropper typically downloads ‘.exe’ malware from a remote location. At this point, it really is the luck of the draw. Cybercriminals can program these exploits to download virtually anything, including:

  • Trojans that steal login credentials.
  • Crypto ransomware, which encrypts your files with a private key that cannot be reverse engineered. The victim is forced to pay the ransom to receive the decryption key and regain access to the files.

Here’s how you can defend yourself against the macro malware:

  • Don’t fall for an attempt to convince you to enable macros for an unexpected attachment.
  • Exercise vigilance and always be suspicious of emails from unknown/unexpected sources.
  • If you receive one of these emails, or one of the many variations that are currently circulating, do not open any attachments or links within the email.

Educating staff and employing cloud-based email and web filtering is your first and best line of defence. Complement this multilayered defence with updated on-premises antivirus, anti-malware and anti-spyware solutions. This will go a long way to mitigating the risk from a wide range of email scams.

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.
