The actual email carries a .rtf file attachment which is actually a .docm (Word Macro enabled document) that has been renamed to bypass content scanners.
The scale of this attack is unprecedented, impacting millions of inboxes across the globe.
The emails themselves relate to a variety of different company names, and the enclosed text refers to the attachments in a variety of different ways. In the examples below, you can see the attachment referred to variously as a form, a license or simply as credentials.
The attached documents contain droppers in the form of Word Macros that are designed to download a payload from a remote location.
At the time that this threat was detected by MailGuard, only 2 out of 67 vendors tested were identifying this email as malicious. MailGuard is consistently between 2 to 48 hours ahead of competitors in blocking zero-day or new variants of phishing scams.
What does the dropper download?
A dropper typically downloads ‘.exe’ malware from a remote location. At this point, it really is the luck of the draw. Cybercriminals can program these exploits to download virtually anything, including:
- Trojans that steal login credentials,
- Crypto ransomware - This encrypts your files with a private key that cannot be reverse engineered. The victim is forced to pay the ransom to receive the decryption key and regain access to the files.
Here’s how you can defend yourself against the macro malware:
- Don’t fall for an attempt to convince you to enabling macros for an unexpected attachment.
- Exercise vigilance and always be suspicious of emails from unknown/unexpected sources.
- If you receive one of these emails, or one of the many variations that are currently circulating, do not open any attachments or links within the email.
Educating staff and employing cloud-based email and web filtering is your first and best line of defence. Compliment this multilayered defence with updated on premise antivirus, anti-malware and anti-spyware solutions. This will go a long way to mitigating the risk from a wide range of email scams.
Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.