Inform your HR departments, internal recruiting teams, and hiring managers to be on the lookout for emails that come from someone submitting a resume for an open position in your firm. Why? There has been a significant increase in the use of this type of email attack to deliver malware.
What makes these emails different? Although these email appear to be similar to ones you have seen or even been the recipient of in the past, they differ quite a bit. How? The document attached to the email is password protected using native security features found within Microsoft Word. In the body of the email the password is conveniently provided to the user so they can easily open the document. After opening the document the user is presented with a page that indicates the document is further protected and macros need to be enabled to view it. When enabling the macros, a Microsoft self-extracting executable is downloaded and unpacks a Remote Access Trojan.
All of these techniques result in a pretty sophisticated phishing attack. Couple these techniques with pretty simple and effective language used in the body of the email, there is a good chance someone in your firm will become a victim.
(If you were wondering why it is possible for the word document to bypass email filters, here is some simple information. Email filters have a hard time inspecting encrypted attachments. Due to this, encrypted attachments may be allowed to bypass email filters, especially if no rule exists to explicitly block them.)
Recommendation
Elteni recommends that users remain vigilant and ensure they are analyzing each email with some level of detail. Some other recommendations include:
- Avoid opening attachments from untrusted sources
- Set up email filters to quarantine encrypted documents so they can be reviewed first
- Ensure endpoint protection solutions are running on all devices
- If possible, configure Microsoft Products to always display prompts when macros are available
- Train your employees to detect phishing attacks
