Introduction
A sophisticated phishing campaign has been identified [5] [7], exploiting Microsoft Word’s recovery feature by using intentionally corrupted DOCX documents. This method allows the documents to bypass security software while remaining recoverable, posing a significant threat to individuals targeted through fraudulent emails.
Description
A sophisticated phishing campaign has been identified that exploits Microsoft Word’s recovery feature by sending intentionally corrupted DOCX documents as email attachments. This tactic allows the documents to bypass security software due to their damaged state while remaining recoverable by the application [3]. The campaign specifically targets individuals through fraudulent emails that impersonate payroll or HR departments, often claiming to provide information about salary bonuses or employee benefits due to company policy changes [6]. Subject lines referring to “Annual Bonuses” and enticing offers of employee benefits encourage recipients to open the malicious attachments. The filenames are crafted to suggest common HR-related themes [7], such as “AnnualBenefits[name].docx” and “Q4Benefits[name].docx.bin” [4] [5] [7]. These corrupted files are designed to evade detection by email filters and antivirus software: they cannot be launched properly in sandbox environments, yet they remain recoverable through Microsoft Word.
Upon opening [4] [5] [9], the corrupt files trigger Microsoft Word’s recovery mode [5], prompting users to restore the document [1]. This process leads to a reconstructed file that displays the logo of the targeted organization and instructs users to scan a QR code, directing them to a counterfeit Microsoft login page designed to capture their login credentials [4]. The content of the corrupted Word file typically includes generic information about payroll bonuses [6], enhancing the likelihood that users will engage with the phishing attempt. Cybersecurity experts have noted that this campaign employs a novel tactic of using corrupted files that do not contain malicious code, allowing them to bypass most antivirus solutions and detection tools [5]. Many files analyzed on platforms like VirusTotal were marked as clean or returned “Item Not Found” responses due to improper file type analysis, with only a few detected by antivirus vendors [7].
The effectiveness of this campaign stems from exploiting the discrepancies between how operating systems handle damaged files and how security tools assess them [5]. The attackers intentionally corrupt the structure of the files [8], making them largely undetectable by traditional security measures. The malicious code within these files activates only when opened in specific applications with recovery mode enabled [8], further reducing the likelihood of detection. Active since at least August 2024 [2], this campaign highlights the increasing sophistication of phishing techniques [5], underscoring the importance of vigilance and robust cybersecurity measures [5].
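The detection gap described above is a parsing mismatch: a DOCX is a ZIP archive, and a scanner that cannot read the archive tends to report "unknown type" or "clean" rather than "unscannable". The following triage script is an added example, not code from any of the cited reports; it flags attachments that carry a Word extension (including double extensions such as ".docx.bin") but do not open as a well-formed OOXML container, so they can be routed to an interactive sandbox or manual review. The attachment bytes, filenames and subject line below are constructed fixtures, and the lure keyword list and verdict names are the example's own assumptions.

```python
"""Triage for Word attachments that fail to parse as OOXML containers.

Added example (not code from the cited reports). A DOCX is a ZIP archive;
the campaign ships archives that ZIP-based scanners cannot read but that
Word's recovery mode can still reconstruct. The checks below flag that
mismatch so such attachments are escalated instead of passed as clean.
All attachments used here are constructed fixtures, not real lures.
"""
import io
import re
import zipfile
import zlib

# Parts every OOXML Word document carries; an archive that opens but lacks
# them is incomplete rather than a normal document.
REQUIRED_OOXML_PARTS = {"[Content_Types].xml", "word/document.xml"}

# ZIP-based Word extensions. The regex matches them anywhere in the name so
# a double extension such as ".docx.bin" still counts as a Word attachment.
WORD_EXTENSIONS = (".docx", ".docm", ".dotx")
OFFICE_EXT_RE = re.compile(r"\.(docx|docm|dotx)(\.|$)", re.IGNORECASE)

# Lure themes reported for the campaign (HR, payroll, bonus); assumed list.
LURE_WORDS = ("benefit", "bonus", "payroll", "salary")


def looks_like_word_attachment(filename: str) -> bool:
    return OFFICE_EXT_RE.search(filename) is not None


def has_double_extension(filename: str) -> bool:
    """True when a Word extension is present but is not the final suffix."""
    return looks_like_word_attachment(filename) and not filename.lower().endswith(WORD_EXTENSIONS)


def container_state(data: bytes) -> str:
    """Classify the bytes as a 'valid', 'incomplete' or 'unparseable' OOXML container."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() reads every member and returns the first corrupt one.
            if zf.testzip() is not None:
                return "unparseable"
            names = set(zf.namelist())
    except (zipfile.BadZipFile, zlib.error, EOFError, ValueError):
        # Missing central directory, truncated members or bad headers: the
        # scanner cannot see inside, which is exactly the evasion condition.
        return "unparseable"
    if not REQUIRED_OOXML_PARTS <= names:
        return "incomplete"
    return "valid"


def triage(filename: str, data: bytes, subject: str = "") -> dict:
    """Return a verdict ('not-word', 'scan' or 'review') with supporting reasons."""
    if not looks_like_word_attachment(filename):
        return {"verdict": "not-word", "container": None, "reasons": []}
    reasons = []
    state = container_state(data)
    if state != "valid":
        reasons.append(f"word-extension-but-{state}-container")
    if has_double_extension(filename):
        reasons.append("double-extension")
    if any(w in (filename + " " + subject).lower() for w in LURE_WORDS):
        reasons.append("hr-payroll-lure")
    # An unreadable container is never "clean"; it is unscannable, so escalate.
    verdict = "review" if state != "valid" else "scan"
    return {"verdict": verdict, "container": state, "reasons": reasons}


def build_minimal_docx(include_document_part: bool = True) -> bytes:
    """Constructed fixture: a tiny well-formed OOXML container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", "<Relationships/>")
        if include_document_part:
            zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_truncated_docx() -> bytes:
    """Constructed fixture: the same container with its central directory cut
    off. The leading 'PK' magic survives, so signature-based type sniffing
    still reports a ZIP while zipfile cannot open it."""
    return build_minimal_docx()[:-40]


if __name__ == "__main__":
    # Constructed sample attachments modelled on the reported naming pattern.
    samples = [
        ("AnnualBenefits_jdoe.docx", build_minimal_docx(), "Annual Bonuses"),
        ("Q4Benefits_jdoe.docx.bin", build_truncated_docx(), "Annual Bonuses"),
        ("invoice.pdf", b"%PDF-1.4", "Invoice"),
    ]
    for name, blob, subj in samples:
        print(name, triage(name, blob, subj))
```

The design point is that "unparseable" is treated as its own outcome rather than being folded into "nothing found": a gateway that cannot open a Word attachment should hold it for an environment that opens it with the real application, which is the control the campaign is built to avoid.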
Conclusion
The impact of this phishing campaign is significant, as it highlights vulnerabilities in current security measures and the evolving tactics of cybercriminals. To mitigate such threats [10], users should exercise caution with unsolicited emails [7], especially those with attachments [7], and verify the authenticity of emails from unknown senders. Organizations are advised to implement a combination of administrative and technical security controls, including phishing awareness training and automatic email scanning [10]. Employing interactive sandboxes that launch files in their appropriate programs can help detect malicious intent [2]. Continuous monitoring of the cyber threat landscape and adopting a multi-layered security approach, combining advanced threat detection tools with user education [8], are crucial for maintaining vigilance against these sophisticated attacks.
References
[1] https://www.techzine.eu/news/security/126705/phishing-campaign-bypasses-security-corrupt-word-documents/
[2] https://www.scworld.com/news/corrupted-word-documents-used-in-phishing-campaign
[3] https://blog.netmanageit.com/novel-phising-campaign-uses-corrupted-word-documents-to-evade-security/
[4] https://www.newsminimalist.com/articles/phishing-campaign-uses-corrupted-word-files-to-steal-credentials-343a6231
[5] https://www.infosecurity-magazine.com/news/corrupted-word-files-fuel-phishing/
[6] https://gridinsoft.com/blogs/corrupted-word-documents-phishing-attacks/
[7] https://www.techmonitor.ai/technology/cybersecurity/new-phishing-tactic-word
[8] https://securityonline.info/zero-day-attack-alert-corrupted-files-weaponized-in-new-attacks/
[9] https://www.heise.de/en/news/Phishing-Attackers-bypass-virus-scan-with-corrupted-Word-documents-10184723.html
[10] https://fieldeffect.com/blog/novel-attack-vector-evades-anti-phishing-security-controls