Phishing: Attackers bypass virus scan with corrupted Word documents
Security researchers have discovered a new method that cyber criminals use to slip manipulated documents past virus protection.
(Image: created with AI in Bing Designer by heise online / dmk)
E-mails with malicious attachments are still widely used for attacks on PCs. Word documents often serve as carriers for blackmail Trojans, for example. Security researchers have now documented a new method used by attackers to trick virus scanners.
Virus scanners bypassed
As researchers from ANY.RUN explain in a brief analysis on X, they have come across Word documents deliberately damaged by attackers, which they attach to emails as bait for phishing attacks. Because the files are corrupt, certain antivirus software and Outlook's spam filter have difficulty recognizing the file type. As a result, the protection mechanisms do not kick in and such an email ends up in the inbox without a warning.
The researchers state that they have uploaded corresponding files to the online analysis service Virustotal. According to them, none of the more than 60 scanners available there raised the alarm.
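A gateway-side check for the gap described above, as an added example that is not part of the original article or of ANY.RUN's analysis: a Word attachment that no longer parses as a ZIP container but still carries Word package part names is classified as damaged, so it can be quarantined instead of delivered. The function names, verdict strings and sample bytes are constructed for illustration, and the damage applied to the sample is arbitrary, not the campaign's actual modification.

```python
import io
import zipfile
import zlib

WORD_EXTS = (".docx", ".docm")
# Part names are stored uncompressed in ZIP headers, so they stay visible
# in the raw bytes even when the container no longer parses.
OOXML_MARKERS = (b"[Content_Types].xml", b"word/document.xml")


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'not-word', 'ok', 'corrupt-word' or 'corrupt-unknown'."""
    if not filename.lower().endswith(WORD_EXTS):
        return "not-word"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            # testzip() re-reads every member: local headers and CRCs.
            intact = zf.testzip() is None
            if intact and all(m.decode() in names for m in OOXML_MARKERS):
                return "ok"
    except (zipfile.BadZipFile, zlib.error, EOFError, ValueError, OSError):
        pass  # container is damaged; fall through to the raw-byte check
    # Damaged container that still carries Word part names: the case a
    # scanner keyed on file-type recognition would wave through.
    if all(marker in data for marker in OOXML_MARKERS):
        return "corrupt-word"
    return "corrupt-unknown"


def build_sample_docx() -> bytes:
    """Constructed, harmless stand-in for a Word package (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document>constructed</document>")
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_docx()
    damaged = good[:-10]  # constructed damage: end of the archive cut off
    for name, blob in (("bonus.docx", good), ("bonus.docx", damaged),
                       ("notes.txt", b"plain text")):
        print(name, len(blob), classify_attachment(name, blob))
```

A mail filter would treat both `corrupt-word` and `corrupt-unknown` as reasons to hold the message, since a legitimate sender rarely attaches a document that needs repair.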
Phishing victims
In the course of this campaign, the unknown attackers are said to send the emails in the name of HR departments with a subject line about bonus payments. If a victim falls for it and opens the manipulated file, Word offers to repair the document. Because the attackers have only made minimal changes to the header at a certain point, Word can restore and open the document.
It contains a QR code that victims are asked to scan to receive another document. Anyone who follows it ends up on a phishing website that collects Microsoft login data.
The extent of the phishing campaign is currently unknown. As a general rule, you should not open any file attachments, especially from unknown senders.
(des)