9/11 Press Release Malware - Abnormal Security

9/11 Press Release Malware

Attackers utilize a 9/11 press release from an impersonated partner to deliver malware to recipients.

Quick Summary of Attack Target

Platform: Office 365
Mailboxes: 5,000-15,000
Email Security Bypassed: Office 365
Victims: Employees
Payload: Malicious Attachment
Technique: Impersonation

What was the attack?

Setup: This attack leverages the trust from a known partner to deliver malicious content disguised as a press release on the anniversary of 9/11. 

Email Attack: The email is general and contains a brief message stating for the recipient to “Please see the attached document” along with a password to open the attached .zip file. The actual .doc file is embedded within the compressed file with the file titled “report,09.11.2020”.

Payload: An initial scan of the zip file doesn’t reveal anything malicious about its contents. Upon opening the .doc file, even the title “report,09.11.2020” looks like it contains legitimate information relevant to a press release. It isn’t until the file is downloaded and opened, that it reveals malicious malware that has the potential to wreak havoc on users devices. 

Result: Should recipients fall victim to this attack, malware will be installed on the recipients computers, enabling attackers to steal sensitive business and personal information, or render their devices unusable.

Why is this attack effective?

Urgency: Since the email was sent with the file titled “report,09.11.2020”, recipients of the email would expect to receive correspondence from partners regarding the anniversary of 9/11.

Impersonated email/sender: The attacker impersonates a known partner using an expired domain. Although sent from a trivalleycentral.com domain, email authentication fails for the sender. As of 2016, the legitimate domain has been switched to pinalcentral.com.


Concealed Attachment: The email contains an attachment that could be relevant to the recipient. Press releases often contain photo/video files that are too large and thus are attached as compressed files. In this case it wouldn’t be unusual for this partner to do this.

Related content