That Word Document Isn’t Broken—It’s a Phishing Attack in Disguise
A broken document usually seems harmless—just an inconvenience to fix. But in this series of phishing attacks, a corrupted Word file isn’t a mistake; it’s a deliberate trap.
A phishing campaign observed by Abnormal exploits Microsoft Word’s built-in file recovery feature to make malicious documents seem harmless, turning what looks like a broken file into an open door for attackers.
By sending intentionally corrupted Word documents, attackers successfully bypass security tools, trick users into opening the files, and ultimately steal credentials via embedded QR codes.
Here’s how it works, what makes it unique, and why legacy security tools struggle to stop it.
Breaking Down the Corrupted Document QR Code Phishing Attack
At its core, this attack relies on a combination of social engineering and technical evasion tactics. It begins with the target receiving an email that appears to come from the HR or payroll department, often with subject lines referencing employee benefits, bonuses, or payment processing.
![Corrupted Word Doc QR Code Phishing Email Header](/_next/image?url=https%3A%2F%2Fimages.abnormalsecurity.com%2Fproduction%2Fimages%2Fblog%2FCorrupted-Word-Doc-QR-Code-Phishing-Email-Header.png%3Fw%3D1536%26h%3D194%26auto%3Dcompress%252Cformat%26fit%3Dcrop%26dm%3D1739387396%26s%3D5e68afbada8e5406e1991474b1efed90&w=3840&q=75)
Attached to the email is a Word document with a seemingly legitimate filename, such as Q4_Benefits_&_Bonus.docx.
![Corrupted Word Doc QR Code Phishing Attachment](/_next/image?url=https%3A%2F%2Fimages.abnormalsecurity.com%2Fproduction%2Fimages%2Fblog%2FCorrupted-Word-Doc-QR-Code-Phishing-Attachment.png%3Fw%3D1536%26h%3D314%26auto%3Dcompress%252Cformat%26fit%3Dcrop%26dm%3D1739387395%26s%3Df8f39a5c00293cce26f78561dd18e4d8&w=3840&q=75)
However, the document is intentionally malformed in a way that triggers Word's built-in file recovery feature. Thus, when the recipient attempts to open the file, Microsoft Word detects the corruption and prompts the user with a recovery option. This can lead users to trust the document while unknowingly interacting with malicious content embedded within the recovered version.
![Corrupted Word Doc QR Code Phishing File Recovery](/_next/image?url=https%3A%2F%2Fimages.abnormalsecurity.com%2Fproduction%2Fimages%2Fblog%2FCorrupted-Word-Doc-QR-Code-Phishing-File-Recovery.png%3Fw%3D1536%26h%3D1610%26auto%3Dcompress%252Cformat%26fit%3Dcrop%26dm%3D1739387393%26s%3D204ede0e232e3e82d2f28f152b40a6e2&w=3840&q=75)
If the target clicks "Yes", Word repairs the file and reveals a document customized with the company’s branding and an embedded QR code.
![Corrupted Word Doc QR Code Phishing QR Code](/_next/image?url=https%3A%2F%2Fimages.abnormalsecurity.com%2Fproduction%2Fimages%2Fblog%2FCorrupted-Word-Doc-QR-Code-Phishing-QR-Code.png%3Fw%3D1536%26h%3D1311%26auto%3Dcompress%252Cformat%26fit%3Dcrop%26dm%3D1739387393%26s%3D5ad77793fde3ae5ecd17566733f74431&w=3840&q=75)
The QR code is the final step in the phishing chain. Scanning it directs the user to a phishing website disguised as a Microsoft 365 login page.
![Corrupted Word Doc QR Code Phishing Microsoft Login](/_next/image?url=https%3A%2F%2Fimages.abnormalsecurity.com%2Fproduction%2Fimages%2Fblog%2FCorrupted-Word-Doc-QR-Code-Phishing-Microsoft-Login.png%3Fw%3D1536%26h%3D1400%26auto%3Dcompress%252Cformat%26fit%3Dcrop%26dm%3D1739387392%26s%3D652a9242c781e96644cf0a016767d552&w=3840&q=75)
Because these sites are designed to mimic the login portals of targeted companies, the recipient is more likely to enter their credentials, unknowingly granting the attacker unauthorized access to their account.
This attack is particularly dangerous because it effectively shifts the phishing payload off-screen. By embedding the phishing link within a QR code rather than a clickable link, attackers sidestep traditional URL scanning mechanisms and increase the likelihood of success.
What Makes This Attack Unique?
While phishing campaigns leveraging QR codes are not new, this particular technique introduces several novel elements.
Many email security tools struggle to analyze corrupted files. If a document fails structural integrity checks, some security tools may be unable to fully analyze its contents, potentially allowing phishing emails to evade detection. By manipulating the file structure in a particular way, attackers effectively turn a perceived flaw into an advantage.
Another factor that makes this attack so effective is the level of personalization. The attack is not just about delivering phishing lures—it’s about making them believable. The phishing documents are not generic but tailored with the target company’s logo and branding, making them appear more legitimate. This increases the likelihood that employees will trust the document and proceed with the recovery process.
Additionally, the attack strategically moves phishing activity beyond the corporate environment. Since QR codes must be scanned with a mobile device, users are likely to engage with them using their personal devices, which may not be protected by corporate security policies. This further reduces the likelihood of detection.
Why Corrupted Document QR Code Phishing Attacks Are Difficult to Detect
Legacy email security tools face several challenges in preventing this attack. Some traditional email security solutions may attempt to repair broken files before determining if they're malicious. However, if the corruption affects critical structural elements, the system may be unable to parse the document fully, leading to potential evasion. Moreover, unless the document contains recognizable malicious macros, links, or scripts, detection may still fail.
Signature-based detection, which many secure email gateways (SEGs) rely on, is also ineffective. Because these documents contain no traditional malware signatures and do not exhibit behaviors typically associated with phishing emails, they often go undetected. Instead, they are seemingly benign files that become dangerous only after user interaction.
Additionally, most email security solutions rely on URL scanning to identify phishing attempts. However, because this attack hides the phishing payload inside a QR code rather than a clickable link, traditional security tools fail to flag it.
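The two detection gaps described above, a container the scanner cannot parse and a payload carried in an image rather than a link, can be closed partway with a triage step that runs before any URL scanning. The following Python example is added here to illustrate that step; it is not Abnormal's code and not part of the original post. It assumes a .docx attachment is an OOXML ZIP container, treats a container whose central directory is unreadable (or which lacks `[Content_Types].xml` or `word/document.xml`) as damaged, and, instead of giving up when `zipfile` refuses the file, salvages entry names by walking the ZIP local file headers from the front of the file. A damaged document that still carries `word/media/` images is flagged for image analysis (QR decoding of those images would be a separate step with a third-party library). The sample attachment is constructed in memory for the test and is not a real phishing file; the verdict strings and the `REQUIRED_PARTS` heuristic are this example's own choices.

```python
import io
import struct
import zipfile

# Parts every real Word document carries; their absence marks a damaged container.
# (Heuristic chosen for this example, not a Microsoft-defined rule.)
REQUIRED_PARTS = ("[Content_Types].xml", "word/document.xml")
LOCAL_HEADER_SIG = b"PK\x03\x04"


def scan_local_headers(data: bytes):
    """Recover entry names by walking ZIP local file headers.

    The central directory sits at the end of a ZIP; if it is truncated or
    overwritten, zipfile raises BadZipFile and a naive scanner sees nothing.
    Local headers at the front of the file usually survive, so walk them.
    """
    names = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + 30 <= len(data):
        # header layout: ... crc@14, compressed size@18, name len@26, extra len@28
        csize = struct.unpack_from("<I", data, pos + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        if name:
            names.append(name)
        # skip past the entry's data when its size is known (0 = streaming entry)
        pos = data.find(LOCAL_HEADER_SIG, pos + 30 + name_len + extra_len + csize)
    return names


def triage_docx(data: bytes) -> dict:
    """Classify a .docx attachment before any URL or signature scanning."""
    result = {
        "is_zip": data.startswith(LOCAL_HEADER_SIG),
        "container_readable": False,
        "entries": [],
        "missing_parts": [],
        "media": [],
        "verdict": "clean",
    }
    if not result["is_zip"]:
        result["verdict"] = "not_ooxml"
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() returns the first entry with a CRC error, or None
            result["container_readable"] = zf.testzip() is None
            result["entries"] = zf.namelist()
    except zipfile.BadZipFile:
        # central directory damaged: salvage what the local headers still tell us
        result["entries"] = scan_local_headers(data)
    result["missing_parts"] = [p for p in REQUIRED_PARTS if p not in result["entries"]]
    result["media"] = [n for n in result["entries"] if n.startswith("word/media/")]
    damaged = (not result["container_readable"]) or bool(result["missing_parts"])
    if damaged and result["media"]:
        # a broken document that still carries images is exactly the pattern
        # to route to image/QR analysis rather than discard as unparseable
        result["verdict"] = "suspicious_damaged_with_media"
    elif damaged:
        result["verdict"] = "damaged"
    return result


def build_sample_docx(corrupt: bool) -> bytes:
    """Constructed test input: a minimal OOXML-shaped container, not a real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    data = buf.getvalue()
    if corrupt:
        # cut off the end-of-central-directory record so zipfile cannot open it
        data = data[:-30]
    return data


if __name__ == "__main__":
    for label, blob in (("intact", build_sample_docx(False)),
                        ("truncated", build_sample_docx(True))):
        print(label, triage_docx(blob)["verdict"])
```

Run as a mail-flow hook, the useful output is the verdict plus the salvaged `media` list: a "suspicious_damaged_with_media" result means the attachment should be held for image analysis rather than released because no URL was found.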
Even when SEGs detect these emails post-delivery, remediation is often delayed. In some cases, threat intelligence teams have observed that remediation efforts took several hours, providing attackers with ample time to steal credentials before the emails were removed from inboxes.
Stopping Corrupted Document QR Code Phishing Attacks with Behavioral AI
The use of corrupted Word documents to evade detection represents a significant shift in phishing tactics. By manipulating Microsoft Word’s recovery feature, attackers bypass traditional scanning tools and lure users into scanning malicious QR codes. This technique highlights the limitations of legacy security solutions and underscores the increasing need for AI-driven detection that prioritizes behavioral analysis over static threat signatures.
Unlike legacy tools, AI-powered email security solutions can detect these attacks more effectively by analyzing behavioral patterns. AI models identify unusual sender behaviors, unexpected email content, and irregular attachment structures that deviate from normal communication trends. Instead of relying on known threat signatures, AI assesses the context of an email, recognizing anomalies even when no direct malicious indicators are present.
As attackers continue to innovate, security defenses must evolve to match their sophistication. When attackers start corrupting security itself, only advanced AI-powered detection can ensure organizations remain protected.
For even more insights into the threat landscape and predictions for where it’s headed, download our report, Inbox Under Siege: 5 Email Attacks You Need to Know for 2025.