The Bait of Broken Files: Phishing Campaign Using Corrupted Word Docs
Leveraging corrupted attachments to evade SEGs (secure email gateways).
What is the attack?
Phishing Delivery: Attackers distributed benefit-themed emails carrying Office documents that were intentionally corrupted so that security filters could not parse them. Although Word reports the files as damaged, its built-in file recovery feature still restores and opens them. Each document is customized with the target company's logo, personalized with the employee's name, and embeds a QR code that, when scanned, directs the victim to a fake Office 365 login page.
Why did it get through?
Verified Source: The email was sent from a domain that passed SPF and DMARC sender authentication checks.
Attachment Analysis: Attachment scanners struggle with corrupted files and often classify them simply as broken. Because the content is never parsed, anything that Office can later recover from the file is never inspected, so the threat slips through.
Hidden Phishing Link: The QR code embedded in the document conceals the link to the fake Office 365 login page, so no URL appears in the email body or document text for a filter to extract.
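The detection gap described above is that a scanner gives up when the zip container of an OOXML file is damaged. The following added example (not code from the original post or from Abnormal) shows the defender-side check a mail pipeline can apply instead: when the standard zip parser rejects an attachment, look for recoverable OOXML part names and embedded image names still present in the raw bytes and quarantine the file as "corrupted Office document" rather than passing it as harmless junk. The fixture builder and the truncation helper only construct a test input for the detector.

```python
import io
import re
import zipfile

# Entry names that identify an Office Open XML package even when the zip
# central directory is gone: local file headers keep the names in the clear.
OOXML_MARKERS = (
    b"[Content_Types].xml",
    b"word/document.xml",
    b"xl/workbook.xml",
    b"ppt/presentation.xml",
)
# Image parts inside a Word package; a QR code lure arrives as one of these.
MEDIA_RE = re.compile(rb"word/media/[\w.-]+\.(?:png|jpe?g|gif)")


def classify_attachment(data: bytes) -> dict:
    """Verdicts: 'office_ok' (parses as zip and is OOXML), 'corrupted_office'
    (zip parser fails but OOXML parts are still recoverable), 'not_office'."""
    parseable = False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            parseable = zf.testzip() is None  # None means every member checked out
    except Exception:  # BadZipFile, truncated streams, bad CRCs: all mean "not parseable"
        parseable = False
    parts = [m.decode() for m in OOXML_MARKERS if m in data]
    images = sorted({m.decode() for m in MEDIA_RE.findall(data)})
    if parts and parseable:
        verdict = "office_ok"
    elif parts:
        verdict = "corrupted_office"  # route to quarantine / sandbox recovery, not "broken, ignore"
    else:
        verdict = "not_office"
    return {"verdict": verdict, "zip_parseable": parseable,
            "ooxml_parts": parts, "embedded_images": images}


def build_sample_docx(with_image: bool) -> bytes:
    """Constructed minimal OOXML package used only as a test fixture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_image:
            zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return buf.getvalue()


def truncate_tail(data: bytes, n: int = 40) -> bytes:
    """Drop the trailing bytes (end-of-central-directory record) so zipfile rejects the file."""
    return data[:-n]
```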
What is required to solve for this attack?
Behavioral Analysis: Abnormal's Behavioral AI flags never-before-seen senders, unusual email content, and anomalous URLs, which enables the detection of novel attacks such as this one.
Defense-in-depth: This pairs well with the Threat Intelligence layer of the cloud email platform (Microsoft 365) for defense in depth.