Hackers are now using corrupted files to bypass your antivirus software — how to stay safe

Hackers have come up with a clever new way to deliver malware to your Windows PC that both you and even the best antivirus software might completely miss.

As reported by Cybernews and first discovered by the threat intelligence services firm ANY.RUN, hackers have started sending out phishing emails which contain broken or corrupt Microsoft Office or ZIP files.

Since these ‘broken’ or intentionally corrupted files cannot be properly read by antivirus software (or by Outlook spam filters), they bypass the security measures that are in place, and the emails end up in a victim’s inbox. Once a victim attempts to recover the corrupted files by executing the corresponding program in recovery mode, the malicious content they contain is able to infect their computer.

For example, a victim receives a broken .docx document that won’t open in Word, but a prompt appears that asks if they want to recover its contents. If the user presses yes, then Word will reconstruct and process the malicious file which then infects their system.

In a post on X, ANY.RUN explains that the threat actors are deliberately corrupting these file types to make it more difficult for security tools to detect the malicious content they contain. At the same time, the apps targeted were chosen specifically because they have built-in recovery mechanisms that the hackers behind this campaign can abuse.

After being provided with the corrupted files, security solutions will assume they need to scan their contents but will fail to extract them. Since they don't find any files inside the archive and overlook the archive itself, the scanning process never really starts.

This basically means that the attackers are exploiting the recovery mechanisms built into popular apps: security tools cannot read the corrupted files, but the corresponding programs, like Word or Outlook, are designed to repair and open them.
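The gap described above, where an archive that cannot be extracted is skipped instead of scanned, can be closed by treating "claims to be an archive but cannot be read" as a verdict of its own. The following Python is an added example, not code from ANY.RUN or from any antivirus product; the function names, the extension list and the constructed sample files are assumptions.

```python
import io
import os
import zipfile

# Extensions that are ZIP containers (modern Office files are ZIP archives).
ARCHIVE_EXTENSIONS = {".zip", ".docx", ".xlsx", ".pptx"}


def triage_attachment(filename: str, data: bytes) -> str:
    """Return 'not-archive', 'scan' or 'quarantine' for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    # Heuristic: either the name or the leading bytes claim a ZIP container.
    looks_like_zip = ext in ARCHIVE_EXTENSIONS or data.startswith(b"PK\x03\x04")
    if not looks_like_zip:
        return "not-archive"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() reads every member and returns the first name whose
            # CRC-32 check fails, or None. No members means nothing to scan.
            if not zf.namelist() or zf.testzip() is not None:
                return "quarantine"
    except Exception:
        # Fail closed: a file that cannot be parsed was not inspected,
        # so it must not be delivered as if it were clean.
        return "quarantine"
    return "scan"  # readable: hand the extracted members to the scanner


def build_sample_docx() -> bytes:
    """Constructed, harmless stand-in for a .docx (stored, uncompressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>Hello</w:document>")
    return buf.getvalue()


def build_damaged_samples() -> dict:
    """Constructed damage for the demo, not the campaign's actual method."""
    good = build_sample_docx()
    return {
        "truncated.docx": good[:-30],                      # archive index cut off
        "bad-crc.docx": good.replace(b"Hello", b"Jello"),  # checksum mismatch
    }


if __name__ == "__main__":
    print("offer.docx", triage_attachment("offer.docx", build_sample_docx()))
    for name, blob in build_damaged_samples().items():
        print(name, triage_attachment(name, blob))
```

The design choice that matters is the `except` branch: a parse failure produces a quarantine verdict rather than silently ending the scan.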

In a separate post on its site, ANY.RUN provides an example of one of the phishing emails used in this campaign which impersonates an HR department email hinting at a potential salary increase. However, it contains a malicious Word document with an additional malicious QR code to open a supposedly secure file which likely leads to a malicious domain. These phishing attacks are similar to those used by infostealers to steal login credentials, credit card details and other sensitive information.

How to stay safe from phishing attacks

It should go without saying but don’t click on any email or message from an unknown sender. When it comes to emails that are supposed to be internal or within your company, know the policies: Would your HR department send you a QR code normally? Check the sender’s email: Is this a regular, known source or person? Is the subject line suspicious, urgent or poorly spelled?

Also, if you don’t already have one of the best antivirus software solutions set up and running on your PC, then go ahead and get that handled immediately. Make sure all your devices are protected against malware and threats, even your mobile devices - we have recommendations for the best Android antivirus apps too but due to Apple's restrictions, there's no equivalent for the best iPhones.

Whenever you’re in doubt about an email, you can always contact the sender directly and even ask them to resend an attachment through a secure method or you can manually visit a link using a secure browser. When it comes to this kind of attack, you and your knowledge are the last line of defense.

Given that malicious attachments are one of the main ways that hackers distribute malware in the first place, don't expect this campaign to die off anytime soon. Instead, you just need to be extra careful when checking your inbox and under no circumstances should you download an attachment from an unknown sender or an email that doesn't pass the smell test.

Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
