Earlier this week we started seeing a spike in the use of password-protected documents in multiple malware campaigns, including Trickbot. These documents are attached to emails that use varying social engineering lures like the typical "order", "invoice", "documents".
We also saw the now less common, but still used, “new corona case” lure. Some of the emails indicate more specific targeting: the attackers place the domain of the compromised sender account in the email body to make the message more believable.
When opened, the malicious documents prompt for the password, which is in the email body. If the recipient enters the password, the document opens with instructions to enable editing and enable content, so that a malicious macro can run and download the payload.
It’s interesting that cybercriminals would turn to a fairly old technique like this, both as a social engineering lure (banking on the notion that password-protected documents are somehow safe) and as a way to evade automated analysis, since a sandbox or scanner that does not know the password cannot open the document and never sees the macro.
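The evasion point above is also the triage problem a defender faces: an automated pipeline has to notice that the attachment is an encrypted Office container and recover the password from the message body before it can look for the macro. The following is an added example, not code from the original thread or from Microsoft. It uses only the Python standard library; the password-phrasing regex, the sample email and the stub attachments are constructed assumptions. It flags an encrypted OOXML file by the UTF-16LE stream names EncryptionInfo and EncryptedPackage that appear in the container's directory, and a plain OOXML file as macro-bearing when it contains a vbaProject.bin entry.

```python
"""Triage an e-mail for a password-protected Office attachment whose password
is given in the message body.  Added example, standard library only."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Magic bytes of the two Office container formats.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file: .doc/.xls, and encrypted .docx/.xlsx
ZIP_MAGIC = b"PK\x03\x04"                        # plain OOXML: .docx/.xlsx/.docm/...

# An encrypted OOXML file is a CFB container whose directory holds these two
# streams.  Directory entry names are stored as UTF-16LE, so a byte search is a
# workable triage heuristic without a full CFB parser.
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")

# Heuristic for "the password is in the body": a password-like keyword, an
# optional separator, then a token.  Assumption: lures use this kind of wording.
PASSWORD_RE = re.compile(
    r"\b(?:password|passcode|passwd|pwd|pin)\b\s*(?:is|:|=|-)?\s*[\"'“]?([^\s\"'”<>]{3,40})",
    re.IGNORECASE,
)


def extract_passwords(body: str) -> list:
    """Return candidate passwords from the body text, in order, without duplicates."""
    seen, out = set(), []
    for m in PASSWORD_RE.finditer(body):
        cand = m.group(1).rstrip(".,;:)")  # drop trailing sentence punctuation
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def classify_attachment(data: bytes) -> str:
    """Classify an attachment by container type and by the encryption/macro markers."""
    if data.startswith(CFB_MAGIC):
        if ENCRYPTION_INFO in data and ENCRYPTED_PACKAGE in data:
            return "encrypted-ooxml"
        # Legacy .doc/.xls encryption is flagged inside the WordDocument/Workbook
        # stream and needs a real CFB parser (e.g. olefile); not handled here.
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml"
    return "unknown"


def triage(raw_email: bytes) -> dict:
    """Parse a raw RFC 5322 message, pull password candidates and classify attachments."""
    msg = email.message_from_bytes(raw_email, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    passwords = extract_passwords(body)
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_content()
        if isinstance(payload, str):
            payload = payload.encode()
        attachments.append({"filename": part.get_filename(), "kind": classify_attachment(payload)})
    flagged = bool(passwords) and any(a["kind"] == "encrypted-ooxml" for a in attachments)
    return {"passwords": passwords, "attachments": attachments, "password_protected_lure": flagged}


def build_sample_email() -> bytes:
    """Constructed sample: an 'invoice' lure carrying a stub encrypted .docx.
    The stub only mimics the CFB magic and the two stream names; it is not a real document."""
    stub = CFB_MAGIC + b"\x00" * 504 + ENCRYPTION_INFO + b"\x00" * 16 + ENCRYPTED_PACKAGE
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Hello,\n\nPlease find the invoice attached.\nPassword: Inv2020!\n\nRegards\n")
    msg.add_attachment(stub, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    return msg.as_bytes()


def build_macro_docm_stub() -> bytes:
    """Constructed sample: a minimal OOXML zip whose notable entry is a VBA project stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_email()))
    print(classify_attachment(build_macro_docm_stub()))
```

Once a candidate password is recovered, the document can be decrypted with the real msoffcrypto-tool CLI (`msoffcrypto-tool -p <password> invoice.docx decrypted.docx`) and the result handed to `olevba decrypted.docx` to extract the macro; the stdlib heuristic above deliberately stops at classification. Keep in mind that the regex is a low-confidence extractor, so every candidate should be tried rather than only the first.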
Microsoft Threat Protection defends against this multi-component threat through its cross-domain visibility and industry-leading detection capabilities, powered by experts who investigate these kinds of trends.