Phishing attachment hides malicious macros from security tools
A clever new wave of phishing attacks prove malicious, macro-enabled attachments can still bypass security tools and pack a serious punch under the right conditions.
The attacks, recently spotted by researchers at FireEye, targeted financial services organizations in the United States, tricking them to download and deploy a backdoor giving attackers full control of the victim’s environment.
Phishing simulations & training
Is your organization susceptible to phishing attacks? Find out today with a free Phishing Risk Test!
How does this attachment attack work?
At first glance, this attack looks similar to many phishing attachment attacks.
Image courtesy of FireEye
Although the grammar is an obvious red flag, the attacker uses an email address and domain including “CPA” in an attempt to legitimize the tax-themed email and encourage the victim to download the attachment.
This attack’s greatest disguise comes with the attachment itself.
Image courtsey of FireEye
The attachment is well formatted and takes advantage of legitimate H&R Block branding.
While the visual elements of the attachment lend credibility to the email, the real danger of this attachment phishing attack is the hidden macros. With this attachment, attackers used a technique called VBA stomping to hide the macros used to download and deploy the malicious code. Under the right conditions, this allows the email and attachment to pass antivirus checks which normally flag macro-enabled files.
What is VBA stomping?
VBA stomping is a technique attackers use to manipulate VBA source code in Microsoft Office files and hide malicious code in the file’s pseudo-code (or p-code). Security tools that only check the VBA code of the file may not recognize the macro-enabled functionality and may fail to flag a malicious file. In this scenario, the email above could land in an employee’s inbox or be opened without an antivirus warning.
Although VBA stomping can be an extremely effective technique, there are several limitations that may stop the attack in its tracks. For example, the malicious p-code must be compiled for the same version of Office with which the victim opens the file or the macro will not execute as intended. This requires the attacker to uncover the Office version used by their target organizations or victims before launching an attack.
What does this mean for your organization?
The above attack isn’t perfect or undetectable by any stretch. It is possible that your antivirus software will catch a VBA-stomped file or that your most cyber-aware employees will notice the red flags if the phishing email manages to reach their inbox. However, this attack serves as a reminder that cybercriminals operate on the playing field set up by your business technology and security tools. In this case, exploitable elements in Office files and a way to coax a benign antivirus assessment provide hackers with a roadmap to exploit an unsuspecting employee.
It’s impossible to know where future attacks will come from and if your existing infrastructure can protect against them all. That’s what makes training and empowering each employee to recognize and report the security threats that reach them so important.
Prepare your workforce with awareness, training & phishing simulations
Security awareness and training platforms like Infosec IQ give you the tools and training content to educate your workforce and inspire them to adopt habits that will keep your organization secure. Infosec IQ also includes phishing templates like the attack above to help you prepare your workforce for real, active attacks.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Want to test phishing susceptibility at your organization? Run a free Phishing Risk Test and learn your organization’s phish rate in 24 hours.
In this Series
- Phishing attachment hides malicious macros from security tools
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
