Microsoft Word Attack Bypasses Security

We’ve said it before and we’ll say it again: don’t open emails from senders you don’t know. If, for some reason, you do open the email, then do NOT download any attachments. These attachments can contain dangerous malware and viruses that will take over your computer, steal your data, add you to a botnet or worse. If you’ve opened a suspicious email and downloaded the attachments, refrain from opening them. You might not get infected just by downloading them, but “might not” becomes “definitely will” once you open them and allow them to run.

Microsoft Word documents are a classic attack vector, but they usually require the user to have macros enabled before they can do anything. Macros are miniature programs, so without them enabled a Word document is just text; with them enabled it becomes a text document loaded with executable code that can quickly overwhelm your computer’s security and move on to whatever Phase 2 of the attack is. This is why, when you download a document and open it in Word, it won’t let you do anything to it: you have to enable editing or save your own copy if you want to interact with a downloaded document, and all of this is done in the name of safety. Since macros are a known attack vector, Microsoft makes an effort to keep security definitions up to date so that security software can deal with them. A new attack, however, doesn’t require macros at all; it relies on a known vulnerability. Microsoft patched this vulnerability last year, but if your device is behind on its updates then you may still be vulnerable. This new wave of Word attacks is designed to steal credit card information, emails and other credentials from your browser.

According to Trustwave’s SpiderLabs, all of the reported emails so far have had one of the following subjects:

Request for Quotation
Telex Transfer Notification

and they’ve all carried a Microsoft Word document titled receipt.docx.

As long as you don’t open the document your computer is safe, but the moment you do, several things happen in quick succession. The document reaches out to the internet and downloads a Rich Text Format (RTF) file that is actually an executable; the RTF takes advantage of the Word vulnerability, which in turn creates a PowerShell script that installs the password-stealing malware. All of this happens rapidly and is essentially unstoppable once you open the document. The attack relies on document types that aren’t normally blocked by firewalls and standard security measures, which is what makes it so effective. The best defense is to leave strange emails unopened and report them to your IT department. If you don’t have an IT department to report them to, report them as spam to Google and block the sender. Whatever you do, DO NOT open strange emails. Your devices will thank you.
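Because the first stage of this chain is a Word document that reaches out to the internet, a defender can triage an attachment before anyone opens it by checking whether the .docx (which is just a zip of XML parts) declares any relationship with TargetMode="External". The script below is an added example written for this article, not code from Trustwave or Microsoft; the .docx it inspects is constructed in memory as a stand-in for a suspicious receipt.docx, and the URL in it is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Namespace used by OOXML relationship parts (e.g. word/_rels/document.xml.rels).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def external_targets(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (relationship kind, target) for every relationship in the
    package that points outside it, i.e. TargetMode="External".
    A plain invoice or receipt has no reason to fetch anything from the
    internet, so any hit here is worth quarantining and reporting."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((kind, rel.get("Target", "")))
    return found


def build_sample_docx(external_target: Optional[str]) -> bytes:
    """Build a minimal, constructed .docx (not a real malware sample) so the
    check can be exercised offline. When external_target is given, the
    document part carries an oleObject relationship marked External, the
    shape a downloader document uses to pull a second stage when opened."""
    rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if external_target:
        rels.append('<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
                    f'officeDocument/2006/relationships/oleObject" Target="{external_target}" '
                    'TargetMode="External"/>')
    rels_xml = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
                + "".join(rels) + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # minimal stub parts
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean receipt:", external_targets(build_sample_docx(None)))
    print("suspect receipt:", external_targets(
        build_sample_docx("http://example.invalid/receipt.rtf")))  # placeholder URL
```

On a real attachment, pass the file’s bytes to external_targets(); an empty list means the package declares no outbound fetch, while any entry is a reason to block the message and report it.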