Cybersecurity researchers are investigating a new phishing campaign that exploits corrupted Microsoft Office documents and ZIP files to evade detection by email defenses and antivirus software. Active since at least August 2024, this attack strategy enables malicious emails to bypass spam filters and reach users directly.
Cybersecurity experts uncover new phishing tactic using corrupted files
The campaign operates by sending emails with intentionally corrupted attachments. The corrupted state prevents these files from being scanned effectively by security tools, ultimately enabling them to bypass antivirus alerts. According to ANY.RUN, the malware takes advantage of built-in recovery features in programs like Microsoft Word and WinRAR, allowing corrupted files to be opened without triggering immediate security warnings.
The emails often promise misleading benefits, luring recipients with claims related to employee bonuses and HR notifications. The malicious documents embed QR codes that redirect victims to fraudulent websites, which can lead to credential theft or malware installation. Security checks reveal that when attachments are uploaded to services like VirusTotal, they typically generate zero alerts for malicious content, further complicating detection efforts.
This strategy poses a unique challenge by crafting documents corrupt enough to bypass automated security scans yet accessible enough for users to open. The clever use of promised employee bonuses and benefits as bait exposes vulnerabilities in workplace training, underlining the need for organizations to enhance security awareness programs. Such training should address specific threats like these to help employees recognize and avoid falling victim to these well-crafted schemes.
Records show that the methodology used in this phishing campaign is not entirely unprecedented. Similar tactics have emerged in past attacks, with bad actors frequently finding unique ways to conceal malware within seemingly innocuous files. Techniques such as macro-embedded documents and polyglot files highlight a broader trend where attackers utilize unorthodox methods to avoid detection.
The corrupted attachments in this campaign are specifically designed to circumvent the sandbox environments that many organizations use for security testing. Those sandboxes expect a well-formed file structure, so a deliberately damaged file can fail to parse and be overlooked rather than flagged. When the user then opens the file and lets the application repair it, the recovered content is rendered and the malicious program is unwittingly triggered.
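As an added illustration (not ANY.RUN's tooling and not anything from the campaign itself), the following Python script shows the structural check a mail gateway or sandbox can apply to the two file families named above: an attachment that carries a ZIP/OOXML or legacy OLE Office signature but fails to parse is exactly the "corrupt but recoverable" shape the campaign relies on, and should be flagged rather than passed through as unscannable. The sample files are constructed inside the script, and the OLE sector-alignment test is a heuristic chosen for this example.

```python
"""Flag attachments that look like Office/ZIP files but are structurally corrupt.

Added example for the article above; not ANY.RUN's code. The rule is simple:
a file that announces itself as ZIP/OOXML or OLE2 yet cannot be parsed is a
stronger signal of tampering than of an innocent transfer error, because the
applications will still try to "recover" and display it.
"""
import io
import struct
import zipfile
import zlib

ZIP_MAGIC = b"PK\x03\x04"                       # local file header, .docx/.xlsx/.zip
ZIP_EOCD = b"PK\x05\x06"                        # end-of-central-directory record
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file


def classify_attachment(data: bytes) -> dict:
    """Return signature type, whether the container parses, and a suspicion flag."""
    result = {"signature": None, "parses": False, "suspicious": False, "reason": ""}

    if data.startswith(ZIP_MAGIC):
        result["signature"] = "zip/ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                bad = zf.testzip()          # first member with a CRC error, or None
            result["parses"] = bad is None
            if bad is not None:
                result["reason"] = f"CRC mismatch in member {bad}"
        except (zipfile.BadZipFile, zlib.error, EOFError, OSError) as exc:
            result["reason"] = f"zip parse failed: {exc}"
        if not result["parses"]:
            result["suspicious"] = True
            if ZIP_EOCD not in data:
                # A missing EOCD is the classic "truncated or deliberately damaged"
                # state that Word/WinRAR repair logic will happily paper over.
                result["reason"] += "; no end-of-central-directory record"

    elif data.startswith(OLE_MAGIC):
        result["signature"] = "ole2/legacy office"
        if len(data) < 512:
            result["reason"] = "OLE header truncated"
        else:
            sector_shift = struct.unpack_from("<H", data, 0x1E)[0]
            if sector_shift not in (9, 12):
                result["reason"] = f"invalid sector shift {sector_shift}"
            elif len(data) % (1 << sector_shift) != 0:
                # Heuristic: a compound file is a whole number of sectors.
                result["reason"] = "file length not sector-aligned (truncated)"
            else:
                result["parses"] = True
        result["suspicious"] = not result["parses"]

    else:
        result["reason"] = "not an Office/ZIP signature"

    return result


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML-shaped zip (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_sample_ole(total_len: int = 1024) -> bytes:
    """Constructed OLE2 header (512-byte sectors) padded or cut to total_len bytes."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<H", header, 0x1C, 0xFFFE)  # little-endian byte-order mark
    struct.pack_into("<H", header, 0x1E, 9)       # sector shift 9 -> 512-byte sectors
    return (bytes(header) + b"\x00" * max(total_len - 512, 0))[:total_len]


if __name__ == "__main__":
    docx = build_sample_docx()
    samples = {
        "intact docx": docx,
        "docx minus EOCD (22 bytes cut)": docx[:-22],
        "intact ole": build_sample_ole(1024),
        "ole cut mid-header": build_sample_ole(300),
        "ole not sector-aligned": build_sample_ole(1000),
        "plain text": b"hello",
    }
    for name, blob in samples.items():
        verdict = classify_attachment(blob)
        print(f"{name:32} suspicious={verdict['suspicious']!s:5} {verdict['reason']}")
```

A gateway that treats "signature present, parse failed" as a quarantine condition closes the gap the article describes: legitimate senders almost never mail damaged documents, so the false-positive cost is low, while the alternative of passing unparseable files through unscanned is precisely what this campaign exploits.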
Despite the advanced filtering techniques used by many email services, the campaign demonstrates that gaps still exist within these systems. ANY.RUN emphasizes that, although the files pass through without being flagged as malicious, interactive analysis is essential for detecting this type of corrupted file. Security solutions also struggle to handle QR codes effectively, and the combination of the two tactics compounds the risk for users.
With the rising popularity of QR codes, many attackers are now embedding links within these codes to further obscure their malicious intentions.