Corrupted Microsoft Office documents and archive files have been used to evade detection in a recent phishing campaign, according to ANY.RUN.
The files are intentionally corrupted so that email filters and antivirus software cannot scan them, and so that they fail to launch properly in sandbox environments, ANY.RUN said. However, the files can still be recovered and read when opened with software that has built-in repair features, such as Microsoft Word for DOCX files and WinRAR for ZIP archives.
“This is a new and interesting way to bypass content-filtering security defenses. I’ve been in cybersecurity for over 36 years and I don’t remember this tactic before,” noted Roger Grimes, data-driven defense evangelist at KnowBe4, in an email to SC Media. “The scammers not only had to make a corrupt document that would stymie content-filters, but ensure that the corruption was minor enough that Word would always be able to recover it.”
The campaign has been active since at least August 2024, and uses QR codes embedded in the documents to spread links to phishing websites disguised as Microsoft account login pages. In examples posted by ANY.RUN, the documents were attached to emails meant to look like notices from human resources regarding the target’s salary or employment benefits.
Because the files are sent in a corrupted state, many antivirus products do not recognize them as malicious. Uploading one of the attachments to VirusTotal resulted in zero flags for malicious content, with antivirus solutions returning “clean” or “Item Not Found” results for the file, ANY.RUN posted.
Despite this, the recovery features of programs like Microsoft Word are specifically designed to return damaged files of certain types, such as DOCX files, to a readable state, ensuring the phishing link still reaches the user. The malicious nature of the file is therefore only revealed after it goes through the recovery process in one of these programs.
“Although these files operate successfully within the OS, they remain undetected by most security solutions due to the failure to apply proper procedures for their file types,” ANY.RUN posted on X, noting that an interactive sandbox that launches files in their appropriate corresponding programs allows for detection of the malicious intent.
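The detection gap described above is that a scanner which cannot parse an attachment reports “clean” or “not found” instead of “damaged”. The following added example (not code from ANY.RUN, SC Media or any vendor) shows a triage check that treats a DOCX-like ZIP which fails normal parsing, but still carries Office package entries in its local file headers, as suspicious and worth detonating in a sandbox rather than passing. The sample document and its truncation are constructed in memory purely as a test fixture.

```python
import io
import re
import struct
import zipfile


def build_sample_docx() -> bytes:
    """Constructed minimal DOCX-like package (a ZIP with Office entry names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>salary notice</w:document>")
    return buf.getvalue()


def truncate_trailer(data: bytes) -> bytes:
    """Test fixture: drop the end-of-central-directory record so ordinary ZIP
    parsers reject the file, while the entries themselves are still present."""
    eocd = data.rfind(b"PK\x05\x06")
    return data[:eocd] if eocd != -1 else data


def local_entry_names(data: bytes) -> list[str]:
    """Walk local file headers (PK\\x03\\x04) directly, ignoring the central
    directory. Repair routines fall back on the same structures, so a
    scanner can see what a recovering application will see."""
    names = []
    for m in re.finditer(b"PK\x03\x04", data):
        off = m.start()
        if off + 30 > len(data):
            break
        name_len, _extra_len = struct.unpack_from("<HH", data, off + 26)
        names.append(data[off + 30:off + 30 + name_len].decode("utf-8", "replace"))
    return names


def triage_attachment(data: bytes) -> str:
    """Verdict: 'parsed', 'corrupt-office-like', 'corrupt-zip' or 'not-zip'."""
    if not data.startswith(b"PK\x03\x04"):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is None:  # None means every entry passed its CRC
                return "parsed"
    except Exception:  # any parse failure counts as damaged, never as clean
        pass
    names = local_entry_names(data)
    if any(n.startswith("word/") or n == "[Content_Types].xml" for n in names):
        return "corrupt-office-like"  # route to sandbox detonation, not "clean"
    return "corrupt-zip"
```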
Corrupted Microsoft Office documents used in phishing campaign