One of the most popular ways of distributing malware is via malicious email attachments poised as invoices, payment recipes, error pages. These emails include attachments to word and excel files, that when opened can install the malware in your system.
Recognizing these email attachments used by phishing emails could make a big difference towards a safer cyber experience.
Before these files (Word and Excel) could make changes in your system or macros, Office requires you to click on the ‘Enable Editing’ or ‘Enable Content’ button which you should never do as it’ll enable them to infect your system.
The miscreants trick users by displaying a document template that displays that there is an error in viewing or displaying and ask the user to ‘Enable Editing’ or ‘Enable Content’.
Here are some common phishing attachments used by malware attackers that you need to avoid-
Malware developed by the TrickBot trojan group, they remotely access your computer to deploy the Ryuk ransomware to the whole network.
- BazarLoader usually has phishing attachments containing Word or Excel documents hosted on Google Docs and Google Sheets.
- These documents trick the user into downloading the executable file by displaying a template with the message that preview is not available or there were some problems and a link to download the file which then installs the BazaLoader malware.
A trojan said to be linked with WastedLocker used to fish passwords and login credentials.
- It is easy to identify Dridex attachments as they are usually more stylized with company logos and letterheads and contains text that is difficult to read (either very small or obfuscated) and ask you to ‘enable editing’ to see better.
- They could also be stylized templates copying Delivery or Shipping recipes.
The most common email phishing chain that steals your email to send out more spam emails. Emotnet uses warning templates instead of documents like Dridex, asking to enable content to read the document.
- For Example, the ‘Red Dawn’ template says “This document is protected,” and to enable content to read it.
- Another of their template says that the document could not be opened correctly as it was created on ‘iOS Device’, or that the document on ‘Windows 10 Mobile’ which has been long discontinued.
- Some of the other templates they use are- “Protected View”, “Accept Microsoft’s license agreement” and “Microsoft Office Transformation Wizard.”
QakBot is a banking trojan partnered with ProLock ransomware, they have very stylized and legit looking templates.
- Their famous template is the ‘DocuSign’, it looks like a form from DocuSign and asks to ‘Enable Content and Editing’.
Files that ends with these – vbs, .js, .exe, .ps1, .jar, .bat, .com, or .scr are almost always malicious and executable files that further download codes and macros in the computer.
If you see an email attachments with these file types, never open them and delete them immediately as they are undoubtedly malicious.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.