If you’re a company that uses email scanning technology as the first line of cyber defense, you should know about a recent slate of malicious Word document-based attacks.
These attacks are designed to deliver malware and ransomware to targeted systems.
Security researchers at Cisco Talos recently identified an attack where Word document files attached to emails were used to deliver Cobalt Strike Beacon to unsuspecting systems.
Once there, hackers could sell access to the Beacon on the Dark Web to any threat actor who wanted readymade entry to the compromised system. So, if you think only “safe” emails—with “safe” attachments—can reach your inboxes, think again.
With the growing number of weaponized Word document attacks, the need for vigilance around attachments has never been higher. It’s imperative you think twice before automatically downloading that next Word document.
How Can Word Files Give Me Malware?
In 2007, Microsoft introduced new file formats for Word, Excel, and PowerPoint, which end in .docx, .xlsx, etc. This update uses the Office Open XML File Format and allows for embedded resources within a document.
Unfortunately, this switch also created the risk of threat actors injecting malicious code into an XML-based file. As a result, hackers can now leverage XML-based document files to deliver malware or ransomware.
RTF-formatted documents also pose the same danger. A Word file containing macros—typically using the .docm extension—can change its extension to .RTF and keep its macros intact.
Opening these disguised files validates them, and they run like any .docx file while downloading malicious code to your network.
Growing Number of Document-Based Attacks
In one variant of the attack discovered by Cisco Talos, the malicious Word documents used multiple layers of encoding and scripting languages to hide the delivery of the Cobalt Strike Beacon download. Once the Beacon payload is on the target system, the organization is now vulnerable to future attacks.
Another attack discovered in 2022, called “Follina,” leverages a weaponized Word file to attack a Windows utility meant to run troubleshooting packs on Windows. The targeted endpoint then calls a malicious HTML file from an external URL.
The Follina attack allows the hacker to exploit the user’s system privileges to install programs, view, change, delete data, or create new accounts.
This attack is also known as a ‘template injection technique.’ Because the weaponized file lacks any suspicious factors like macros or recognizable exploit markers, the threat may go undetected, even as it reaches out to download a malicious template.
Such attacks in recent months include:
- A high-profile August 2022 spear phishing campaign that targeted Pakistan's Ministry of Defense
- A July 2022 attack flagged by PwC that tried to obtain and execute a malicious macro, and
- A September 2022 incident was discovered by Cisco in which weaponized Word files were aimed at Ukrainian government agencies.
Signs to Watch for in Document-Based Attacks
Trust your instincts when you get an email that feels off somehow. Focus on these five areas to determine whether scammers are targeting you and whether you should trust an attached file.
- Sender Even if the sender's name seems familiar, check the email address carefully to confirm that the email is from that person. Look for transposed characters or email addresses that seem almost right, like a .co domain rather than a .com domain.
- Salutation Take a good look at the greeting—is it personalized or generic? If it seems generic, such as "Dear client," "Dear Customer," or "Dear Valued Customer," instead of your name, take a second or two to think before you click.
- Content Scammers try to create a sense of urgency so that you act rather than think (e.g., "your account will be blocked"). Poor grammar and spelling mistakes? No legitimate organization would ever let such errors get past them. Scammers will also ask you for personal or financial information. They will ask you to update your account or change your password.
- Contact information Legitimate organizations want you to contact them if necessary. They show their contact information in their email so you can call them and verify that they are who they say they are. Scammers don't want you to get in touch, so they don't include contact information.
- Attachment If you're not expecting any document from the sender, be vigilant in opening a random attachment. When you open a scammer's attachment, you open the door to malware. Malware can wreak havoc on your computer or your organization's entire network.
How Security Awareness Training Can Protect You
The more knowledge and real-world context employees have, the easier it is to identify emails, attached files, and other social engineering tactics used to steal confidential information. To help prevent whaling, Terranova Security recommends taking the following precautions:
- Educate your team about phishing. Take advantage of free phishing simulation tools to educate and identify phishing risks. They will be surprised at how easy it is to be tricked into giving up confidential information.
- Use proven security awareness training and phishing simulation platforms to keep employees' phishing and social engineering risks top of mind. Create internal cyber security heroes committed to keeping your organization cyber secure.
- Remind your security leaders and cyber security heroes to monitor employee phishing awareness with phishing simulation tools regularly. Take advantage of phishing microlearning modules to educate, train, and change behavior.
- Provide ongoing communication and campaigns about cyber security and phishing. These initiatives include establishing strong password policies and reminding employees about the risks that can come in the format of attachments, emails, and URLs.
- Establish network access rules that limit the use of personal devices and the sharing of information outside your corporate network.
- Ensure that all applications, operating systems, network tools, and internal software are up-to-date and secure. Install malware protection and anti-spam software.
- Incorporate cyber security awareness campaigns, training, support, and education into your corporate culture.
Defend your organization against phishing
Just because you use email scanning doesn't mean you can trust that every email or attachment in your inbox is safe. The growing threat of malware delivered by Word documents demands vigilance. The good news is that with proper security awareness training, you can help ensure your staff continues to be your natural first line of defense against cyber attacks.
Cyber Security Hub: Access Exclusive Cyber Security Content
To learn more about phishing, social engineering, and how to defend yourself against these and other cyber threats, visit our free Cyber Security Hub—your knowledge center for everything cyber security awareness.