Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    New Multi-Stage Word Phishing Attack Infects Users Without Using Macros

    Word-attack-operandi

    Spam distributors are using a new technique to infect users with malware, and while this phishing attack relies on having users open Word documents, it does not involve social engineering users to enable macro scripts.

    This new macro-less technique is currently under active exploitation, being detected by Trustwave SpiderLabs researchers in an ongoing malware campaign.

    New technique's exploitation chain

    The actual exploitation chain is detailed below and relies on a large number of resources, such as DOCX, RTF, HTA, VBScript, and PowerShell.

    ⏩  A victim receives a spam email with a DOCX file attachment.
    ⏩  Victim downloads and opens the DOCX file.
    ⏩  DOCX file contains an embedded OLE object.
    ⏩  OLE object downloads and opens an RTF (disguised as a DOC) file.
    ⏩  DOC file uses CVE-2017-11882 Office Equation Editor vulnerability.
    ⏩  Exploit code runs an MSHTA command line.
    ⏩  MSHTA command line downloads and runs an HTA file.
    ⏩  HTA file contains a VBScript that unpacks a PowerShell script.
    ⏩  PowerShell script downloads and installs the password stealer.
    ⏩  Malware steals passwords from browsers, email and FTP clients.
    ⏩  Malware uploads data to a remote server.

    The technical details of this attack are at: https://www.bleepingcomputer.com/news/security/multi-stage-word-attack-infects-users-without-using-macros/

    Do your users know what to do when they receive a suspicious email?

    Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?

    KnowBe4 Phish Alert

    KnowBe4’s Phish Alert button now also works for Gmail users with G Suite using Chrome. This gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click!

     Best of all, there is no charge!

    • Reinforces your organization's security culture
    • Incident Response gets early phishing alerts from users, creating a network of “sensors”
    • Email is deleted from the user's inbox to prevent future exposure
    • Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)
    • Supports: Outlook 2007, 2010, 2013, 2016 & Outlook for Office 365, Exchange 2013 & 2016, Chrome 54 and later (Linux, OS X and Windows)

    This is a great way to better manage the problem of social engineering. Compliments of KnowBe4!

    I want my Free Phish Alert

    If you do not like to click on buttons with redirects, here is a link you can cut and paste into your browser: https://info.knowbe4.com/free-phish-alert

     

    Return To KnowBe4 Security Blog

    Topics: Phishing

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews