If a user opens the file, the document will show an empty Excel spreadsheet with a box saying “Enable Editing and Enable Content to display this document.” If the user clicks the button in Excel to enable content, the SLK file will be allowed to run commands on their computer.
After the button is clicked, the file will execute a series of commands and eventually uses Windows Installer to download the NetSupport Manager remote access Trojan to the victim’s computer.
This phishing campaign is targeting companies in a wide variety of industries, including software, chemicals, healthcare, mining, oil and gas, machinery, utilities, transportation, telecommunications, retail, and banking. Some of the companies are very well-known, including JCPenney, Glad, and Hasbro.
BleepingComputer notes that it’s worth taking the time to call someone to verify emailed requests.
“To protect yourself and your corporate networks from targeted phishing attacks like this, it is recommended that you always contact the sender at their corporate number,“ BleepingComputer says. “While calling them to confirm just adds another task to a busy schedule, it will also give you peace of mind that the email is legitimate.”
In this case, however, it’s better to just assume that any document that asks you to enable content is malicious. It’s important to note that, in most cases, malicious documents are harmless as long as the user knows not to click the “Enable content” or “Enable editing” buttons. New-school security awareness training can help ensure that your employees know how to avoid falling for these attacks.
BleepingComputer has the story: https://www.bleepingcomputer.com/news/security/targeted-phishing-attack-aims-for-well-known-corporate-brands/