Full Report
A new phishing attack uses corrupted Word docs to bypass security, luring victims with fake payroll and HR emails
Analysis Summary
# Tool/Technique: Corrupted Word File Phishing (QR Code Lure)
## Overview
A sophisticated phishing campaign utilizing specially crafted, corrupted Microsoft Word documents to bypass security controls and trick users into scanning a QR code that leads to a credential harvesting site, impersonating HR or payroll functions for lure purposes.
## Technical Details
- Type: Technique (Phishing Payload Delivery/Lure)
- Platform: Microsoft Word on Windows environments (implied by the reliance on Word's recovery mode).
- Capabilities: Evading antivirus and sandbox detection by carrying no macro, exploit or executable payload; abusing Word's built-in document recovery (a Word feature, not an operating-system one) to render a QR code that moves the victim off the endpoint to a credential-harvesting page.
- First Seen: Campaign active since August (as of the time surveyed in December 2024).
## MITRE ATT&CK Mapping
This campaign primarily focuses on initial access and the delivery mechanism:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Delivering the corrupted file)
- T1566.002 - Spearphishing Link (the QR code is an out-of-band link to the credential-harvesting page)
- T1204.002 - User Execution: Malicious File (the victim has to open the attachment and let Word recover it)
- **TA0043 - Reconnaissance (credential harvesting)**
- T1598.003 - Phishing for Information: Spearphishing Link (the fake Microsoft login page collects the credentials). T1555 - Credentials from Password Stores does not fit this campaign: it covers reading credentials already stored on the victim host, and nothing on the host is touched here.
## Functionality
### Core Capabilities
- **Evasion:** The attachments contain no macro, exploit or executable content, so signature-based antivirus and multi-engine scanning services such as VirusTotal return clean or inconclusive results; many parsers simply reject the damaged container and classify the file as unknown.
- **User Interaction Lure:** Emails impersonate HR/Payroll, promising benefits or bonuses to ensure the user opens the attachment.
- **Forced Redirection:** Upon opening the attachment, Microsoft Word enters recovery mode, reconstructs the file, and displays a visual prompt instructing the user to scan a QR code.
### Advanced Features
- **Exploitation of File Processing Gaps:** The technique exploits the gap between how Word and how security tooling treat a structurally damaged file. Word treats it as a document to be repaired and renders whatever its recovery routine can salvage (here, the QR code and the instruction to scan it); most scanners and sandboxes either fail to parse the broken container or file it as an unrecognised type and stop analysing.
- **Cross-Device Delivery:** The attachment is only the first hop. Scanning the QR code moves the victim to a personal phone, typically outside the corporate proxy, URL-rewriting and endpoint controls that would have inspected a clickable link in the email body.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: Common lures include variations like:
- `Annual_Benefits_&Bonus_for[name].docx`
- `Due_&Payment_for[name].docx.bin`
- `Q4_Benefits_&Bonus_for[name].docx.bin`
- Registry Keys: [Not specified in the context]
- Network Indicators: The final destination is a fake Microsoft login page built for credential harvesting (no URLs are given in the source).
- Behavioral Indicators:
- Microsoft Word triggering recovery mode on an unexpected document.
- User behavior shifting from opening a document to scanning a displayed QR code.
## Associated Threat Actors
- [Threat actors are not explicitly named in the summary, but the campaign is noted for its sophistication.]
## Detection Methods
- Signature-based detection: Largely ineffective, because the file carries no macro, exploit or executable payload to sign; at best, hashes of already-known samples.
- Behavioral detection: Focus on the sequence: a `.docx` (OOXML, not OLE) attachment opened from mail -> Word entering document recovery -> a recovered document whose visible content is an image and a short scan-this-code instruction rather than normal text. At the mail gateway, treat `.docx` attachments that fail ZIP/OOXML parsing as suspicious rather than unclassifiable, and flag the `.docx.bin` double extension seen in the lure names.
- YARA rules: [Not specified in the context]
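As an added example (not code from the report or from any vendor's tooling), the following Python triage script checks an attachment for the three properties the IoC list and the detection notes above call out: a lure-style filename, an OOXML container that a strict ZIP reader rejects (the state that puts Word into document recovery), and embedded images under `word/media/`, which is where a QR code would have to sit. The scoring weights, the sample container and the truncation used to corrupt it are constructed for the demo. Word's own recovery logic is not described in the report; the local-header walk only illustrates what any lenient recovery parser has to do when the ZIP central directory is gone.

```python
"""Attachment triage for the corrupted-.docx lure described above.

Three checks, one per thing the campaign relies on:
  1. lure-style attachment names (HR/payroll keywords, '&', the .docx.bin double extension)
  2. an OOXML container that a standard ZIP reader rejects, which is the state
     that sends Word into document recovery
  3. embedded raster images under word/media/, where a QR code would have to live
All inputs are constructed in memory below; nothing is read from disk.
"""
import io
import re
import struct
import zipfile

REQUIRED_PARTS = ("[Content_Types].xml", "word/document.xml")
LURE_NAME_RE = re.compile(r"(?i)(benefits|bonus|payment|payroll).*\.docx(\.bin)?$")
DOUBLE_EXT_RE = re.compile(r"(?i)\.docx\.[a-z0-9]{1,4}$")
# Weights are an assumption for this example, not figures from the report.
WEIGHTS = {"double-extension": 2, "hr-payroll-lure": 1, "ampersand-in-name": 1,
           "corrupted-ooxml-container": 3, "embedded-image": 1, "missing-required-part": 1}


def classify_name(name):
    """Name-based flags, in a fixed order so results are comparable."""
    flags = []
    if DOUBLE_EXT_RE.search(name):
        flags.append("double-extension")
    if LURE_NAME_RE.search(name):
        flags.append("hr-payroll-lure")
    if "&" in name:
        flags.append("ampersand-in-name")
    return flags


def list_members(data):
    """(valid, member names) as a strict ZIP reader sees the container.
    valid is False when the central directory or a member is damaged."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None, zf.namelist()
    except zipfile.BadZipFile:
        return False, []


def walk_local_headers(data):
    """Recover member names by walking local file headers only, ignoring the
    central directory at the end of the file. This is the kind of lenient parse
    a recovery routine needs; it illustrates the principle and is not a
    description of Word's own implementation (which the report does not give)."""
    names, pos = [], 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + 30 > len(data):
            break
        # version, flags, method, time, date, crc, csize, usize, name len, extra len
        _, flags, _, _, _, _, csize, _, nlen, elen = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        names.append(data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"))
        pos += 30 + nlen + elen
        if not flags & 0x08:  # bit 3 set means sizes live in a trailing data descriptor
            pos += csize
    return names


def triage(name, data):
    """Score one attachment and return flags, member list and verdict."""
    flags = classify_name(name)
    valid, members = list_members(data)
    if not valid and data.startswith(b"PK\x03\x04"):
        # Looks like a ZIP/OOXML file but a strict reader rejects it: the state
        # in which Word offers recovery. See what a lenient parse still yields.
        flags.append("corrupted-ooxml-container")
        members = walk_local_headers(data)
    if any(m.startswith("word/media/") for m in members):
        flags.append("embedded-image")
    if members and any(p not in members for p in REQUIRED_PARTS):
        flags.append("missing-required-part")
    score = sum(WEIGHTS[f] for f in flags)
    return {"name": name, "flags": flags, "members": members, "score": score,
            "verdict": "quarantine" if score >= 4 else "allow"}


def build_docx(with_image=True):
    """Constructed minimal OOXML container standing in for a real .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
        if with_image:
            zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + bytes(32))
    return buf.getvalue()


def corrupt(data):
    """Constructed corruption for the demo: drop the tail of the file so the
    central directory and end record are gone while every local header survives."""
    return data[:-40]


if __name__ == "__main__":
    clean = build_docx()
    for fname, blob in (("Q4_Benefits_&Bonus_for[name].docx.bin", corrupt(clean)),
                        ("meeting_notes.docx", clean)):
        print(triage(fname, blob))
```

A corrupted container with an embedded image is enough on its own to reach the quarantine threshold, regardless of the filename; a corrupted container with no image is only flagged, since a genuinely broken document with nothing to display is a nuisance rather than a lure. Tune the weights to the false-positive rate your mail flow tolerates.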
## Mitigation Strategies
- Be cautious of unexpected emails with attachments, even if they appear related to internal company matters (like payroll/HR).
- Verify the authenticity of emails and attachments directly with the sender through a separate, trusted communication channel before opening.
- Detonate attachments in a sandbox that opens them in Word itself and observes the whole interaction (including Word's document recovery and what it renders), rather than relying on static file scanning, which stops at the unparsable container.
## Related Tools/Techniques
- General Phishing/Spearphishing campaigns.
- QR Code Scams/Quishing attacks.
- Techniques that abuse document parsing engines (e.g., OLE object manipulation). Note the difference: no parser flaw is exploited here; the campaign relies on Word's intended recovery behaviour and on security tools giving up on a file that Word does not.