Full Report
Cybersecurity researchers have called attention to a novel phishing campaign that leverages corrupted Microsoft Office documents and ZIP archives as a way to bypass email defenses. "The ongoing attack evades #antivirus software, prevents uploads to sandboxes, and bypasses Outlook's spam filters, allowing the malicious emails to reach your inbox," ANY.RUN said in a series of posts on X. The
Analysis Summary
# Tool/Technique: Corrupted ZIPs and Office Documents for Evasion
## Overview
This describes a phishing technique in which threat actors send intentionally corrupted Microsoft Office documents (such as Word files) and ZIP archives via email to bypass anti-virus and email security scanning. The corruption prevents security tools from parsing the files, yet the native applications that end users open them with (such as Word or WinRAR) apply built-in recovery mechanisms that successfully open the file and expose the embedded malicious content once the user interacts with it.
## Technical Details
- Type: Technique (File Corruption Evasion)
- Platform: Windows (Implied by use of Microsoft Office/Outlook)
- Capabilities: Evasion of static analysis, sandbox detection, and email spam filters by delivering files that appear structurally invalid to security tools but are recoverable by native applications.
- First Seen: At least since August 2024 (as reported by ANY.RUN)
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1204 - User Execution
- T1204.002 - Malicious File
- T1027 - Obfuscated Files or Information
- T1027.003 - Software Payload
## Functionality
### Core Capabilities
- Bypassing email security software (spam filters) by delivering structurally damaged files.
- Evading antivirus sandbox analysis because the file structure fails standard parsing procedures, leading to early termination or failure in the sandbox environment.
- Exploiting native application recovery features (e.g., in Word, Outlook, WinRAR) to successfully process corrupted archives/documents once opened by the end-user.
### Advanced Features
- The final payload delivery mechanism often involves QR codes embedded within the document, which, when scanned, redirect victims to fraudulent websites for malware deployment or credential harvesting.
## Indicators of Compromise
- File Hashes: [Not specified in the source material]
- File Names: [Not specified in the source material, likely context-dependent lures like "employee benefits" or "bonuses"]
- Registry Keys: [Not applicable/specified]
- Network Indicators: Redirection to fraudulent websites for malware installation or C2 communication (specific URLs/domains are not given in the source material; they depend on the particular payload deployed)
- Behavioral Indicators: Security tool failure during file static analysis; successful opening of corrupt ZIP/DOCX files via application recovery mode; user interaction with embedded QR codes.
## Associated Threat Actors
- Threat actors actively exploiting this technique since August 2024 (Specific threat group names not mentioned, but described as ongoing threat activity).
## Detection Methods
- Signature-based detection: Ineffective against the initial corrupted containers themselves, as they are designed to fail standard scanning procedures.
- Behavioral detection: Detection should focus on the post-recovery execution phase, that is, what the document tries to do once an application has recovered it (e.g., macro execution, external downloads triggered by a seemingly legitimate recovery process). Monitoring for QR code scanning followed by immediate unexpected network connections is crucial.
- YARA rules: Potentially useful for identifying specific corruption patterns used by attackers across different file formats, though this requires ongoing research tailored to the specific file structure manipulation.
## Mitigation Strategies
- Prevention measures: Implement stricter email gateway settings to quarantine files that fail standard parsing checks or exhibit unusual structural integrity issues, even if they manage to pass initial malware scans.
- Hardening recommendations: Discourage or block the use of document macros. Train users specifically on recognizing lures related to "benefits" or "bonuses" and exercise extreme caution when applications prompt to "recover" damaged files. Ensure mobile devices/scanners are not used reflexively on potentially malicious attachments to scan embedded QR codes.
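One way to put the prevention measure above (quarantine attachments that fail structural parsing checks) into practice, as an added example that is not from the source report or from ANY.RUN: a Python triage function that flags attachments which claim to be ZIP or OOXML containers, by extension or by magic bytes, but fail strict parsing. The corruptions it constructs for its test input (a missing end-of-central-directory record, a damaged member byte) are assumptions used for illustration, not the campaign's actual method, which the report does not detail.

```python
import io
import zipfile

# Signatures a gateway can check before handing an attachment to a full parser.
ZIP_LOCAL_MAGIC = b"PK\x03\x04"   # first local file header of a ZIP
ZIP_EOCD_MAGIC = b"PK\x05\x06"    # end-of-central-directory record
ZIP_BASED_EXTS = (".zip", ".docx", ".xlsx", ".pptx")  # OOXML files are ZIP containers


def classify_attachment(name: str, data: bytes) -> str:
    """Return 'clean', 'not-zip' or 'suspect-corrupt-zip' for one attachment.

    Anything that claims to be a ZIP/OOXML container (by extension or magic)
    but fails strict parsing is treated as suspect, so that a file which a
    native application could still 'recover' never reaches the inbox unflagged.
    """
    claims_zip = name.lower().endswith(ZIP_BASED_EXTS)
    has_magic = data.startswith(ZIP_LOCAL_MAGIC)
    if not claims_zip and not has_magic:
        return "not-zip"
    if claims_zip and not has_magic:
        return "suspect-corrupt-zip"    # extension says archive, content does not
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad_member = zf.testzip()   # None when every member's CRC matches
    except zipfile.BadZipFile:
        return "suspect-corrupt-zip"    # e.g. central directory or EOCD missing
    return "clean" if bad_member is None else "suspect-corrupt-zip"


def make_sample_docx() -> bytes:
    """Constructed minimal OOXML-like archive used as test input (stored, uncompressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def drop_eocd(data: bytes) -> bytes:
    """Constructed corruption: truncate the archive just before its EOCD record."""
    return data[: data.rfind(ZIP_EOCD_MAGIC)]


def flip_payload_byte(data: bytes) -> bytes:
    """Constructed corruption: damage one stored byte so a member's CRC no longer matches."""
    idx = data.find(b"<Types/>")
    return data[:idx] + bytes([data[idx] ^ 0xFF]) + data[idx + 1:]
```

A real gateway would run the same check on every nested container and apply a format-specific parser for legacy .doc/.xls files, which are not ZIP-based.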
## Related Tools/Techniques
- Standard phishing campaigns utilizing office documents (e.g., macro-enabled documents).
- File format fuzzing techniques designed to test the resilience and parsing logic of security software.
- Living Off The Land Binaries (LOLBAS) utilized after successful execution via the recovered files.