
today i got an email from a window salesperson i contacted ONE TIME about three years ago.

there is this word document attached to the email. (actually a .zip file with .doc in the package)

 

of course it's fishy, but it's a .doc file, and i do like opening obviously-scam emails and see what's new in the scam world.

so i downloaded and opened the .doc, and it talked about something like, "this document was created using an older version of word" and i need to enable "editing function".

 

luckily i didn't know how to "enable editing", it turned out the .doc contained a macro that would run some kind of script to steal info.

 

i have been opening scamming emails and going to phishing sites for years, this is the first time i got had by these.

i think mainly it's because i was expecting a reply from someone with EXTREMELY similar email address, and it was 7am this morning, so i wasn't fully awake.

 

anyways, i just thought it's interesting.

 

has anybody encountered other methods of unconventional scams??

 


8 hours ago, James Evens said:

Always disable Macros in Office (under security center or so is the setting).

If your organization requires macros I am sorry for you.

Are there any reasons to use Macros? And why didn't Microsoft fix the flaw allowing Macro Malware to begin with?


3 hours ago, whm1974 said:

Are there any reasons to use Macros? And why didn't Microsoft fix the flaw allowing Macro Malware to begin with?

Macros are useful for automating routine tasks, like in Excel, which many financial institutions use. Microsoft implemented mitigations against macro-based attacks with AMSI, something that they’ve licensed to other security vendors. Also, there are ways to secure macros, like only allowing signed macros within an organization.
 

12 hours ago, Error 504 said:

has anybody encountered other methods of unconventional scams??

We have but so far Microsoft 365’s scanning of spam emails has been good. I don’t think we have a spear phishing email just yet, it’s mostly mass distribution spam. We have educated our employees not to click on suspicious emails and since we use M365 Business Basic, everything is done on the web browser. 
 

12 hours ago, Error 504 said:

-snip-

 

I hope you’re doing that on a VM or in another machine on its own network. 


13 hours ago, Error 504 said:

today i got an email from a window salesperson i contacted ONE TIME about three years ago.

there is this word document attached to the email. (actually a .zip file with .doc in the package)

 

of course it's fishy, but it's a .doc file, and i do like opening obviously-scam emails and see what's new in the scam world.

so i downloaded and opened the .doc, and it talked about something like, "this document was created using an older version of word" and i need to enable "editing function".

 

luckily i didn't know how to "enable editing", it turned out the .doc contained a macro that would run some kind of script to steal info.

 

i have been opening scamming emails and going to phishing sites for years, this is the first time i got had by these.

i think mainly it's because i was expecting a reply from someone with EXTREMELY similar email address, and it was 7am this morning, so i wasn't fully awake.

 

anyways, i just thought it's interesting.

 

has anybody encountered other methods of unconventional scams??

 

This isn't new; documents with malicious macros go back to when people were first able to attach documents to emails. Easy way to avoid them - NEVER open any documents you didn't write yourself.


4 hours ago, Wictorian said:

Why did they zip the file?

 

Generally, archived files aren't scanned by default on most AV solutions and it's something the user has to enable, so they did it to try and bypass that, I would assume.


5 minutes ago, Lurick said:

Generally, archived files aren't scanned by default on most AV solutions and it's something the user has to enable, so they did it to try and bypass that, I would assume.

Bruh that should be default.. Really it is weird..


1 minute ago, Wictorian said:

Bruh that should be default.. Really it is weird..

Well, I think it comes down to how big of an archive you want to scan, so it's usually off by default so they don't end up scanning gigabyte-size archives and taking forever.

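An added example, not part of any post in this thread: a mail-gateway style check for the case discussed above, a .zip attachment carrying an Office document with a macro, with the per-member size cap that the last reply gives as the reason archive scanning is often off. The function names, the 20 MB cap and the sample archive are assumptions made for illustration, and the legacy .doc test is a byte-marker heuristic, not a full OLE parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy .doc/.xls container header
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # stream name found in VBA storage
MAX_MEMBER_BYTES = 20 * 1024 * 1024              # assumed per-member scan cap

def classify(data):
    """Return 'macro', 'office' or 'other' for one extracted file."""
    if data.startswith(OLE_MAGIC):
        return "macro" if VBA_MARKER in data else "office"
    if data.startswith(b"PK"):                   # OOXML (.docx/.docm) is itself a zip
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                names = inner.namelist()
        except zipfile.BadZipFile:
            return "other"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        if "[Content_Types].xml" in names:
            return "office"
    return "other"

def scan_zip_attachment(blob, limit=MAX_MEMBER_BYTES):
    """Map member name -> 'macro', 'office', 'other', 'too-large' or 'encrypted'."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:             # password-protected member
                verdicts[info.filename] = "encrypted"
            elif info.file_size > limit:         # declared size over the cap
                verdicts[info.filename] = "too-large"
            else:
                with archive.open(info) as fh:   # read is bounded; header may lie
                    data = fh.read(limit + 1)
                verdicts[info.filename] = ("too-large" if len(data) > limit
                                           else classify(data))
    return verdicts

def build_sample():
    """Constructed sample archive; contains no real document or macro code."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"constructed")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.doc", OLE_MAGIC + b"\x00" * 64 + VBA_MARKER)
        z.writestr("notes.doc", OLE_MAGIC + b"\x00" * 64)
        z.writestr("quote.docm", docm.getvalue())
        z.writestr("readme.txt", "hello")
    return out.getvalue()
```

Members reported as `too-large` or `encrypted` were not inspected, so a gateway would typically quarantine or hold them rather than treat them as clean.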