Can Corrupted MS Office Files Really Bypass Your Email Security?

December 3, 2024

Phishers have now devised an innovative and troubling method to bypass email security, utilizing corrupted Microsoft Office files that exploit the predictable behaviors of software recovery processes. This new tactic targets users with enticing messages about payments, benefits, or year-end bonuses through phishing campaigns that send emails with seemingly corrupted attachments such as ZIP or DOCX files. When recipients attempt to access these attachments, they are prompted to recover the document contents using standard recovery features in commonly used software such as Microsoft Word, Outlook, or WinRAR. Following this recovery, users are then directed to scan a QR code that leads to a fake Microsoft login page designed to capture their login credentials.

This phishing strategy effectively sidesteps email security measures, spam filters, and antivirus software detection. Initially, most antivirus solutions monitored by VirusTotal did not flag such corrupted files as harmful because the files often appeared “clean” or resulted in “Item Not Found” outcomes. Active since August 2024, this method not only bypasses traditional security mechanisms but also thwarts attempts to upload these files to sandbox environments for security analysis, making detection even more challenging. The sophistication of this method highlights a significant evolution in phishing tactics, demonstrating the necessity for advancing detection algorithms and strengthening security measures.

The core reason behind the effectiveness of this method lies in its manipulation of software’s built-in recovery processes. By exploiting routines meant to help users retrieve lost or corrupted files, these campaigns deliver their malicious content while evading detection. For organizations and individuals, the best line of defense remains a vigilant and cautious approach to handling unexpected email attachments. Verifying the authenticity of any email that includes such attachments before attempting to recover or open the files is paramount in mitigating this threat.
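Why a scanner reports such a file as "clean" while Word still opens it is easy to see with a gateway-side check. A DOCX is a ZIP container, and a file that still carries the ZIP local header and Office part names but fails to parse as a ZIP is exactly what Word offers to recover; a mail filter should classify that as suspicious rather than pass it. The following is an added example, not code from the article or from any vendor; the sample document and the damage applied to it are constructed inline, and the labels returned by `classify_attachment` are my own naming.

```python
import io
import zipfile

# Minimal parts that every DOCX (OOXML) container carries; constructed sample content.
_DOCX_PARTS = {
    "[Content_Types].xml": b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
    "word/document.xml": b'<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
}


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal, well-formed DOCX container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in _DOCX_PARTS.items():
            zf.writestr(name, data)
    return buf.getvalue()


def corrupt_central_directory(data: bytes) -> bytes:
    """Constructed damage: cut the file just before the ZIP central directory.
    Strict parsers then reject it, while the local file headers (which a
    recovery routine can rebuild from) remain intact."""
    cut = data.rfind(b"PK\x01\x02")  # central directory file header signature
    return data[:cut]


def classify_attachment(data: bytes) -> str:
    """Return 'office-ok', 'office-corrupted' or 'not-office'.

    'office-corrupted' means the bytes look like an Office container (ZIP local
    header plus OOXML part names) but do not parse or verify as a ZIP, which is
    the condition a gateway should flag instead of reporting 'clean'."""
    looks_like_office = data.startswith(b"PK\x03\x04") and any(
        marker in data for marker in (b"word/", b"xl/", b"ppt/", b"[Content_Types].xml")
    )
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            first_bad_member = zf.testzip()  # CRC-checks every member
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "office-corrupted" if looks_like_office else "not-office"
    if first_bad_member is not None:
        return "office-corrupted" if looks_like_office else "not-office"
    return "office-ok" if "[Content_Types].xml" in names else "not-office"
```

A rule that quarantines `office-corrupted` results (or routes them for manual review) closes the gap between "the scanner could not parse it" and "the user's application will happily repair it".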

In summary, the use of corrupted documents in phishing campaigns signifies an emerging threat that leverages predictable software recovery behaviors while evading traditional antivirus and email filter protections. This method’s success underscores the need for improved detection technologies and proactive security practices. Users must stay informed and adopt rigorous verification processes to combat this sophisticated phishing technique, ultimately safeguarding their credentials and sensitive information while remaining vigilant against unanticipated email threats.
