Corrupted Word Attachment Uses QR Code to Bypass Scanners and Phish Microsoft 365 Credentials
Attack Overview
Step 1: Email
The attacker sends a benefits-themed email with a Microsoft Word attachment. The document appears corrupted, which allows it to bypass many traditional scanners.

- Attachment is a Word doc intentionally structured to seem broken.
- Email content refers to HR benefits to entice user interaction.
- The attachment bypasses analysis due to apparent corruption.
Step 2: Recovered File and QR Code
Despite appearing broken, the document can be opened using Microsoft Office’s built-in file recovery. It contains company branding, personalized content, and a QR code.

- Microsoft Office’s recovery renders the file readable.
- Includes target company logo and employee name.
- Contains a QR code intended for mobile scanning.
Step 3: QR Code Redirects to Phishing Site
When scanned, the QR code directs the target to a spoofed Microsoft 365 login page designed to capture credentials.

- No URLs in the email body—phishing link is in the QR code.
- Page mimics Microsoft branding.
- Target credentials are stolen upon submission.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- Corrupted attachments are often skipped by scanners.
- The email passed SPF/DMARC authentication checks, so sender-authentication filters did not flag it.
- The phishing link is hidden within a QR code inside the document.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Unusual sender behavior and benefits-themed bait content.
- Detection of attachments that appear broken but are still recoverable.
- QR code analysis and NLP detecting credential phishing intent.
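The detection point about attachments that look broken but still recover is worth seeing in code. The example below is added here and is not Abnormal Security's detection logic or any code from the page; it assumes (as a modelling choice, since the page does not say how the document was damaged) that the "corrupted" .docx is an OOXML zip whose central directory is unusable while the local file entries before it are intact, which is exactly what an Office-style repair can walk and rebuild. The sample document, its lure text and the placeholder PNG standing in for the QR image are all constructed. A scanner that simply gives up when `zipfile` rejects the file would miss it; this one falls back to scanning local headers, CRC-verifies what it recovers, and flags the combination of "unparseable container, recoverable document body, embedded image, QR-style lure text".

```python
import io
import re
import struct
import zipfile
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"


def build_sample_docx() -> bytes:
    """Constructed stand-in for a benefits-themed .docx: a minimal OOXML zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(
            "word/document.xml",
            "<w:document><w:body><w:p><w:r>"
            "<w:t>Scan the QR code to review your 2024 benefits enrollment</w:t>"
            "</w:r></w:p></w:body></w:document>",
        )
        # Placeholder PNG bytes standing in for the embedded QR image (constructed).
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return buf.getvalue()


def damage_central_directory(data: bytes) -> bytes:
    """Model the 'appears corrupted' trick (an assumption about the technique):
    overwrite the central directory and end-of-central-directory record so the
    zip library rejects the file, while every local entry stays intact."""
    eocd = data.rfind(EOCD_SIG)
    cd_offset = struct.unpack("<I", data[eocd + 16:eocd + 20])[0]
    return data[:cd_offset] + b"\xff" * (len(data) - cd_offset)


def recover_entries(data: bytes) -> dict:
    """Walk local file headers directly, as a repair routine would, keeping
    only entries whose inflated content matches the CRC-32 in the header."""
    entries = {}
    pos = 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            break
        (_ver, _flags, method, _t, _d, crc, csize, _usize,
         name_len, extra_len) = struct.unpack("<HHHHHIIIHH", data[pos + 4:pos + 30])
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        payload = pos + 30 + name_len + extra_len
        pos += 4  # default advance in case this header turns out to be bogus
        if payload > len(data):
            continue
        if method == 8:  # deflate: inflate to end-of-stream, ignore size fields
            inflater = zlib.decompressobj(-15)
            try:
                content = inflater.decompress(data[payload:])
            except zlib.error:
                continue
            if not inflater.eof:
                continue  # truncated stream, not trustworthy
            consumed = len(data) - payload - len(inflater.unused_data)
        elif method == 0:  # stored
            content = data[payload:payload + csize]
            consumed = csize
        else:
            continue
        if zlib.crc32(content) & 0xFFFFFFFF != crc:
            continue
        entries[name] = content
        pos = payload + max(consumed, 1)
    return entries


QR_LURE = re.compile(r"\bQR\b|\bscan\b", re.IGNORECASE)


def assess_attachment(data: bytes) -> dict:
    """Classify a Word attachment: well-formed, recoverable-but-broken, or junk."""
    result = {"parses_as_zip": True, "has_document": False,
              "has_embedded_image": False, "qr_lure_text": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            entries = {n: z.read(n) for n in z.namelist()}
    except zipfile.BadZipFile:
        result["parses_as_zip"] = False
        entries = recover_entries(data)  # do what the victim's Office will do
    doc = entries.get("word/document.xml")
    if doc is not None:
        result["has_document"] = True
        text = " ".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>",
                                   doc.decode("utf-8", "replace")))
        result["qr_lure_text"] = bool(QR_LURE.search(text))
    result["has_embedded_image"] = any(n.startswith("word/media/") for n in entries)
    if result["parses_as_zip"]:
        result["verdict"] = "well-formed"
    elif result["has_document"]:
        result["verdict"] = "recoverable-corrupt-docx"
    else:
        result["verdict"] = "unrecoverable"
    return result


if __name__ == "__main__":
    sample = build_sample_docx()
    print(assess_attachment(sample))
    print(assess_attachment(damage_central_directory(sample)))
```

The useful signal is the verdict `recoverable-corrupt-docx`: a container the library refuses to open but whose document body and media parts inflate cleanly with matching CRCs is behaving like a file built to fail automated parsing while still rendering for the user, and that mismatch, rather than the corruption alone, is what deserves a closer look (image extraction and QR decoding would follow from the recovered `word/media/` parts).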
By establishing a baseline of normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.