Barracuda Networks  flagged a “critical alert” when it detected attack attempts to steal user passwords. This threat lures victims with Microsoft 365 Office files claiming to be tax forms or other official documents; attackers use urgent language to convince people to open the attachment.

Examples of this tactic include files named “taxletter.doc” and phrases like “We are apprising you upon the arisen tax arrears in the number of 2300CAD.” The use of popular file types like Word and Excel, which are globally known and used, further ensures victims will fall for it.

“Today’s documents are far more active … you’re putting in a lot of content, media, links,” says Fleming Shi, senior vice president of technology at Barracuda, comparing this threat with phishing attacks of the past. “Bad guys are leveraging the dynamic, active manner of the documents today to weaponized their files.”

In this case, users are hit with the password stealer when they download and open the malicious document. When the document opens, a macro inside launches PowerShell, which acts in the background while the victim views the document.

Tens of millions of people have been affected by these phishing emails, Shi says, and attackers evade detection by crafting different emails. While Exchange server makes up a large portion of people affected, Shi notes other types of email accounts are also targeted with the malicious files.

“What they do is they rotate the content of the email; they rotate sender information,” he continues. Signature-based systems won’t catch these messages because changing the characteristics of malicious emails changes their fingerprint.

Password theft is increasing overall, a sign of attackers shifting their goals and strategies, Shi explains. Ransomware was big last year; this year, password stealers are appearing in phishing emails, browser extensions, and other programs as criminals hunt login data.

It’s all part of a broader trend of sneaky spearphishing and targeted attacks, he says. Usernames and passwords grant access to multiple systems and applications a particular user is attached to, as well as social media sites and contact lists to fuel future attacks.

“Some attackers try to be like a sleeper cell on your system,” Shi notes. Instead of seeing a red flag, victims will notice subtle clues they have been compromised: their system will slow down; they’ll see more pop-ups. All are signs they’ve lost control of applications on their system.

o recap, the techniques being used in these attacks are: 

  • Phishing: Attackers send emails that encourage recipients to open attachments containing malicious content.  
  • Impersonation: Malicious attachments are disguised as official documents such as important tax forms.  
  • Avoiding Detection: Attackers use trusted file types like Word and Excel to hopefully evade server detection.   

Take Action: 

User Security Training and Awareness — Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training.  

Layering employee training with an email security solution that offers sandboxing and advanced threat protection should block malware before it ever reaches the corporate mail server. And, for additional protection against messages that contain malicious links, you can deploy anti-phishing protection that includes Link Protection to look for links to websites that contain malicious code. Links to these compromised websites are blocked, even if those links are buried within the contents of a document. 

Working with an IT Support Managed Services Company that offers a more secure Hosted Exchange Email System is recommended