Convincing Spam Emails Contain Macro Malware

Email has long been the preferred method of communication for businesses and individuals across the internet. Unfortunately, with the popularity of this medium and the fact that it can be relatively insecure, email has also been a preferred method of delivering malware, viruses, and bad times. Recent news has much of the same—we're seeing an increase in malicious spam emails containing Microsoft Office documents (.doc, .docm) littered with virus-downloading macros.

For those of you who might not be familiar with macros, they are "a series of commands and instructions that you group together as a single command to accomplish a task automatically." Macros are a great tool for automating some of those monotonous processes in your everyday life, whether it's sending mass emails based on data, creating forms that submit data to a database, or many other tasks. Because macros can do so much, they have long been a favorite tool of scammers for downloading malicious payloads onto computers to harvest data, including logins, passwords, banking information, and just about anything else that you might use on your computer.

The worst part about these emails? Well, as with the rest of the internet, phishing has become more sophisticated over time. With each passing day, phishing emails look more and more like the real thing, even going as far as to copy the email template, colors, layouts, and even links that the real company or service would use. This means that, for the majority of casual internet users, you might not even notice or be aware that the email you're looking at is actually malicious spam.

How these malicious emails work is even more interesting, especially if you're a Microsoft Outlook user. The idea of it all is to convince you, the person who received the email, that it is legitimate enough to open and download the file. In one method, the "phisher" provides a link to a website to download the information—this ends up being the lesser of the two evils because you can simply not visit the link and you're golden. In the more prevalent method, the document file is attached right to the email ready for you to download and open. This document usually contains a macro that directs your computer to access a payload on the internet and download it. This payload can be any number of viruses, malware, or other malicious software, and is downloaded either when you open the document or when you close it.

If you use Microsoft Outlook as your primary email application, you could be in a bit more trouble than other users. Outlook has a feature built into it where it can preview the attachment right in the application. This means that Outlook opens the file for you so you can see what might be inside of it at a glance. In doing so, however, it can potentially open you up to these malicious payloads without you even downloading the document to your computer. This feature, as well as running macros automatically, can be turned off (and, for safety's sake, should be) from within your "Trust Center" settings inside of your Microsoft Office applications, but both are enabled by default.

Here is an example of one of these emails:
[Image: Document Macro Malware Example Email] A relatively sophisticated email that looks like it came from Bank of America. There are some discrepancies, however.

Because of the obvious security implications, any identifying information was redacted, but this image still gets the point across. As you can see, an email looking suspiciously like a payment request from Bank of America was received, complete with an Account Number. Now, as a financial manager of a business, who might also work with Bank of America, this email might set off alarm bells. Almost $900 of overdue and unpaid bills, in an email that came less than one week from the due date, would send anyone into a panic.

There are some key features to see in this email, and we've highlighted them with colored boxes. First is the blue box at the top of the image. Take a look at the sender's address: <billpay@billpay.bankofamerica.comfguzman@valleorganico.cl>. This should be a strong indicator that the email is fake/malicious, as it's not coming from the proper <bankofamerica.com> domain. The section after the last "@" is the important part that tells you where the email is coming from, and in this case, it's coming from <valleorganico.cl>, an organic produce vendor out of Mexico.

Now, this doesn't necessarily mean that Valle Organico is actually sending you these emails, or that it is a malicious company. More likely, somebody compromised their server using this phishing attempt, and it has become a part of a large chain of servers and emails being used to get more data and reach more people. Our recommendation is always to check exactly where the email is coming from, especially if you're unsure or confused about something in it. This is the first line of defense when it comes to protecting yourself from malicious emails.
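To make the "look after the last @" rule concrete, here is an added example (our illustration, not code from the original post or from Armor Techs) that pulls the address out of a From header, takes the domain after the final "@", and compares it with the domain you expected. It goes one step beyond the article by also sorting a mismatch into "lookalike" (the expected domain appears earlier in the address, as in the Bank of America example) versus a plain "mismatch". The sample headers are constructed; the first two reuse the addresses visible in the screenshots above.

```python
"""Added example (not from the original post): apply the article's rule for
reading a sender address, i.e. trust only the part after the LAST "@".
Sample From headers are constructed, modelled on the two emails above."""
import re

# Matches the addr-spec inside angle brackets at the end of a From header.
ANGLE_ADDR = re.compile(r"<([^<>]*)>\s*$")


def extract_address(from_header: str) -> str:
    """Return the raw address from "Display Name <addr>" or a bare addr.

    The display name is ignored on purpose: "David" or "Bank of America" is
    free text the sender controls and proves nothing about origin.
    """
    match = ANGLE_ADDR.search(from_header.strip())
    return (match.group(1) if match else from_header).strip()


def sender_domain(from_header: str) -> str:
    """Domain the message actually came from: everything after the last "@"."""
    address = extract_address(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def sender_matches(from_header: str, expected_domain: str) -> bool:
    """True only if the domain is expected_domain or one of its subdomains.

    The subdomain test needs the leading dot so that a lookalike such as
    notbankofamerica.com does not pass for bankofamerica.com.
    """
    domain = sender_domain(from_header)
    expected = expected_domain.lower()
    return bool(domain) and (domain == expected or domain.endswith("." + expected))


def verdict(from_header: str, expected_domain: str) -> str:
    """Classify a From header against the brand it claims to represent.

    'ok'        - domain after the last "@" is the expected one
    'lookalike' - the expected domain appears earlier in the address (or the
                  address carries more than one "@"), but the real domain differs
    'mismatch'  - an unrelated domain with no attempt to imitate the brand
    """
    if sender_matches(from_header, expected_domain):
        return "ok"
    address = extract_address(from_header).lower()
    local_part = address.rsplit("@", 1)[0] if "@" in address else address
    if expected_domain.lower() in local_part or address.count("@") > 1:
        return "lookalike"
    return "mismatch"


# Constructed sample headers: the first two reuse the addresses shown in the
# article's screenshots, the third is what a genuine sender could look like.
SAMPLE_HEADERS = {
    "bank_lookalike": "Bank of America "
                      "<billpay@billpay.bankofamerica.comfguzman@valleorganico.cl>",
    "jeans_vendor": "David <david@sexyjeans.com.mx>",
    "genuine_subdomain": "Bill Pay <billpay@billpay.bankofamerica.com>",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:18} domain={sender_domain(header):28} "
              f"{verdict(header, 'bankofamerica.com')}")
```

The header is parsed by hand rather than with a library routine on purpose: an address with two "@" signs is malformed, and parsers differ in whether they reject it or keep the first domain, whereas the rule the article gives (read the part after the last "@") is what you want a filter to apply consistently.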

The second feature, marked with the red box, is the download link we mentioned above. This ends up being one of the phishing attempts that has you visit a website to download the malicious document. This should be a red flag in and of itself when it comes to making online payments like this. Almost every service allows you to check on the status of your account through an online portal. You should log into your account directly from the (in this case) Bank of America website, and navigate from there to view your bills and payments. Just think about it: if you could click a link and see all of the information pertaining to the account, the payments, and the balance, wouldn't you start questioning Bank of America's security? No log-in, no password—just free information, for anyone to see.

Now, this isn't to say that a real Bank of America invoice wouldn't have a link exactly like this (and it probably does); what we're saying is that if you receive an email like this, for your security and peace of mind, you should visit the website directly, rather than trusting a link in an email to take you to the correct place.

Here is a slightly less sophisticated email:
[Image: Document Macro Malware Example, with Attachment] A lesser phishing attempt, with attached .doc file and compromised email server.

This email is obviously a lot less sophisticated, and has less to it, but could still be seen as legitimate by the ill-informed or unsuspecting user. Taking a first look at this email, we can again check the sender's address, again in the blue box. Even though the display name is "David," the email is from a <sexyjeans.com.mx> address. This isn't an address that has any relevance to the information in the email, and it doesn't give a ton of information. What it does give, however, is the first point of questioning. A quick Google search for that domain shows it's an out-of-country denim jean retailer, which should seem odd considering the email wasn't branded as such.

Secondly, we see there is an attachment (again in red), specifically a document with the ".doc" extension. Let's talk about that extension for a moment: it's an extension that hasn't actively been used since Microsoft released the ".docx" format in 2007. This should really be the first indicator that something is up. There isn't a single business that benefits from sending invoices, payment requests, and the like through a fully editable document format like ".doc", or even ".docx". PDFs have been the standard for this sort of communication for the longest time, and have added security benefits over document formats.

We can also look at the verbiage (although sparse) of the email to give us more of an idea if it should be disregarded. Generally speaking, most professional communication is written with proper grammatical and syntactical structure. Anything less than this can automatically be flagged as suspicious—just think about the way you email your clients. Do you want them to trust you, and the authority your brand has? You certainly won't get that trust by typing like you don't have a grasp on the language, or simply don't care.

The final point we want to touch on about this email is one of email etiquette. For all intents and purposes, any professional company reaching out to you should have some sort of branding in their email, be it a logo, signature, contact information, or something that actively ties the email user to the business. While this doesn't always mean that the email is safe (as in the case of the Bank of America email above), it's a good starting place for understanding who, what, and where an email is coming from. Any email requesting your input, whether data or money, should have confidence-establishing factors to give you, the user, peace of mind when handing over that information.

Now you might be asking yourself, "If phishers are getting more sophisticated, how will I protect myself and/or my business?" Well, we mentioned a few steps above but let's put them together here:

  1. Disable attachment previews and automatically running macros in your Microsoft Office applications (if applicable).

  2. If the email looks suspicious, be suspicious of it. Google can be a huge tool when determining what is real, and what isn't.

  3. When in doubt, ask someone. If you're one of our clients, feel free to email our support email for more information.

  4. To protect your business, set a standard of using modern and secure methods of transmitting data, so the antiquated or less secure methods are easy to spot.

  5. Remember that if it seems too good to be true, it definitely is too good to be true—especially on the internet.

Now, if you are a client of ours at Armor Techs, you have an added security benefit. As of September 25th, we have disabled the ability to send ".doc" files through email. Now, this might seem like an inconvenience to some of you, and this view is understandable. The fact of the matter is, as we mentioned before, that the ".doc" file extension hasn't been the best, or most secure, choice for documents since 2007. You should be doing yourself and your business a favor by using the modern ".docx" format for added security and peace of mind. Plus, when sending out vital payment-related information, it should be sent in a format that isn't editable, such as a PDF. This ensures that your data is accurate, and that you don't have communication problems with clients, especially tech-savvy clients that might try to manipulate or trick you for whatever reason.

If ".doc" is something you just aren't willing to give up, you can still send those over email on our server with just one added step. Simply put the document into a zip archive of some sort, whether using 7-Zip, WinRAR, or even WinZip. Creating this archive will prevent the preview functionality from working and requires the recipient to extract the file to view it, but it will still allow you to send the file without issues. Windows (after Windows 7) will let you create archives without installing external applications: all you need to do is right-click the file, select "Send To," and then select "Compressed (zipped) folder."
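The attachment policy described here (block ".doc" outright, let a zip archive through because it defeats the preview) is the kind of rule a mail filter can apply mechanically. The following is an added example written for this article; it is not Armor Techs' own filter code. It blocks ".doc" and macro-enabled ".docm" attachments by extension, reports what a zip archive contains without extracting anything to disk, and, going one step beyond the text, also recognises a legacy Word file that was renamed to a harmless-looking extension by the OLE2 header bytes that ".doc" files start with (a well-known constant, assumed here rather than taken from the article). The sample message with its four attachments is constructed test data.

```python
"""Added example (not Armor Techs' code): a mail-filter style check that
mirrors the attachment policy described in the article. Blocks legacy .doc
and macro-enabled .docm, allows zip archives (no preview) while listing
what they hold, and flags a .doc renamed to another extension by its
OLE2 header bytes (an assumption beyond the article's text)."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article singles out.
BLOCKED_EXTENSIONS = {".doc", ".docm"}
# First bytes of the OLE2 compound file format that legacy .doc uses.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _extension(filename: str) -> str:
    return ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""


def check_attachments(msg: EmailMessage) -> list:
    """Return (filename, verdict) for every attachment of a parsed message."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = _extension(name)
        if ext in BLOCKED_EXTENSIONS:
            results.append((name, "blocked: legacy or macro-enabled Word document"))
        elif data.startswith(OLE_MAGIC):
            results.append((name, "blocked: OLE document disguised under another extension"))
        elif ext == ".zip" and zipfile.is_zipfile(io.BytesIO(data)):
            # Only the member names are read; nothing is extracted to disk.
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                inner = [n for n in archive.namelist()
                         if _extension(n) in BLOCKED_EXTENSIONS]
            result = "allowed: archive (no preview)"
            if inner:
                result += " containing " + ", ".join(inner)
            results.append((name, result))
        else:
            results.append((name, "allowed"))
    return results


def check_raw_message(raw: bytes) -> list:
    """Parse raw RFC 5322 bytes, as a filter receives them, then check them."""
    return check_attachments(message_from_bytes(raw, policy=policy.default))


def build_sample_message() -> EmailMessage:
    """Construct a test message with four attachments (constructed data)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "David <david@sexyjeans.com.mx>"
    msg["To"] = "billing@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("please see attached")
    fake_doc = OLE_MAGIC + b"\x00" * 24          # minimal stand-in for a .doc
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="invoice.doc")
    msg.add_attachment(fake_doc, maintype="application", subtype="octet-stream",
                       filename="invoice.txt")   # same bytes, innocent name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.doc", fake_doc)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg


if __name__ == "__main__":
    for filename, result in check_raw_message(build_sample_message().as_bytes()):
        print(f"{filename:14} {result}")
```

Running it prints one line per attachment: the ".doc" and the renamed ".txt" are blocked, the zip is allowed but reported as holding "invoice.doc", and the PDF passes. In a real deployment the zip verdict is where you would decide whether listing the contents is enough or whether archived ".doc" files should be quarantined for review as well.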