A new malware threat has been working its way around the web over the last 48 hours. We have started seeing instances of malicious spam hit our servers. The emails are made to look like an invoice and include a Word (.doc) file, or other documents that are compressed and attached as a .zip file.
The .doc documents generally contain malicious macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Spammers often use macros to carry out malicious actions when a user works with the document.
These particular emails target Windows and Microsoft Office users. Users who open the attachment on Apple or Android devices, or with Office alternatives such as LibreOffice and OpenOffice, should be safe, but do not enable macros if the attached file asks you to.
The email begins as a very simple plain-text message pretending to come from a vendor with an invoice attached, as seen in the examples below. Note that, in an effort to evade filters or at least make blocking harder, the spammer has been using .doc files, a commonly emailed file type. The attachment usually has a basic name such as invoice.doc, batch.doc, etc.
As for the .zip files, these can contain an infected .doc file or other malicious items such as ransomware. Ransomware is a particularly nasty piece of malware: it not only encrypts local files, but also seeks out attached storage and network shares and encrypts everything on those as well. It then prompts the user to pay a ransom to decrypt the files.
When you receive emails such as this, please review the company being referenced as well as the sender's address. Some of these emails use a spoofing technique to make the message appear to come from an email address on your own domain. In most instances, those addresses are not valid hosted addresses on your domain, so it is important to know which email addresses on your domain are actually valid.
We are currently taking steps to adjust the filters on our end to capture similar emails going forward. If at any time you are skeptical of an email you have received, please feel free to reach out to us for assistance at firstname.lastname@example.org. You can also find some additional steps on how to handle suspicious emails here.
You can also scan suspicious files and URLs using VirusTotal, located here.
Examples of the referenced spam: