Cybersecurity researchers have uncovered a sophisticated phishing campaign that leverages Microsoft Word’s file recovery functionality to bypass email security systems. This newly observed tactic involves sending intentionally corrupted Word documents as email attachments. These attachments evade detection due to their damaged state, though they remain recoverable within the Word application.

The campaign, identified by cybersecurity firm Any.Run, uses emails crafted to appear as communications from payroll or human resources departments. All attachments contain a base64-encoded string (“IyNURVhUTlVNUkFORE9NNDUjIw”) and carry names that allude to common HR-related themes such as annual bonuses or quarterly results. The file is initially unreadable by Microsoft Word; once recovered, it is usually emblazoned with the familiar branding of a well-known media organisation and instructs the user to scan a QR code to access the ‘full’ document. The code instead takes the user to a phishing site, where they are asked to enter their Microsoft credentials.

A novel evasion strategy

While the objective of stealing login credentials is not new, the use of corrupted Word files is a unique approach to evading detection by security systems. According to Any.Run, these files exploit a gap in many security tools’ ability to analyse corrupted file types. “Although these files operate successfully within the OS, they remain undetected by most security solutions due to the failure to apply proper procedures for their file types,” explained the cybersecurity firm.

Analysis of the campaign’s attachments showed that most were flagged as “clean” or “Item Not Found” on VirusTotal, with only a small number being detected by two antivirus vendors. This could be attributed to the absence of malicious code within the documents, which primarily display the QR code.

Experts warn users to exercise caution with unsolicited emails, especially those containing attachments. Emails from unknown senders should be deleted immediately or verified with a network administrator before opening any files.

Last month, another new evasion tactic involving a ZIP file exploit on Windows systems was identified. Cybersecurity provider Perception Point revealed that threat actors are increasingly using ZIP file concatenation to smuggle malware onto corporate networks. This technique takes advantage of the differing ways various ZIP readers and archive managers process concatenated ZIP files, allowing attackers to hide malicious payloads that evade detection by security solutions and mislead analysts relying on standard ZIP tools.
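An added example, not code from Any.Run or Perception Point, that ties the two evasion tactics above together: a defender-side triage function that flags a Word attachment whose ZIP container no longer parses (the state Word has to “recover” from), one carrying the campaign’s base64 marker string, or one holding more than one ZIP end-of-central-directory record, the footprint of a concatenated archive. The container builder and the three sample inputs are constructed for the demonstration.

```python
import io
import zipfile

# Base64 marker string reported for this campaign's attachments.
CAMPAIGN_MARKER = b"IyNURVhUTlVNUkFORE9NNDUjIw"
EOCD_SIGNATURE = b"PK\x05\x06"  # ZIP end-of-central-directory record


def triage_docx(data: bytes) -> dict:
    """Structural triage of a Word attachment (a .docx is a ZIP container).

    A file Word must 'recover' is one whose ZIP structure is broken; a
    scanner that gives up when the container fails to parse sees nothing.
    Concatenated archives leave more than one end-of-central-directory
    record, which standard ZIP tools silently ignore.
    """
    findings = {
        "valid_zip": False,
        "has_word_document": False,
        "eocd_records": data.count(EOCD_SIGNATURE),
        "campaign_marker": CAMPAIGN_MARKER in data,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            findings["valid_zip"] = zf.testzip() is None
            findings["has_word_document"] = "word/document.xml" in zf.namelist()
    except zipfile.BadZipFile:
        pass  # corrupted container: exactly the case the campaign relies on
    findings["suspicious"] = (
        findings["campaign_marker"]
        or not findings["valid_zip"]
        or findings["eocd_records"] > 1
    )
    return findings


def make_docx() -> bytes:
    """Constructed minimal OOXML-style container (hypothetical sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


GOOD = make_docx()
# Constructed stand-in for a damaged attachment: the ZIP central directory is
# truncated away and the campaign marker appended.
CORRUPTED = GOOD[: len(GOOD) // 2] + CAMPAIGN_MARKER
CONCATENATED = GOOD + make_docx()  # two archives glued end to end
```

Run over a mail gateway's attachment stream, the three flags separate “scanner could not parse it” from “scanner found nothing”, which is the distinction the VirusTotal results above blur.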
