Zero-Day Exploit Leverages Corrupted Files to Slip Past Defenses

Executive Summary

A phishing vulnerability has been recently uncovered with attachments received via email for Microsoft Office files. Customers should maintain high vigilance against phishing emails, and if you are unsure of the email’s the legitimacy, please forward it to your support team for confirmation. This new vulnerability arises from improperly downloading and executing attachments from emails that evade security defenses.

Details

Attackers have identified a new methodology to distribute  corrupted Microsoft Office files via phishing emails, these files have the ability to evade detection by email security systems due to their malformed state. Upon user interaction, Microsoft Office prompts the recipient with a “Repair” option. If the user consents, the application “repairs” the file, effectively reconstructing and activating the embedded malware.

This tactic utilizes the following processes:

• Payload Deployment: During the repair process, the malicious code embedded in the file is reconstructed into a functional state, triggering its execution.
• Initial Delivery: Corrupted files are disseminated through phishing campaigns or malicious links. The files are strategically malformed to prevent thorough analysis by email filters and antivirus tools.
• Exploit Activation: Once the file is opened, Microsoft Office identifies it as corrupted and offers to repair it.

Impact

This attack allows remote threat actors to:

• Deploy ransomware or spyware.
• Establish backdoor access for further exploitation.
• Exfiltrate sensitive data or propagate malware across networks.

The potential for operational disruption and data compromise underscores the critical nature of this vulnerability.

Mitigation Strategies

Organizations should implement the following technical measures to address this threat:

• Email Security Enhancements:
  • Integrate advanced email filtering solutions capable of identifying atypical file characteristics.
    Utilize sandboxing technologies to analyze suspicious files in a controlled environment before delivery.
• Endpoint Hardening:
  • Disable Microsoft Office’s file repair functionality for non-administrative accounts where feasible.
  • Implement endpoint detection and response (EDR) systems to monitor and respond to abnormal file behavior.
• Network-Level Defenses:
  • Employ network segmentation to limit the lateral spread of malware.
  • Monitor for anomalies in file repair requests and unauthorized file executions.
• Proactive Patch Management:
  • Regularly update software, particularly productivity suites like Microsoft Office, to mitigate known vulnerabilities.
• User Training:
  • Educate employees on the risks of opening and repairing unknown or suspicious files

Contributing Authors:

• Ismael Belem, Cyber Analyst II
• Jai Goodsell, Cybersecurity Engineer
• Craig Taylor, Director Security Operations Center
• Nima Khamooshi, Vice President, Cybersecurity