Hackers use corrupted ZIP files and Office documents to bypass antivirus and email protection

December 4, 2024 | Ravie Lakshmanan | Email Security / Malware


Cybersecurity researchers have highlighted a novel phishing campaign that uses corrupted Microsoft Office documents and ZIP archives to bypass email defenses.

“The ongoing attack bypasses #antivirus software, prevents uploads to sandboxes, and bypasses Outlook’s spam filters, allowing the malicious emails to reach your inbox,” ANY.RUN said in a series of posts on X.

The malicious activity involves sending emails containing ZIP archives or Office attachments that are intentionally corrupted so that security tools cannot scan them. These messages aim to trick users into opening the attachments with false promises about employee benefits and bonuses.


In other words, the corrupted state of the files means that email filters and antivirus software will not flag them as suspicious or malicious.

However, the attack still works because it leverages the built-in recovery mechanisms of programs such as Word, Outlook, and WinRAR, which open such corrupted files in recovery mode and reconstruct enough of the content to display it.

Bypass antivirus and email protections

ANY.RUN has revealed that the attack technique has been used by threat actors since at least August 2024, describing it as a potential zero-day attack exploited to evade detection.

The end goal of these attacks is to trick users into opening booby-trapped documents embedded with QR codes that, when scanned, redirect victims to fraudulent websites for malware delivery or fake login pages for stealing credentials.

The findings further illustrate how criminals are constantly searching for previously unknown techniques to bypass email security software and ensure their phishing emails end up in victims’ inboxes.


“Although these files function successfully within the operating system, they remain undetected by most security solutions because the proper procedures for their file types are not applied,” ANY.RUN said.

“The file remains undetectable by security tools, but user applications process it smoothly due to built-in recovery mechanisms that are exploited by attackers.”
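The gap described above (a scanner that cannot parse a file and therefore skips it, while the user's application recovers it) can be closed by treating "carries a ZIP/OOXML signature but fails to parse" as a finding rather than a pass. The following is an added example, not code from the article or from ANY.RUN; it builds a constructed minimal OOXML-style archive in memory, corrupts it by stripping the end-of-central-directory record, and shows a classifier that flags the corrupted copy.

```python
"""Flag attachments that carry a ZIP/OOXML signature but fail structural parsing.

Added example (not from the article or ANY.RUN): a gateway that skips
unparseable attachments is what this campaign relies on, so the safer
default is to classify "looks like a ZIP but will not parse" as suspicious.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                       # local file header of ZIP / OOXML
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file


def classify_attachment(data: bytes) -> str:
    """Return 'clean-zip', 'corrupt-zip', 'ole', or 'other'.

    'corrupt-zip' is the case the campaign abuses: the signature is present,
    so Word/WinRAR attempt recovery, but a by-the-book parser gives up.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # testzip() returns the first bad member name, or None if all ok
                return "corrupt-zip" if zf.testzip() is not None else "clean-zip"
        except zipfile.BadZipFile:
            return "corrupt-zip"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "other"


def build_minimal_docx() -> bytes:
    """Constructed sample: a tiny OOXML-style archive assembled in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def corrupt_central_directory(data: bytes) -> bytes:
    """Constructed corruption: drop the end-of-central-directory record.

    Local file headers (which recovery routines walk) stay intact, while the
    trailer that strict parsers rely on is gone.
    """
    return data[: data.rfind(b"PK\x05\x06")]


if __name__ == "__main__":
    good = build_minimal_docx()
    print(classify_attachment(good), classify_attachment(corrupt_central_directory(good)))
```

In a mail pipeline, a "corrupt-zip" verdict should route the attachment to quarantine or detonation rather than to delivery, since the absence of a parseable structure is the signal here.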
