Spearphishing

What is a Spearphish?

A malicious email that targets an individual and appears to come from a trusted sender. The spearphish contains a link or attachment that appears safe to open. If the link is clicked or the attachment opened, malicious software can be silently installed on the computer. This gives the cybercriminals remote access to the computer; they can then steal the individual's personal information, business files, and passwords stored on the hard drive and network shared folders, and search for and compromise other computers in the organization in order to steal more data.

Examples of Suspicious Attachments

Note: The following are tested on Windows 10 and Office 2013 (other versions may display different messages or none at all).


Word document with text: Document created in earlier version of Microsoft Office Word. To view this content, please click 'Enable Editing' from the yellow bar and then click 'Enable Content'
Excel document with text: Office 365. This document was created with Office 365. In order to view the contents of the survey, Macros must be enabled.

1. Word Macro — Word file (.doc, .docm) contains a script. Warning appears in yellow bar at the top.

2. Excel Macro — Excel file (.xls, .xlsm) contains a script. Warning appears in yellow bar at the top.

Word document with text: 'Protected document. This document is protected in Microsoft Office and requires human verification. Please Enable Editing and Double Click below to prove that you are not a robot.' Image of an open envelope with text: 'Double Click Here to Unlock Contents'
Word document with text: 'Please enable editing mode to view included documents' in a banner. Three Word document icons and titles are listed below.

3. Word VBS 1 — Word file (.doc) contains a script. Warning appears if script is double-clicked.

4. Word VBS 2 — Word file (.docx) contains a script. Warning appears if script is double-clicked.

PDF document with a security popup box saying: 'This document is trying to connect to: drive.google.com. If you trust this site, choose Allow. If you do not trust this site, choose Block.' Text in the document says: 'Your version of Adobe Flash Player is outdated! Please wait while the file is downloading.'
Word document with a security popup box saying: 'This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?' In the document, there is a white square with a black outline as the only content on the page.

5. Acrobat Script — PDF file (.pdf) contains a script. Warning appears.

6. CVE-2017-0199 — Word file (.doc) contains an exploit. Warning appears.

Office loading window with a Windows Installer window over it preparing to install something.
Office loading window with a Windows Installer window over it configuring Microsoft Office Professional Plus 2013.

Office loading window with text: 'Converting: resignation.doc (95%).'
Word document open with seemingly no content and an equals sign placed randomly on the page.

7. CVE-2012-0158 a-d — Word file (.doc) contains an exploit. Additional Office components are installed, then the document is converted, but no warning appears.

Word document with a security popup saying: 'This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?' The Word document has non-English content.
PowerPoint document with a security popup listing the file path to the linked file and stating that PowerPoint has blocked the external program, but that you can re-enable it. Behind it is a slide with a link.

8. CVE-2017-8759 — Word file (.doc) contains an exploit. Warning appears.

9. PowerPoint — PowerPoint file (.ppsx) contains a script that activates when the user hovers the mouse over the link. Warning appears.

Word document with a security popup warning about linked files. Behind it is a US SEC seal and approval documentation.
Word 2010 loading window that shows a file being downloaded from an external site.

10. Word DDE — Word file (.docx) contains a link. Warning appears.

11. Word Callback — Word file (.doc) contains a link. No warning in Word 2010.

PDF document with a popup asking to open a Word document. The PDF contains the text 'Hello'.
Word document with the heading 'Question about story' and a few questions and spaces to answer. Below that are two white boxes.

12. Acrobat Word — PDF file (.pdf) contains Word doc. Warning appears.

13. CVE-2017-11882 — Word file (.doc) contains an exploit. No warning.

Excel sheet with a security popup warning that the workbook links to external sources.
OneNote document with a lock sign and a message asking you to 'Please double-click to open the document.' A Word document icon with the same name is shown below the message.

14. Excel Package — Excel file (.xlsx) contains a script. Warning appears.

15. OneNote — OneNote file (.one) contains Word doc. No warning.

Excel workbook with a security notice saying the file contains a link that auto-updates the contents.
Excel workbook with a popup saying that the remote data is not accessible and that Excel needs to start another application. It wants to start 'MSEXEL.EXE'.

16. CSV a-b — CSV file (.csv) that contains a link, opened in Excel. Warning appears.

Email message opened in Outlook with a message about a CV. Attached is what appears to be a PDF, and a broken image link at the bottom of the message.

17. Email Resume — Email contains a web bug (a remotely hosted image used to confirm that the message was opened). A missing-graphic icon appears if image download is blocked.


What should I do if I receive a spearphish?

Ask the sender to confirm that they sent it (preferably by telephone call), scan the attachment with anti-virus software, and report it to your department's IT staff.

The following emails would be considered suspicious:

  • Email with a link or attachment from someone you don’t know or from an odd email address, e.g. navy.ombudsman@yahoo.com, johnn.smith@gmail.com
  • Email with a link or attachment from someone you do know but the message looks odd, e.g. weird punctuation or grammar, wrong salutation or valediction
  • Email with a link or attachment that references a resume, survey, or questionnaire
  • Older Microsoft Office attachments with 3-letter file extensions, e.g. .csv, .rtf, .doc, .xls, .ppt
  • Newer Microsoft Office attachments with 4-letter file extensions that contain macros (ending in "m"), e.g. .docm, .xlsm, .pptm, .dotm, .xltm, .potm
  • Attachments that have strange file extensions, e.g. .chm, .hta, .js, .jse, .lnk, .sct, .vbe, .vbs
  • Keep in mind that attachments may be zipped, with or without a password, and could come from your own staff, even as a reply to something you previously sent them
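The indicators in the list above can be turned into a simple triage helper that a help desk or mail gateway could run over an incoming message's sender, subject and attachment names before anyone opens anything. This is an added example, not code from the original page: the extension categories are the ones listed above, while the free-webmail domain list, the lure words and the scoring threshold are assumptions chosen for illustration, and the sample messages are constructed.

```python
"""Triage an email's sender, subject and attachments against the page's indicators.

Added example; extension lists come from the page, everything else is an assumption.
"""
import re
from email.utils import parseaddr

# Extension categories taken from the list of suspicious attachments above.
LEGACY_OFFICE = {".csv", ".rtf", ".doc", ".xls", ".ppt"}
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".potm"}
STRANGE = {".chm", ".hta", ".js", ".jse", ".lnk", ".sct", ".vbe", ".vbs"}
# The page notes attachments may arrive zipped; archive list is an assumption.
ARCHIVE = {".zip", ".7z", ".rar"}
# Free-mail domains generalise the page's yahoo.com / gmail.com examples (assumption).
FREEMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}
# Subject words the page calls out as lures (resume, survey, questionnaire), plus "cv".
LURE_WORDS = {"resume", "survey", "questionnaire", "cv"}

# Constructed sample messages (not from the page).
SAMPLE_MESSAGES = [
    {"from": "Navy Ombudsman <navy.ombudsman@yahoo.com>",
     "subject": "Survey for families", "attachments": ["survey.xlsm"]},
    {"from": "John Smith <john.smith@example.org>",
     "subject": "Meeting notes", "attachments": ["notes.docx"]},
    {"from": "HR <hr@example.com>",
     "subject": "Resume", "attachments": ["cv.pdf.js", "cv.zip"]},
]


def attachment_flags(filename):
    """Return the indicator names that apply to one attachment filename."""
    name = filename.lower()
    # The last extension decides the category; "cv.pdf.js" is a .js file.
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    flags = []
    if ext in LEGACY_OFFICE:
        flags.append("legacy-office")
    elif ext in MACRO_ENABLED:
        flags.append("macro-enabled")
    elif ext in STRANGE:
        flags.append("strange-extension")
    elif ext in ARCHIVE:
        flags.append("archive")
    # A second dot usually means a disguised extension (heuristic; "my.notes.docx"
    # would also trip it, which is acceptable for a triage prompt).
    if name.count(".") > 1:
        flags.append("double-extension")
    return flags


def sender_flags(from_header):
    """Flag senders whose address is in a free webmail domain."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return ["freemail-sender"] if domain in FREEMAIL else []


def triage(from_header, subject, attachments):
    """Return (score, reasons). Score >= 2 means: verify with the sender before opening."""
    reasons = list(sender_flags(from_header))
    subject_words = set(re.findall(r"[a-z]+", subject.lower()))
    if subject_words & LURE_WORDS:
        reasons.append("lure-subject")
    for name in attachments:
        reasons.extend(f"{name}:{flag}" for flag in attachment_flags(name))
    return len(reasons), reasons


def triage_samples():
    """Run triage over the constructed samples; returns a list of (score, reasons)."""
    return [triage(m["from"], m["subject"], m["attachments"]) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, (score, reasons) in zip(SAMPLE_MESSAGES, triage_samples()):
        verdict = "VERIFY BEFORE OPENING" if score >= 2 else "no indicators"
        print(f"{msg['from']!r}: score={score} {verdict} {reasons}")
```

The score is deliberately a count of independent indicators rather than a weighted model: the point of the page is that any two of these together (a free-mail sender plus a macro-enabled workbook, a "resume" subject plus a double extension) is enough to pick up the phone and confirm with the sender.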

If you opened the attachment and notice any of the following, STOP, disconnect the network cable from your computer, and scan your computer with anti-virus software:

  • The attachment contains an embedded document, e.g. an Excel file embedded in a OneNote file, a Word file embedded in a PDF document, or a Word document containing only an empty box
  • A popup box appears that prompts you to continue, e.g. security warning, alert message
  • The contents of the attachment are missing or are gibberish
  • You see a black rectangular window (DOS/command prompt window) appear then disappear quickly while the attachment is opened or soon after you close it

What Can I Do To Prevent This?

  • Be attentive to emails with links and attachments
  • Disable macros in Microsoft Office applications (Word, Excel, PowerPoint)
  • Disable automatic image downloads in email clients, webmail, and smartphone apps
  • Ensure your computer is updated with all the latest security patches (including the OS, Microsoft Office, email clients, and web browsers)
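The third prevention item, disabling automatic image downloads, exists because of the web bug shown in item 17 above: a remotely hosted image that is fetched the moment the message is rendered, telling the sender which addresses are live. The following added example (not code from the original page) shows how such images can be found in a message before it is displayed. The message is a constructed sample, and treating a 1x1 or 0x0 remote image as a tracking pixel is an assumption used for the check.

```python
"""Find remotely hosted images (web bugs) in an email's HTML body.

Added example; the sample message is constructed and not from the page.
"""
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: one inline (cid:) logo and one 1x1 remote tracking pixel.
RAW_EMAIL = """\
From: Recruiter <recruiter@example.com>
To: hiring@example.org
Subject: CV for open position
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please find my CV attached.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please find my CV attached.</p>
<img src="cid:logo123" alt="logo">
<img src="https://tracker.example.net/open?id=ABC123" width="1" height="1">
</body></html>
--b1--
"""


class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose src points at an http(s) URL."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = (a.get("src") or "")
        # cid: and data: images ship inside the message; only http(s) sources
        # cause a fetch that reveals the reader's address and IP.
        if not src.lower().startswith(("http://", "https://")):
            return
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        self.images.append({"src": src, "tracking_pixel": tiny})


def find_remote_images(raw_message):
    """Parse a raw RFC 822 message and return its remote images, if any."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    finder = RemoteImageFinder()
    finder.feed(html_part.get_content())
    return finder.images


if __name__ == "__main__":
    for img in find_remote_images(RAW_EMAIL):
        kind = "tracking pixel" if img["tracking_pixel"] else "remote image"
        print(f"{kind}: {img['src']}")
```

A mail client that blocks remote content never makes the request, which is why the blocked web bug shows up as a broken-image icon in item 17; the check above lets a gateway or analyst see the same thing without rendering the message at all.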

Don’t Fall for Phishing:
Stop. Examine. Ask. Report.
S.E.A.R. the Phish
