What is a Spearphish?
A malicious email, targeted at a specific individual, that appears to come from a trusted sender. The spearphish contains a link or attachment that appears safe to open. If the link is clicked or the attachment opened, malicious software can be silently installed on the computer. This gives the cybercriminals remote access to the computer; they can then steal the individual's personal information, business files, and passwords stored on the hard drive and on network shared folders, and search for and compromise other computers in the organization in order to steal more data.
Examples of Suspicious Attachments
Note: The following are tested on Windows 10 and Office 2013 (other versions may display different messages or none at all).
1. Word Macro — Word file (.doc, .docm) contains a script. Warning appears in yellow bar at the top.
2. Excel Macro — Excel file (.xls, .xlsm) contains a script. Warning appears in yellow bar at the top.
3. Word VBS 1 — Word file (.doc) contains a script. Warning appears if script is double-clicked.
4. Word VBS 2 — Word file (.docx) contains a script. Warning appears if script is double-clicked.
5. Acrobat Script — PDF file (.pdf) contains a script. Warning appears.
6. CVE-2017-0199 — Word file (.doc) contains an exploit. Warning appears.
7. CVE-2012-0158 a-d — Word file (.doc) contains an exploit. Additional Office components are installed and the document is converted, but no warning appears.
8. CVE-2017-8759 — Word file (.doc) contains an exploit. Warning appears.
9. PowerPoint — PowerPoint file (.ppsx) contains a script that activates when the user hovers the mouse over the link. Warning appears.
10. Word DDE — Word file (.docx) contains a link. Warning appears.
11. Word Callback — Word file (.doc) contains a link. No warning in Word 2010.
12. Acrobat Word — PDF file (.pdf) contains Word doc. Warning appears.
13. CVE-2017-11882 — Word file (.doc) contains an exploit. No warning.
14. Excel Package — Excel file (.xlsx) contains a script. Warning appears.
15. OneNote — OneNote file (.one) contains Word doc. No warning.
16. CSV a-b — CSV file (.csv), opened in Excel, that contains a link. Warning appears.
17. Email Resume — Email contains a web bug (a remote tracking image). A missing-graphic icon appears if image download is blocked.
What should I do if I receive a spearphish?
Ask the sender to confirm he/she sent it (preferably via telephone call), scan the attachment with anti-virus, and report it to your department’s IT staff.
The following emails would be considered suspicious:
- Email with a link or attachment from someone you don’t know or from an odd email address, e.g. firstname.lastname@example.org, email@example.com
- Email with a link or attachment from someone you do know but the message looks odd, e.g. weird punctuation or grammar, wrong salutation or valediction
- Email with a link or attachment that references a resume, survey, or questionnaire
- Older Microsoft Office attachments with 3-letter file extensions, e.g. .csv, .rtf, .doc, .xls, .ppt
- Newer Microsoft Office attachments with 4-letter file extensions that contain macros (the extension ends with “m”), e.g. .docm, .xlsm, .pptm, .dotm, .xltm, .potm
- Attachments that have strange file extensions, e.g. .chm, .hta, .js, .jse, .lnk, .sct, .vbe, .vbs
- Keep in mind that attachments may be zipped, with or without a password, and could come from your own staff, even as a reply to something you previously sent them
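The attachment rules above and the web-bug item in the examples list can be applied mechanically to a raw message. The following is an added example (not part of the original page) that parses a constructed MIME email with Python's standard `email` library, classifies attachment names into the page's extension groups, and reports remote images in the HTML body; the category names and the sample message are the author's own constructions.

```python
import re
from email import message_from_string, policy

# Extension groups copied from the page's list of suspicious attachments.
CATEGORIES = {
    "legacy-office": {".csv", ".rtf", ".doc", ".xls", ".ppt"},
    "macro-enabled-office": {".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".potm"},
    "script-or-shortcut": {".chm", ".hta", ".js", ".jse", ".lnk", ".sct", ".vbe", ".vbs"},
    "archive": {".zip"},  # the page notes attachments may arrive zipped
}
# A remote <img src="http..."> in an HTML body is the web bug the page describes.
REMOTE_IMG = re.compile(r'<img[^>]+src=["\']?(https?://[^"\'\s>]+)', re.I)

def classify_attachment(filename):
    """Return the page's category for a filename, or None if it is not on the list."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""  # "resume.pdf.js" -> ".js"
    for category, extensions in CATEGORIES.items():
        if ext in extensions:
            return category
    return None

def triage_email(raw):
    """Flag suspicious attachment names and remote images in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = {"attachments": {}, "remote_images": []}
    for part in msg.iter_attachments():
        category = classify_attachment(part.get_filename() or "")
        if category:
            findings["attachments"][part.get_filename()] = category
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        findings["remote_images"] = REMOTE_IMG.findall(html.get_content())
    return findings

# Constructed sample message (not a real email): macro-enabled attachment plus a 1x1 tracking image.
SAMPLE = """From: applicant@example.com
Subject: Resume for the open position
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>My resume is attached.</p><img src="http://tracker.example/open.gif" width="1" height="1">
--b1
Content-Disposition: attachment; filename="resume.docm"

placeholder bytes standing in for the document
--b1--
"""
```

Running `triage_email(SAMPLE)` returns the flagged attachment and the remote image URL; a mail gateway or triage script could apply the same two checks before the message reaches the user.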
If you opened the attachment and notice any of the following, STOP, disconnect the network cable from your computer, and scan your computer with anti-virus:
- The attachment contains an embedded document, e.g. an Excel file embedded in a OneNote file, a Word file embedded in a PDF document, or a Word document containing an empty box
- A popup box appears that prompts you to continue, e.g. security warning, alert message
- The contents of the attachment are missing or are gibberish
- A black rectangular window (a command-prompt/DOS window) appears and quickly disappears while the attachment is opening or soon after you close it
What Can I Do To Prevent This?
- Be attentive to emails with links and attachments
- Disable macros in Microsoft Office applications (Word, Excel, PowerPoint)
- Disable automatic image downloads in email clients, webmail, and smartphone apps
- Ensure your computer is updated with all the latest security patches (including the OS, Microsoft Office, email clients, and web browsers)