What is a Spearphish?
A malicious email that targets a specific individual and appears to come from a trusted sender. The spearphish contains a link or attachment that appears safe to open. If the link is clicked or the attachment opened, malicious software can be silently installed on the computer. This gives the cybercriminals remote access to the computer; they can then steal the individual's personal information, business files, and passwords stored on the hard drive and on network shared folders, and search for and compromise other computers in the organization in order to steal more data.
Examples of Suspicious Attachments
Note: The following are tested on Windows 10 and Office 2013 (other versions may display different messages or none at all).
1. Word Macro - Word file (.doc, .docm) contains a script. Warning appears in yellow bar at the top.
7. CVE-2012-0158 a-d - Word file (.doc) contains an exploit. Additional Office components are installed, then the document is converted, but no warning appears.
17. Email Resume - Email contains a web bug (tracking image). A missing-image icon appears if image downloading is blocked.
What should I do if I receive a spearphish?
Ask the sender to confirm that he/she sent it (preferably by telephone), scan the attachment with anti-virus, and report it to your department's IT staff.
The following emails would be considered suspicious:
- Email with a link or attachment from someone you don't know or from an odd email address, e.g. email@example.com, firstname.lastname@example.org
- Email with a link or attachment from someone you do know but the message looks odd, e.g. weird punctuation or grammar, wrong salutation or valediction
- Email with a link or attachment that references a resume, survey, or questionnaire
- Older Microsoft Office attachments with 3-letter file extensions, e.g. .csv, .rtf, .doc, .xls, .ppt
- Newer Microsoft Office attachments with 4-letter file extensions that contain macros (ending in "m"), e.g. .docm, .xlsm, .pptm, .dotm, .xltm, .potm
- Attachments that have strange file extensions, e.g. .chm, .hta, .js, .jse, .lnk, .sct, .vbe, .vbs
- Keep in mind that attachments may be zipped with or without a password, and could come from your own staff and even be a response to something you previously sent to them
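The extension rules above as a small attachment-triage script, an added example that is not part of the original page: it classifies a filename against the page's lists, opens zip attachments to check each member name and its encryption flag, and, as a generalization beyond the page, also flags the vbaProject.bin member that macro-enabled Office files carry. The sample archive is constructed for the demonstration.

```python
import io
import zipfile

# Extension sets copied from the guidance above (lowercase, leading dot).
LEGACY_OFFICE = {".csv", ".rtf", ".doc", ".xls", ".ppt"}
MACRO_OFFICE = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".potm"}
SCRIPT_LIKE = {".chm", ".hta", ".js", ".jse", ".lnk", ".sct", ".vbe", ".vbs"}


def classify_name(name: str) -> list:
    """Return the reasons a bare attachment filename looks suspicious (empty = none)."""
    base = name.rsplit("/", 1)[-1].lower()       # strip any folder path, ignore case
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in LEGACY_OFFICE:
        reasons.append("legacy 3-letter Office format " + ext)
    if ext in MACRO_OFFICE:
        reasons.append("macro-enabled Office format " + ext)
    if ext in SCRIPT_LIKE:
        reasons.append("script-like extension " + ext)
    if len(parts) > 2 and ext in SCRIPT_LIKE | MACRO_OFFICE:
        reasons.append("double extension hides real type")  # e.g. resume.pdf.js
    return reasons


def classify_attachment(name: str, data: bytes) -> list:
    """Classify one attachment; zip containers (which .docm/.xlsm files also are)
    are opened and every member is checked. Encrypted members still expose their names."""
    findings = [(name, classify_name(name))]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reasons = classify_name(info.filename)
                if info.filename.lower().endswith("vbaproject.bin"):
                    reasons.append("embedded VBA project")  # where OOXML stores macros
                if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag = encrypted
                    reasons.append("password-protected zip member")
                findings.append((name + "/" + info.filename, reasons))
    return [f for f in findings if f[1]]


def build_sample_zip() -> bytes:
    """Constructed test input: an archive of the kind a spearphish might carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume.pdf.js", "// constructed placeholder, not a real script")
        zf.writestr("notes.txt", "harmless text")
    return buf.getvalue()
```

Run classify_attachment on each attachment of an incoming message; any non-empty result is a candidate for the "ask the sender, scan, report" steps described on this page.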
If you opened the attachment and notice any of the following, STOP: disconnect the network cable from your computer and scan your computer with anti-virus:
- The attachment contains an embedded document, e.g. Excel file embedded in a OneNote file, Word file embedded in a PDF document, Word contains an empty box
- A popup box appears that prompts you to continue, e.g. security warning, alert message
- The contents of the attachment are missing or consist of gibberish
- You see a black rectangular window (DOS window) appear and then disappear quickly while the attachment is being opened, or soon after you close it
What Can I Do To Prevent This?
- Be attentive to emails with links and attachments
- Disable macros in Microsoft Office applications (Word, Excel, PowerPoint)
- Disable automatic image downloads in email clients, webmail, and smartphone apps
- Ensure your computer is updated with all the latest security patches (including the OS, Microsoft Office, email clients, and web browsers)