Bogus ‘Account Compromised’ Email Contains Macro Malware

Email claims that a suspicious logon attempt to your account was detected and you should therefore open an attached  report  to view further details.

Brief Analysis:
The email is bogus. It is not from the company named as the sender and the ‘suspicious logon attempt’ claim is just a trick designed to get you to open the attached  file.  The attached .zip file harbours  a Microsoft Word document that contains a malicious macro. If allowed to run, the macro can download and install  malware.

Subject: Account Compromised

Suspicious logon attempt to your account was detected (Chrome browser, IP-address: [removed])
Reason: unusual IP
Please refer to the attached report to view further detailed information.[Name of company removed]
tel. [removed]Email has an attached file called ‘Security Notification.zip’. The .zip file contains a Microsoft Word file called ‘security_report[random numbers].doc’.

Detailed Analysis:
According to this email, which has the subject line ‘Account Compromised’, a ‘suspicious logon attempt’ to your account has been  detected. The message lists the type of browser used in the login attempt as well as the supposed attacker’s IP address. It suggests that you refer to an attached report to access further information. The email also includes the name and phone number of the company that supposedly detected the compromise and sent the warning.

However, the email is not a valid security warning and it was not sent by the company it mentions. Instead, the email is an attempt by criminals to trick you into allowing malware to be installed on your computer.

If you open the attached  .zip file in the hope of reading more information about the supposed compromise, you will find that it contains a seemingly  innocuous Microsoft Word document. However, if you then attempt to open the Word document, you will receive a message stating that  you need to enable macros to view the contents. Alas, the macro is malicious and, if you enable macros as requested, it will download and install malware on your computer.

The exact type of malware that is downloaded by the macro may vary. In some cases it may install malware that can steal sensitive information such as banking passwords from your computer. In other  cases it may install ransomware that can lock your computer’s files and then demand that you pay a ransom to online criminals to receive an unlock key.

Details in these emails, including the name and number of the company that supposedly sent them and the listed browser and IP address may vary. Keep in mind that the companies listed as the senders in these emails are in no way responsible for the malware attacks. The criminals have  simply used these company names to make their messages appear legitimate.

Macro malware attacks are increasingly common. Be wary of any email with an attachment that claims that you must enable macros to view the content.  There is no reason why you should need to enable macros just to view an ordinary document such as an invoice or security report. Unless you have  a specific need to use macros and understand their  potential risks, you are best to leave macros disabled.

If your unfamiliar with macros, you can read more about them here.


Last updated: May 25, 2016
First published: May 25, 2016
By Brett M. Christensen
About Hoax-Slayer

Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments
Suspicious logon attempt or Account Compromised leads to Dridex
Malware Threat Articles


Original Source : https://www.hoax-slayer.net/bogus-account-compromised-email-contains-macro-malware/