Anatomy of an Attack: Password-Protected Files Attached to Emails

Almost 94% of all malware attacks are delivered via email. Lately we have observed a growing trend of distributing malware through password-protected email attachments.

Related: Microsoft reports a 'leap in attack sophistication'

Example of the attack

The employee receives an email that appears to be from a trusted and well-known sender, or a common brand, with a catchy subject (ex. 'Invoice', 'Payment verification', etc). The email contains an attached file that is zipped and password-protected by the attacker. The password creates the illusion the attachment must contain confidential personal information that had to be secured.

The password to open the file from the zip is included in the email:

Example of the malicious email

Field to enter the password to open the zipped email's attachment

Once the password is entered and the file is opened, the user is infected by the malware. Usually it's a trojan attack.

Emotet trojan hidden in encrypted attachments

The Emotet trojan malware is the most common one we see. It's usually delivered through malspam and phishing emails that contain infected Microsoft Word or PDF files. When opening the file, the victim is tricked into enabling the macros and triggering the malware logic.

As seen on the example below, the victim opened the encrypted, zipped attachment-a Microsoft Word file. That file fakes a Microsoft Office Activation Wizard that urges the recipient to 'Enable Editing' and 'Enable Content' to view and edit the file.

Example of the content of the Emotet infected Microsoft Word document

If the user follows the 'Enable Editing' and 'Enable Content' process, they will enable the malicious macros ingrained in it. And the victim won't even notice it. The file starts to silently run a PowerShell script:

Decoding the script reveals a downloader code:

As a result, Emotet will download and execute additional malware, which will be installed directly on the victim's PC and bypass all possible detection.

Attacks using password-protected zip files (and taking advantage of our social engineering) are virtually invisible to most email filtering techniques.

Learn more about Cyren Inbox Security

Cyren Inbox Security was built to safeguard each and every Microsoft 365 mailbox in your organization. It is a continuous and automated layer of security right in the user mailbox:

● Persistently rescans inbound, outbound and delivered emails in all folders

● Reduces investigative overhead with automated incident and case management workflows

● A seamless mailbox plugin lets users scan and report suspicious emails

Our threat visibility is unsurpassed. Cyren's global security cloud processes 25 billion email and web security transactions every day; identifies 9 new threats and blocks over 3,000 known threats each second.

Ready to play with Cyren Inbox Security for Microsoft 365?Start a 30-day trial, no credit card needed >