This is the eighteenth in my Security Series of Connect articles. For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in December 2017.
Symantec Security Response and Technical Support are always advising end users, "Be suspicious and think before you click: Never view, open, or execute any email attachment unless you expect it and trust the sender." What exactly do they mean? What should mail recipients be careful about?
Let me show you....
Here's a rogues gallery of screenshots from recent malicious macro spam. Malicious macros are one of the main delivery mechanisms for threats, lately. If you open the email attachment, let the macro run... you're infected. Full details on how to fight threats like this can be found in Support Perspective: W97M.Downloader Battle Plan.
|If you open an unexpected MS Office file that came in through email, and it prompts for action like the screenshots below, DO NOT DO IT.
You won't get to see the document. You will infect your computer and possibly your whole organization with Ransomware. That's bad news.
It's For Your Own Protection
This sample uses Security as a method for Social Engineering the recipient. "This document is protected." That sounds safe!
I can blindly trust whatever random sender mailed it, and follow their prompts to "please click Enable Content", right?
It's a scam.
Here's another trying the exact same trick.
"This document is protected by Microsoft Office and requires human verification. Please Enable Editing and Double Click below to prove that you are not a robot."
Sorry! Not even that primitive evil (but cute) robot from 1986's Deadly Friend would fall for that BLEEP!
Wait Mr. Victim, You're Missing Something
Here's one that pretends that the email attachment cannot properly be viewed until the recipient enables editing and downloads the "Media dynamic content plugin missing."
You're actually not missing anything. It's a fake error. "Please enable Editing and Content to see this document"? No.
Here's another: "Oops, something went wrong.... This document is only available for desktop or laptop versions of Microsoft Office Word. Click enable editing button...."
Nothing has gone wrong- Unless someone clicks and enables!
Here's one: "Microsoft Office has encountered an unknown error while attempting to import image(s). In order to view the full image(s), please press 'Enable Content' above."
Definitely a pattern here. If something unexpected asks you to Enable Content, DON'T.
What If I Ask Nicely?
"The contents of this document require macros to be displayed correctly. In order to view this document, please press Enable Content above."
Even well-mannered MS Word documents that say "please" and "thank you" can be up to no good. Don't click, it's a scam.
It's Not You, It's Me
A big error message "Document created in earlier version of Microsoft Office Word"? That's weird, seeing as my MS Office easily opens every other ancient .doc file created since, what, Office 97?
Don't fall for it! Do not "Enable Editing from the yellow bar and then click Enable Content"!
Packed Full of Goodness!
Oh, this unexpected mail attachment is full of other mail attachments! Boy those look good. I will get a payment if I only "Please enable editing mode to view included documents."
Wait, why isn't the sender putting those in a .zip, .rar, .7z or other normal container-?
Remember: macros are disabled by default in modern Office for good reason. Don't enable them!
A Worldwide Sensation!
The malware distributors try it out in any market where they think they can make money. Here's one in Japanese....
A rough translation for this one is "If you need to keep the compatibility with older version of Excel after conversion Please click [Enable Contents]". それをクリックしないでください！
This targeted Spanish markets.... How tantalizing! I can almost read the blurred text behind this error!
"Error while loading the document. It has been issued an error while loading the document. 1. Microsoft Word macros are disabled causing an unexpected error...." No haga click en este enlace!
That one is Turkish. Malicious macro attachments are circulating in many languages, in many variants, all attempting to trick end users into enabling content.
Sometimes The Creative Juices Just Won't Flow
This one just demands "Enable Editing". Couldn't think of any good reason why someone should, I guess. And too busy to pick a nicer font.
Short answer: nope.
So What Should We Do?
You've received a mail with a macro attachment. How to check it out before enabling anything? Some ideas:
1. Submit the suspicious mail to Symantec Security Response for examination. They will be able to determine if the attachment is malicious or safe.
Symantec Insider Tip: Successful Submissions!
2. Open the attachment with Word Viewer or Excel Viewer instead of the full version of Word or Excel.
3. Pick up the phone and ask the sender, "Hey, did you just send me a document which needs macros enabled?"
4. Ask your IT department, mail security team, well-informed co-worker.... whoever you've got. Get an expert opinion!
5. Open your favorite search engine and type in the attachment name or the text of the prompt message. Does it come back with a lot of hits related to malware?
6. Unless you are certain it is safe, leave it!
Many thanks for reading! And for thinking before opening documents and enabling dynamic content.
This article now has a sequel that will help to identify phishing .pdf attachments:
What NOT to Click 2: The Legend of Curly's Gold
Final word: "When in Doubt, don't click it!"
Please leave comments and feedback below.