
Bogus ‘Account Compromised’ Email Contains Macro Malware

by Brett M. Christensen

Outline:
Email claims that a suspicious logon attempt to your account was detected and you should therefore open an attached report to view further details.

Brief Analysis:
The email is bogus. It is not from the company named as the sender and the ‘suspicious logon attempt’ claim is just a trick designed to get you to open the attached file.  The attached .zip file harbours a Microsoft Word document that contains a malicious macro. If allowed to run, the macro can download and install malware.

Example:
Subject: Account Compromised

Attention!
Suspicious logon attempt to your account was detected (Chrome browser, IP-address: [removed])
Reason: unusual IP
Please refer to the attached report to view further detailed information.

[Name of company removed]
tel. [removed]

The email has an attached file called ‘Security Notification.zip’. The .zip file contains a Microsoft Word file called ‘security_report[random numbers].doc’.


Detailed Analysis:
According to this email, which has the subject line ‘Account Compromised’, a ‘suspicious logon attempt’ to your account has been detected. The message lists the type of browser used in the login attempt as well as the supposed attacker’s IP address. It suggests that you refer to an attached report to access further information. The email also includes the name and phone number of the company that supposedly detected the compromise and sent the warning.

However, the email is not a valid security warning and it was not sent by the company it mentions. Instead, the email is an attempt by criminals to trick you into allowing malware to be installed on your computer.

If you open the attached .zip file in the hope of reading more information about the supposed compromise, you will find that it contains a seemingly innocuous Microsoft Word document. However, if you then attempt to open the Word document, you will receive a message stating that you need to enable macros to view the contents. Alas, the macro is malicious and, if you enable macros as requested, it will download and install malware on your computer.
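The safe way to find out what such an attachment is before anyone clicks ‘Enable Content’ is to inspect the bytes without opening the document in Word. The script below is an added example, not code from the original article: it unpacks a .zip attachment in memory, flags Office documents, checks each one for the presence of a VBA project, and matches the ‘security_report[digits].doc’ naming reported above. The macro check is a heuristic (legacy .doc files are OLE2 compound files whose directory names, such as ‘Macros’ and ‘_VBA_PROJECT’, are stored as UTF-16LE, and .docm containers keep macros in a vbaProject.bin part); the sample attachment and document are constructed inline and are not a real malware sample. For a full decode of a suspicious file, run oletools’ olevba on it.

```python
from __future__ import annotations

import io
import re
import zipfile

# Legacy binary Office files (.doc/.xls/.ppt) are OLE2 compound files and
# start with this 8-byte signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Inside an OLE file the directory entries that hold a VBA project are named
# "Macros" (storage) and "_VBA_PROJECT" (stream). Names are stored as UTF-16LE,
# so the raw bytes of a macro-bearing .doc contain these wide strings.
# Heuristic only: it does not parse the OLE directory structure.
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]

# Office Open XML containers (.docm/.xlsm/...) are zips; macros live in one part.
OOXML_MACRO_PART = "vbaproject.bin"

OFFICE_EXT = re.compile(r"\.(docm?|dotm?|xlsm?|xlsb|pptm?)$", re.IGNORECASE)

# Member name reported for this campaign: security_report<random digits>.doc
CAMPAIGN_NAME = re.compile(r"^security_report\d+\.doc$", re.IGNORECASE)


def has_vba(data: bytes) -> bool:
    """Heuristic: does this document carry a VBA project? Never executes it."""
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_MACRO_MARKERS)
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as doc:
                return any(n.lower().endswith(OOXML_MACRO_PART) for n in doc.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage_attachment(zip_bytes: bytes) -> list[dict]:
    """Walk every member of the attached .zip and record what it looks like."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info)
            office = bool(OFFICE_EXT.search(info.filename))
            findings.append({
                "name": info.filename,
                "office_document": office,
                "has_macro": office and has_vba(data),
                "campaign_name": bool(CAMPAIGN_NAME.match(info.filename)),
            })
    return findings


def verdict(findings: list[dict]) -> str:
    """quarantine: a macro-bearing document; review: other Office docs; clean: neither."""
    if any(f["has_macro"] for f in findings):
        return "quarantine"
    if any(f["office_document"] for f in findings):
        return "review"
    return "clean"


# --- Constructed sample data (not a real malware sample) --------------------

def build_fake_doc(with_macro: bool) -> bytes:
    """Minimal stand-in for a .doc: OLE signature plus UTF-16LE directory names."""
    names = ["Root Entry", "WordDocument", "1Table"]
    if with_macro:
        names += ["Macros", "VBA", "_VBA_PROJECT", "ThisDocument"]
    body = b"\x00" * 504 + b"".join(n.encode("utf-16-le") + b"\x00" * 8 for n in names)
    return OLE_MAGIC + body


def build_sample_attachment(with_macro: bool) -> bytes:
    """In-memory 'Security Notification.zip' holding one security_report<digits>.doc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("security_report9274.doc", build_fake_doc(with_macro))
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        findings = triage_attachment(build_sample_attachment(flag))
        print(verdict(findings), findings)
```

The verdict of ‘quarantine’ for the macro-bearing sample is the point: a document that arrives by email claiming to be a security report has no business containing a VBA project, so the presence of one is enough to hold the message, whatever the macro turns out to do.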

The exact malware downloaded by the macro may vary. The campaign analysed in the reference below delivered Dridex, a banking trojan that steals sensitive information such as online banking passwords from your computer. Other macro downloaders of the same kind instead install ransomware that encrypts your files and demands a payment to online criminals in exchange for the decryption key.

Details in these emails, including the name and number of the company that supposedly sent them and the listed browser and IP address may vary. Keep in mind that the companies listed as the senders in these emails are in no way responsible for the malware attacks. The criminals have simply used these company names to make their messages appear legitimate.

Macro malware attacks are increasingly common. Be wary of any email attachment that says you must enable macros (or click ‘Enable Content’) to view it. An ordinary document such as an invoice or a security report has no need for macros, so the prompt itself is a warning sign. Unless you have a specific need to use macros and understand their risks, you are best off leaving them disabled.

If you're unfamiliar with macros, you can read more about them in the article on macro virus threats listed under References below.


Last updated: May 25, 2016
First published: May 25, 2016
By Brett M. Christensen

References
Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments
Suspicious logon attempt or Account Compromised leads to Dridex
