Email claims that a suspicious logon attempt to your account was detected and you should therefore open an attached report to view further details.
The email is bogus. It is not from the company named as the sender and the ‘suspicious logon attempt’ claim is just a trick designed to get you to open the attached file. The attached .zip file harbours a Microsoft Word document that contains a malicious macro. If allowed to run, the macro can download and install malware.
Subject: Account Compromised
Suspicious logon attempt to your account was detected (Chrome browser, IP-address: [removed])
Reason: unusual IP
Please refer to the attached report to view further detailed information.[Name of company removed]
tel. [removed]Email has an attached file called ‘Security Notification.zip’. The .zip file contains a Microsoft Word file called ‘security_report[random numbers].doc’.
According to this email, which has the subject line ‘Account Compromised’, a ‘suspicious logon attempt’ to your account has been detected. The message lists the type of browser used in the login attempt as well as the supposed attacker’s IP address. It suggests that you refer to an attached report to access further information. The email also includes the name and phone number of the company that supposedly detected the compromise and sent the warning.
However, the email is not a valid security warning and it was not sent by the company it mentions. Instead, the email is an attempt by criminals to trick you into allowing malware to be installed on your computer.
If you open the attached .zip file in the hope of reading more information about the supposed compromise, you will find that it contains a seemingly innocuous Microsoft Word document. However, if you then attempt to open the Word document, you will receive a message stating that you need to enable macros to view the contents. Alas, the macro is malicious and, if you enable macros as requested, it will download and install malware on your computer.
The exact type of malware that is downloaded by the macro may vary. In some cases it may install malware that can steal sensitive information such as banking passwords from your computer. In other cases it may install ransomware that can lock your computer’s files and then demand that you pay a ransom to online criminals to receive an unlock key.
Details in these emails, including the name and number of the company that supposedly sent them and the listed browser and IP address may vary. Keep in mind that the companies listed as the senders in these emails are in no way responsible for the malware attacks. The criminals have simply used these company names to make their messages appear legitimate.
Macro malware attacks are increasingly common. Be wary of any email with an attachment that claims that you must enable macros to view the content. There is no reason why you should need to enable macros just to view an ordinary document such as an invoice or security report. Unless you have a specific need to use macros and understand their potential risks, you are best to leave macros disabled.
If your unfamiliar with macros, you can read more about them here.
Last updated: May 25, 2016
First published: May 25, 2016
By Brett M. Christensen