CEO Phishing Through a Word Macro

The Network: A prominent hotel chain with several thousand locations worldwide. This problem was at a specific location on the U.S. East Coast.

The Expectation: Prevention defenses are working (Anti-Virus, Next-Gen Firewall) and monitoring is in place to catch what slips through the prevention layer.

The Catch: Netsurion Intrusion Detection Service identified a possible infection in an email attachment going to the on-premises Microsoft Exchange server.

The Find: As many as 4 dozen users were targeted with a phishing email that contained a malicious attachment (a Microsoft Word document called resignation_letter.doc). An auto-enabled macro was embedded in the Word document. Exchange correctly quarantined the emails. However, one user chose to release the email and double-clicked the attachment. Note that the Anti-Virus software failed to catch the Trojan infection.

The Fix: Quarantine the infected laptop. Then review email logs and browser logs to identify other possible infections. Re-image the infected laptops before returning them to service.
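The log review described in the fix can be scripted as a pivot from mail logs to web logs. The following is an added example, not Netsurion's tooling or code from the incident; the CSV column layouts, addresses, hostnames, category labels and the one-hour window are constructed assumptions.

```python
import csv, io
from datetime import datetime, timedelta
ATTACHMENT = "resignation_letter.doc"  # attachment name given in the case study
# Constructed mail-gateway export; the column layout is an assumption.
MAIL_LOG = """timestamp,recipient,attachment,action
2024-01-10T09:01:00,alice@hotel.example,resignation_letter.doc,QUARANTINED
2024-01-10T09:01:02,bob@hotel.example,resignation_letter.doc,QUARANTINED
2024-01-10T09:01:05,carol@hotel.example,invoice.pdf,DELIVERED
2024-01-10T09:40:00,bob@hotel.example,resignation_letter.doc,RELEASED
"""
# Constructed web-proxy export; the column layout is an assumption.
PROXY_LOG = """timestamp,user,host,category
2024-01-10T09:30:00,bob@hotel.example,intranet.hotel.example,business
2024-01-10T09:43:10,bob@hotel.example,cdn.unknown-host.example,uncategorized
2024-01-10T09:50:00,alice@hotel.example,cdn.unknown-host.example,uncategorized
2024-01-10T13:00:00,bob@hotel.example,news.example,news
"""

def parse(text):
    """Read a CSV export and convert its timestamp column to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows

def mail_triage(mail_rows, attachment=ATTACHMENT):
    """Return (recipients targeted, {recipient: earliest quarantine release})."""
    targeted, released = set(), {}
    for r in mail_rows:
        if r["attachment"].lower() != attachment.lower():
            continue
        targeted.add(r["recipient"])
        if r["action"] == "RELEASED":
            first = released.get(r["recipient"], r["timestamp"])
            released[r["recipient"]] = min(first, r["timestamp"])
    return targeted, released

def suspect_hosts(proxy_rows, released, window=timedelta(hours=1)):
    """Uncategorized hosts a releasing user contacted within `window` of release."""
    hosts = set()
    for r in proxy_rows:
        t0 = released.get(r["user"])
        if t0 and t0 <= r["timestamp"] <= t0 + window and r["category"] == "uncategorized":
            hosts.add(r["host"])
    return hosts

def other_users(proxy_rows, hosts, released):
    """Users who never released the mail but contacted the same suspect hosts."""
    return {r["user"] for r in proxy_rows if r["host"] in hosts and r["user"] not in released}
```

On the constructed data, the mail log yields one user who released the quarantined message, and the proxy pivot surfaces a second user who contacted the same uncategorized host and should also be examined.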

The Lesson: The phishing attack vector continues to be a prominent mechanism for malware and ransomware. Netsurion’s Managed Threat Protection can predict, prevent, detect, and help organizations respond to cybersecurity risks.