All malware is not created equal.  This week a particularly devious piece landed in an MRU inbox.  It was wrapped up in a zip file attachment. Here is what the malicious email looked like:

 

 

This malicious email is hard to identify as it contains a previously sent email thread. Interestingly enough, there is no human behind this email. It was sent by malware. When it gets on your machine it picks an email in your inbox and replies to it. Sending a copy of itself to an unsuspecting recipient.

The email is generic enough to work with pretty much any email. However it is the vagueness that flags it as suspicious.  The other tell is the sender’s email address. Because this is malware and not a person sending out the email, the sender’s email address is incorrect.

If you decide to click and open the attachment, you see an Excel spreadsheet with this in the first cell.

 

 

If you missed the other two red flags, this one is your last chance to dodge the bullet. This very official looking graphic is asking you to enable editing and content to be able to “decrypt” the document  It is also telling you what type of device to use to view it.  Anytime you have this kind of instruction given to you to view a document, close it immediately and report it.

The instructions are not there to enable you to view the document. They are there to ensure the malware can be installed and will function.  By asking you to enable editing and content, it is bypassing the safety controls we have in place to prevent the running of macros. It is not “decrypting” anything.  If you can’t open a document just by clicking on it, consider it a threat.

This is another reminder how important it is to check the sender’s email address before you open an attachment or click on a link.  If you recognize it, contact the sender using another method and confirm that they sent the email. If you don’t recognize it, don’t click. You wouldn’t take candy from a stranger, you shouldn’t take attachments from them either;  no matter how enticing they are.