Cybersecurity Blog

ALERT – Word macro virus circulating through Mount Royal University – 11/20/17

Last week I posted about a scary new phishing email making the rounds. This phishing email is hard to detect because it appears as a reply to a previous email and it comes from someone you know. The email reads as follows:

Morning,

Please see attached and confirm.

A Word document is attached to the email.  If you open the email you get the following notification.

If you follow these instructions, you give Word permission to run the malicious macro embedded in the document and your machine is infected with malware. To make matters worse, it will then send out a similar email reply to select people on your contact list, spreading the infection.

Several people in the Mount Royal community have already received this email and opened the attachment.  Their machines were infected and are being re-imaged. We are unable to determine who will receive this phishing email next and it is too new for our anti-virus software to detect.

This is only one example of a whole family of malware that uses Word macros to infect your computer.  The good news is, if you have macros disabled by default and you do not Enable Editing or Enable Content as instructed, you cannot be infected.

Some other examples of fake notifications to look out for are:

In each one of these instances, following the instructions will infect your machine with malware that could spread to friends, family and colleagues.

How to protect yourself from infection:

  • Make sure Word Macros are disabled by default:
    1. Select File > Options > Trust Center.
    2. Click the Trust Center Settings button.
    3. Select Macro Settings from the left menu.
    4. Select Disable all macros with notification.
    5. Click the OK button to exit the Trust Center Settings.
    6. Click the OK button to exit the Trust Center.

    Note: Disabling macros in Word does not disable them in Excel and vice versa. You must change the settings in each application.

  • Verify with the sender before opening any attachments.
  • If you are prompted to Enable Editing or Enable Content, ignore the request.  You do not need to Enable Editing or Content to view a document.
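
The Trust Center choice described above is stored separately for each Office application, which is why Word and Excel have to be set one at a time. The PowerShell below is an added example, not part of the original post, that reports the current macro setting for both applications. The registry paths and the VBAWarnings value name are Office's own and do not appear in the post, and the function name Get-MacroSetting is hypothetical.

```powershell
# Added example: audit the per-user macro setting for Word and Excel.
# VBAWarnings values: 1 = enable all macros, 2 = disable with notification,
# 3 = disable all except digitally signed, 4 = disable without notification.
$meaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSetting {
    param([string[]]$Apps = @('Word', 'Excel'))

    # Office version keys look like 14.0, 15.0, 16.0 under the user's hive.
    $root = 'HKCU:\Software\Microsoft\Office'
    $versions = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

    foreach ($ver in $versions) {
        foreach ($app in $Apps) {
            $appKey = Join-Path $ver.PSPath $app
            if (-not (Test-Path $appKey)) { continue }   # app has no key under this version

            # A Group Policy value, if present, overrides the Trust Center choice.
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$($ver.PSChildName)\$app\Security"
            $userKey   = Join-Path $appKey 'Security'

            # Assumption: with no stored value, Office uses its default (2).
            $source = 'Default'; $value = 2
            foreach ($candidate in @(@('Policy', $policyKey), @('User', $userKey))) {
                $v = (Get-ItemProperty -Path $candidate[1] -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
                if ($null -ne $v) { $source = $candidate[0]; $value = [int]$v; break }
            }

            [pscustomobject]@{
                Version       = $ver.PSChildName
                App           = $app
                Source        = $source
                Value         = $value
                Setting       = $meaning[$value]
                MacrosBlocked = ($value -ne 1)   # only "enable all" runs macros unprompted
            }
        }
    }
}

Get-MacroSetting | Format-Table -AutoSize
```

A row with MacrosBlocked set to False means that application will run macros without asking and should be changed back using the steps above.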

If you are unsure about the safety of an attachment, please contact the IT Service Desk. If you think you have received a phishing email, please forward the entire email to abuse@mtroyal.ca.