Hackers Weaponize Word’s Recovery Tool in Stealthy Phishing Attacks

Novel Phishing Scheme Leverages Microsoft Word Vulnerability

A sophisticated new phishing campaign has emerged that exploits Microsoft Word’s file recovery mechanism to bypass security measures. The attack, discovered by Any.Run, targets corporate employees through corrupted documents disguised as HR and payroll communications.

The attackers employ a unique strategy by embedding a base64-encoded string “##TEXTNUMRANDOM45##” within intentionally corrupted Word documents. When opened, these files activate Word’s recovery feature, revealing company-branded content containing QR codes. These codes redirect users to fraudulent Microsoft login pages designed to harvest credentials.

What makes this attack particularly concerning is its ability to evade detection. The corrupted files consistently show minimal to zero detections on VirusTotal, effectively circumventing most antivirus solutions. This success stems from using legitimately damaged files rather than traditional malicious code.
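Because the signal here is structural damage rather than malicious code, a mail gateway or triage job can flag `.docx` attachments whose container does not validate. The following is an added example, not code from Any.Run or the original article; it assumes the damage is visible at the ZIP container level, and `triage_docx` and `build_sample` are hypothetical names.

```python
import io
import zipfile
import zlib

# Parts every well-formed .docx (an OOXML ZIP container) carries.
REQUIRED_PARTS = {"[Content_Types].xml", "word/document.xml"}


def triage_docx(data: bytes) -> str:
    """Return 'ok', 'bad-header', 'damaged-zip' or 'missing-parts'."""
    # A clean .docx starts with a ZIP local file header.
    if not data.startswith(b"PK\x03\x04"):
        return "bad-header"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() reads every member and returns the first one
            # whose CRC-32 or header does not check out.
            if zf.testzip() is not None:
                return "damaged-zip"
            names = set(zf.namelist())
    except (zipfile.BadZipFile, zlib.error, EOFError):
        return "damaged-zip"
    return "ok" if REQUIRED_PARTS <= names else "missing-parts"


def build_sample(parts: dict) -> bytes:
    """Constructed sample input: a minimal stored (uncompressed) container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample({"[Content_Types].xml": "<Types/>",
                         "word/document.xml": "<w:document/>"})
    for label, blob in [("intact", good),
                        ("truncated", good[:-30]),
                        ("junk prefix", b"\x00" * 16 + good)]:
        print(f"{label:12} -> {triage_docx(blob)}")
```

Any verdict other than `ok` is a reason to hold the attachment for review, since Word's recovery feature may still open a file that this check rejects.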

To protect against this threat, organizations should:
• Remove unexpected email attachments
• Consult network administrators about suspicious emails
• Avoid scanning unexpected QR codes
• Exercise caution with Microsoft login requests

This innovative attack method represents a significant evolution in phishing techniques, challenging existing security infrastructure and demanding increased vigilance from users.
