A new type of email phishing campaign is easily passing through firewalls and spam filters by avoiding the usual links to malicious websites and attachments that install malware.
These messages describe the expiration of a trial period, after which you’ll automatically be signed up for a subscription with a monthly payment. They instruct you to call a phone number to cancel the automatic subscription. Pretty motivating, isn’t it? Who wants a monthly bill they didn’t authorize?
This campaign uses BazaCall malware, which infects computers through a subsequent download of an Excel spreadsheet with an embedded macro (a program that can run outside Excel). When the macro runs, it downloads and installs malware.
Microsoft Security Intelligence identified this threat in June 2021 (https://twitter.com/MsftSecIntel/status/1407470790333722628).
Here’s what these email messages tend to look like. Notice there are no links or attachments, just instructions to call a phone number.
By calling the phone number, you would connect with a live person who would instruct you to go to a website that appears real, then to download & open an Excel Spreadsheet. Once opened, you would be challenged by the following and the person would instruct you to click “Enable Content”.
That’s when the Excel macro would run & install the malware.
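A mail-triage heuristic for the message shape described above (no links, no attachments, a phone number, and trial or subscription wording), given here as an added example that is not from the original post or from Microsoft. The regular expressions, the two-term threshold, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# North American style numbers, e.g. 602-555-0100 or (602) 555-0100
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}\b")
LURE_RE = re.compile(r"\b(trial|subscription|renew\w*|automatic\w*|charged?|cancel\w*|billing)\b", re.I)

def body_text(msg: Message) -> str:
    """Concatenate every inline text part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def has_attachment(msg: Message) -> bool:
    return any(p.get_filename() or p.get_content_disposition() == "attachment"
               for p in msg.walk())

def callback_lure_score(raw: str) -> dict:
    """Flag mail that carries a phone number and billing wording but no link or file."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    lures = {m.lower() for m in LURE_RE.findall(text)}
    result = {
        "no_urls": not URL_RE.search(text),
        "no_attachments": not has_attachment(msg),
        "phone_numbers": PHONE_RE.findall(text),
        "lure_terms": sorted(lures),
    }
    # Assumed threshold: at least two distinct billing terms plus a callback number.
    result["suspicious"] = (result["no_urls"] and result["no_attachments"]
                            and bool(result["phone_numbers"]) and len(lures) >= 2)
    return result

# Constructed sample messages (not real campaign mail).
SAMPLE_LURE = """From: billing@example.com
Subject: Your free trial is ending

Your trial expires today and your subscription will renew automatically.
You will be charged 89.99 per month. To cancel, call 602-555-0100.
"""
SAMPLE_BENIGN = """From: news@example.com
Subject: Monthly newsletter

Read the full issue at https://example.com/news or call 602-555-0101.
"""
```

A hit is a reason to route the message for review, not a verdict, since legitimate billing notices can have the same shape.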
So, if you receive an email like this, do NOT…
- Click on any links in the message
- Open any attachments
- Call any phone numbers in the message
It’s best to delete the message, but if you’re still not sure, you can seek “human verification”. Look up the company’s phone number online or in your records. Call the known good number, let them know you received such an email, and request that they review your account.
Note that you should call a legitimate number for a legitimate company. More sophisticated campaigns might even create fictitious company websites that list the same number that appears in the email message. If you don’t have a relationship with the company, then delete the message and move on.
If you’ve received an email message you’re not sure about, contact our team, and we’ll let you know if it’s malicious.
Your technology Partner,
The LeeShanok Team
Phoenix: 602-277-5757 | Tucson 520-888-9122 | firstname.lastname@example.org