--On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall <ja...@jaredsec.com> wrote:

> The Word document (without macros) loads an external encrypted Excel file

It has macros. It tricks the user into enabling and running them by telling him to enable the document for editing and enabling "content" (i.e. macros). Hiding macros from the user in this way (calling them "content") is a terrible piece of UI.

> Both articles conclude with the statement "We suggest it is safe to
> enable them (macros) only when the document received is from a trusted
> source".  I really don't understand that comment since the entire unique
> nature of the exploit is to disable the macro warnings entirely.

A forged From line means the average Joe will assume the source is trusted.

Another nice analysis, I think with better details, showing how this evades the usual scanners:

<https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/>

The Word document is assembled from MIME fragments so there's no extension to block.
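As an added example (not part of this thread, and not code from either of the linked write-ups), here is a small Python scanner that does what an extension-based block cannot: it treats the file as MIME regardless of its name, decodes each part, and flags parts whose decoded bytes look like an Office object rather than web content. The sample MHTML is constructed for the example; the signature list (ActiveMime wrapper, OLE2 magic, ZIP magic plus a vbaProject.bin check) is my own choice of what to look for, not something the articles specify.

```python
"""Scan an MHTML / MIME-assembled document for embedded Office objects.

Added example, not from the original thread. Illustrates the point that a
document delivered as MIME fragments carries no useful extension, so a
filter has to decode the parts and inspect their contents.
"""
import base64
import email
from email import policy

# Byte signatures that should not show up inside a "web page" part.
# This list is the example author's assumption of what is worth flagging.
SIGNATURES = {
    b"ActiveMime": "ActiveMime (MSO-wrapped OLE object, usual carrier for VBA)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (legacy Office / vbaProject.bin)",
    b"PK\x03\x04": "ZIP container (OOXML document)",
}


def looks_like_mhtml(raw: bytes) -> bool:
    """Content-based check: ignore the filename, look for MIME headers up front."""
    head = raw[:2048]
    return b"MIME-Version:" in head or b"multipart/related" in head


def scan_mhtml(raw: bytes) -> list:
    """Return one finding per leaf part whose decoded payload matches a signature."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # handles base64 / QP
        for magic, description in SIGNATURES.items():
            if payload.startswith(magic):
                if magic == b"PK\x03\x04" and b"vbaProject.bin" in payload:
                    description += " containing vbaProject.bin (macros)"
                findings.append({
                    "part": idx,
                    "content_type": part.get_content_type(),
                    "content_location": part.get("Content-Location"),
                    "signature": description,
                })
                break
    return findings


# Constructed sample: an HTML "decoy" part plus a base64 application/x-mso part
# whose decoded bytes start with the ActiveMime marker. Not a real campaign file.
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_CONSTRUCTED"

------=_NextPart_CONSTRUCTED
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Location: file:///C:/sample/document.htm

<html><body>Enable editing and content to view this document.</body></html>

------=_NextPart_CONSTRUCTED
Content-Type: application/x-mso
Content-Transfer-Encoding: base64
Content-Location: file:///C:/sample/document_files/editdata.mso

""" + base64.b64encode(b"ActiveMime" + b"\x00" * 32) + b"""

------=_NextPart_CONSTRUCTED--
"""


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MHTML
    print("MIME-structured:", looks_like_mhtml(data))
    for f in scan_mhtml(data):
        print(f"part {f['part']} {f['content_type']} {f['content_location']}: {f['signature']}")
```

Run it with a path to a suspect file, or with no arguments to scan the built-in sample; the only decision it makes is "does a decoded part start with an Office object", which is exactly the check a filename-based rule skips.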
