Threat Actors Innovate to Exploit COVID-19, Delivering OpenOffice .ODP Attachments on a Shoestring Budget
By Tonia Dudley, Cofense Security Solutions
Have you ever paid an invoice delivered in PowerPoint file, similar to Figure 1 below? No? Me neither. An accounts reconciliation aging report? Don’t those typically get sent as a .PDF file so your auditor can ensure you haven’t “adjusted” the report?
Figure 1: Phishing email with fake invoice delivered via an .ODP file, appearing as a .PPT file
We recently uncovered a new, previously unseen tactic used by threat actors eager to capitalize on organizations’ concerns around COVID-19. The threat actors use an OpenOffice file format as an .ODP file, recognized by Microsoft as .PPT file, thus leading unsuspecting users to easily recognize the PowerPoint icon.
But let’s go back to the emails that included this file type. Would you receive an email to process an invoice that used a PowerPoint file for this transaction? It’s no wonder a well-trained user was able to spot this email as suspicious and reported the message to the Cofense Phishing Defense Center.
As we continue to monitor suspicious emails related to COVID-19, both seen in the wild and reported by our customers, we noticed a few interesting tactics used in the email (Figure 2 below) that leverages the OpenOffice format to trick unsuspecting employees into opening the document. The email message is fairly basic and contains some simple phishing indicators. The salutation is generic and an incomplete sentence – “Good morning.” Is this how you punctuate this salutation? Speaking of punctuation – they also used a period after “signing” their name “Donna.” at the end of the email.
When digging into the header information, it was, however, surprising that this email was flagged as “Received-SPF: Fail”. Organizations have spent a great deal of time setting up and configuring DMARC, DKIM and SPF, and the message is delivered to the inbox? We’ll give this organization the benefit of doubt and assume they’re still finetuning and configuring that control.
Yet the most interesting part of this phishing email is the attachment itself – we had never seen an .ODP file type in a phishing email before.
Figure 2: Phishing email delivering an .ODP file masquerading as a COVID-19 preparation guide
In an effort to ensure our customers can detect this new tactic, we wrote a YARA rule to look for any OpenOffice file type. This new search took us back to late January to find the use of the .ODP filetype. It also bubbled up another OpenOffice file type of .ODT, displaying the MS Word icon to the user. In each of these files, the use case for the threat actor was to merely deliver the link to direct to the malicious website.
HOW COFENSE CAN HELP
Yara Rule: PM_LABS_OpenOffice_ImpressFiles
For more information and resources about COVID-19 related phish and malware, visit our Infocenter: https://cofense.com/solutions/topic/coronavirus-infocenter/
Every day, the Cofense Phishing Defense Center analyzes phishing emails that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.
Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.
Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.