Microsoft’s cybersecurity team is investigating a dangerous and sophisticated scam involving Office, phishing methods via email, social engineering from an illegal call center, and malicious code via Excel spreadsheets. All these elements converge on an effective strategy to bypass security systems and hijack victims’ data with the help of ransomware.
The threat, identified as “BazaCall,” has been circulating since January, but it has now set off alarm bells across Microsoft’s global network of security experts. It is a scam aimed at Windows and Office 365 users.
It all starts with the arrival of an email saying that the free trial of a given piece of software is coming to an end. The email also says that the company already has the user’s payment details and will proceed to debit them, since the user has agreed to continue using the software.
We’re tracking an active BazaCall malware campaign leading to human-operated attacks and ransomware deployment. BazaCall campaigns use emails that lure recipients to call a number to cancel their supposed subscription to a certain service. pic.twitter.com/RS5wGSndhv
– Microsoft Security Intelligence (@MsftSecIntel) June 22, 2021
A very well thought out Office scam
Cybercriminals do not actually have the victims’ payment details, but they use this claim to make the Office scam convincing. The email shows a phone number to call, supposedly to cancel the subscription. When victims call the number, an operator sends them a link to download a file.
The Excel file is supposed to let the user cancel the service. However, when the user tries to open it, Microsoft Office shows a security warning. If the user clicks “Enable content”, a malicious macro runs that opens the door to installing Cobalt Strike, which is used to steal data and credentials, including the Active Directory (AD) database.
AD databases hold an organization’s identity and access credential information. Ultimately, victims of this scam can also be infected with ransomware that encrypts the contents of the computer and demands a ransom to recover the files.
Microsoft notes that because the email carries no malicious attachment, software-based security systems have difficulty detecting the Office scam; it is the victim who completes the attack chain by phoning the attackers.
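Because the lure carries neither an attachment nor a link, a mail filter has only the text of the message to work with. The following heuristic is an added example, not Microsoft’s detection logic or part of the original article: it scores a message on the BazaCall lure traits described above (trial ending, payment details “on file”, a phone number to call to cancel, and no attachment or link), using constructed sample emails.

```python
import re
from dataclasses import dataclass

# Lure vocabulary drawn from the BazaCall description: trial ending,
# payment details already on file, call a number to cancel.
TRIAL_TERMS = ("free trial", "trial period", "subscription", "renew", "payment details")
CALL_TERMS = ("call", "phone", "contact us at", "cancel")
# Loose phone-number pattern: optional +, a digit, 7+ digits/separators, a digit.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
THRESHOLD = 6  # assumed cut-off for this heuristic; tune against real mail


@dataclass
class Mail:
    subject: str
    body: str
    has_attachment: bool
    has_link: bool


def score_mail(m: Mail) -> int:
    """Return a lure score; higher means closer to the BazaCall pattern."""
    text = f"{m.subject}\n{m.body}".lower()
    score = 0
    if PHONE_RE.search(text):                       # a number to call back
        score += 2
    score += min(2, sum(t in text for t in TRIAL_TERMS))  # trial/billing pretext
    if any(t in text for t in CALL_TERMS):          # asks the reader to call/cancel
        score += 1
    if not m.has_attachment and not m.has_link:     # callback-only lure: nothing to scan
        score += 2
    return score


def is_bazacall_lure(m: Mail) -> bool:
    return score_mail(m) >= THRESHOLD


# Constructed samples (not real messages).
LURE = Mail("Your free trial ends today",
            "Your free trial period is ending. We already have your payment details "
            "on file and will charge the subscription fee. To cancel, call 1-800-555-0199.",
            has_attachment=False, has_link=False)
RECEIPT = Mail("Your invoice for March",
               "Thanks for your payment. The invoice is attached. Questions? Reply to this email.",
               has_attachment=True, has_link=False)
RENEWAL = Mail("Your subscription renews next week",
               "Renew or cancel any time from your account page. Support: +1 555 010 0123",
               has_attachment=False, has_link=True)


def triage(mails: list) -> list:
    """Return the subjects of messages that match the lure pattern."""
    return [m.subject for m in mails if is_bazacall_lure(m)]
```

A legitimate renewal notice with a support number still scores below the threshold here only because it offers a self-service link; the heuristic is a triage signal, not a verdict.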
To avoid this scam and other threats, keep the operating system and the rest of the software updated, including the Office applications. Additional security solutions will also help detect attacks in time. Above all, do not open suspicious emails, and be very careful when downloading any kind of file.