Upon opening the document, a fake message that “Word hasn’t been activated” is displayed to victims who are prompted to enable the content with a yellow security warning. Once they do, nothing appears to happen. However, what users don’t see is the malicious macro code that will execute once they click on the button.
Criminals are known to capitalize on newsworthy events for scams and other social engineering purposes. In this particular case, Emotet authors are supposedly offering Snowden’s memoir as a Word attachment. We collected emails from our spam honeypot in English, Italian, Spanish, German and French claiming to contain a copy of Snowden’s book in Word form.
This week, Emotet is trying a different tactic, incorporating the news about NSA whistleblower Edward Snowden’s new book Permanent Record as a lure. The memoir, which is already on Amazon’s bestseller list, has been the subject of intense debates. In addition, the US government is also suing Snowden for violating non-disclosure agreements and publishing without prior approval.
To kick off its spam campaign last week, Emotet resumed spear phishing tactics it adopted in late spring 2019, hijacking old email threads with personalized subject lines and appearing as old invoices.
Exactly one week ago, Emotet, one of the most dangerous threats to organizations in the last year, resumed its malicious spam campaigns after several months of inactivity. Based on our telemetry, we can see that the botnet started becoming chatty with its command and control servers (C2), about a week or so before the spam came through.