Does it feel like you’re getting an email update from everyone you’ve ever done business with about how their company is handling COVID-19? A spike in corporate email messages meant to keep customers informed has provided a valuable opening for bad actors to exploit as they mount new phishing attacks. 

The United States Secret Service recently released an alert detailing how cybercriminals are imitating corporate email. These poison pen letters aim to encourage the impersonated company’s clients to open infected attachments or click links that take them to faux-official webpages in order to harvest credentials, install keyloggers, and lock down systems with malware.

The noxious attachment in question is often disguised as an MS Office or WordPad file, as hackers aim to take advantage of a potential weak point in MS Office. CSO reports that these attacks are designed to exploit the ancient Microsoft Office memory corruption vulnerability that was patched in 2017 but was still involved in more than 600 incidents in 2019.

How can your company avoid becoming the next victim?   

Keeping your users and systems up to date is the key to avoiding cleverly disguised phishing attacks, and an essential defense against malicious intrusion into your systems and data.