Malicious invoice hits user inboxes, launches attack with link hover

Most attacks your users fall for involve some form of executable file or macro that needs to be run.

But there’s a current attack, disguised as a common invoice, that takes advantage of an opt-out security feature, and users don’t even need to click on the link it supplies.

Easily enabled … and preventable

The attack vector is Microsoft’s PowerPoint, sent in an email that’s usually titled “RE:Purchase orders #69812” or “Fwd:Confirmation.”

The name of the PowerPoint file itself is “order&prsn.ppsx”, “order.ppsx”, or “invoice.ppsx.”

The file type itself isn’t suspicious: .ppsx is just the presentation-mode version of PowerPoint’s .pptx files, which open in editing mode.

However, these files include a slide that says “Loading…Please wait.”

When users hover over the hyperlink to investigate it, the attack is triggered, running malicious code that uses PowerShell.

From there, it attempts to contact the hacker’s online source in order to download another file.
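For triaging attachments like this one, the Python below lists every hover-triggered hyperlink in a .ppsx/.pptx package and reports where it points. It is an added example, not code from the original article; it assumes the hover trigger is stored as a DrawingML `hlinkMouseOver` or `hlinkHover` element, and the function names, the sample package and the placeholder URL are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# DrawingML hover hyperlinks: hlinkMouseOver on text runs, hlinkHover on shapes.
HOVER_TAGS = {f"{{{A_NS}}}hlinkMouseOver", f"{{{A_NS}}}hlinkHover"}
SLIDE_RE = re.compile(r"ppt/slides/slide\d+\.xml$")

def load_rels(zf, slide_file):
    """Map relationship id -> (target, is_external) for one slide part."""
    path = f"ppt/slides/_rels/{slide_file}.rels"
    if path not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(path))
    return {r.get("Id"): (r.get("Target"), r.get("TargetMode") == "External")
            for r in root.iter(f"{{{PKG_NS}}}Relationship")}

def find_hover_actions(data):
    """Return one finding per hover-triggered hyperlink in a .ppsx/.pptx byte string."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(n for n in zf.namelist() if SLIDE_RE.match(n)):
            rels = load_rels(zf, name.rsplit("/", 1)[1])
            for el in ET.fromstring(zf.read(name)).iter():
                if el.tag not in HOVER_TAGS:
                    continue
                target, external = rels.get(el.get(f"{{{R_NS}}}id"), (None, False))
                findings.append({"slide": name, "action": el.get("action"),
                                 "target": target, "external": external})
    return findings

def build_sample(hover):
    """Constructed, non-functional package: one slide, optional hover link."""
    link = '<a:hlinkMouseOver r:id="rId2"/>' if hover else ""
    slide = (f'<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
             f'xmlns:a="{A_NS}" xmlns:r="{R_NS}"><a:r><a:rPr>{link}</a:rPr>'
             f'<a:t>Loading\u2026Please wait</a:t></a:r></p:sld>')
    rels = (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId2" Type="{R_NS}/hyperlink" '
            f'Target="https://example.invalid/placeholder" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

When scanning real mail attachments, parse the XML with a hardened parser such as `defusedxml` and cap the uncompressed size before reading each part. Hover links are rare in legitimate invoices, so any finding with `external` set is worth a manual look.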

However, the attack can be mitigated if the user has Microsoft Office’s Protected View security feature enabled.

Protected View is a default setting that comes with every Office product, but some IT departments and users have chosen to disable it.

Furthermore, Windows Defender and Office 365 Advanced Threat Protection both block the attack.

But there’s no accounting for users who simply ignore the security advisory alert and enable the attack themselves with a single click.

Circulate details of this attack to your users who handle invoices daily, and make sure Protected View is enabled on each of their machines.

Also make them aware that they shouldn’t take security alerts lightly, and when in doubt, contact IT.