Protect against wave of malware that poses as an unassuming invoice

Most attacks your users fall for involve some form of executable file or macro that needs to be run.

But there’s a current attack that’s posing as a harmless invoice – and users don’t even need to click on the link.

Easily enabled … and preventable

The attack vector is Microsoft’s PowerPoint, sent in an email that’s usually titled “RE:Purchase orders #69812” or “Fwd:Confirmation.”

The name of the PowerPoint file itself is “order&prsn.ppsx”, “order.ppsx” or “invoice.ppsx.”

The file type itself isn’t suspicious: .ppsx is the extension for PowerPoint files that open directly in presentation mode, whereas .pptx files open in editing mode.

However, these files include a slide that says “Loading…Please wait.”

When users hover over the hyperlink to investigate, the attack is triggered, running malicious code that uses PowerShell.

From there, it attempts to contact the hacker’s site to download a file.

Luckily, the attack can be mitigated if the user has Microsoft Office’s Protected View security feature enabled.

Protected View is a default setting that comes with every Office product, but some IT departments and users have chosen to disable it.

Windows Defender and Office 365 Advanced Threat Protection both block the attack as well.

But there’s no accounting for users who simply ignore the security advisory alert and enable the attack themselves with a single click.

Here’s what you can do: Circulate details of this attack to your users who handle invoices daily, and make sure Protected View is enabled on each of their machines.

Also make them aware that they shouldn’t take security alerts lightly, and when in doubt, contact IT.
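
One way to check the Protected View recommendation above on a user's machine, as an added example that is not part of the original article. It assumes the Office registry layout in which the `Disable*InPV` values under `PowerPoint\Security\ProtectedView` are set to 1 when Protected View is switched off for a category, and it must run in the user's own session because it reads HKCU.

```powershell
# Added example: audit PowerPoint Protected View settings for the current user.
# Assumption: a Disable*InPV value of 1 means Protected View is off for that
# category; a missing key or value means the default (enabled) applies.
$versions = '14.0', '15.0', '16.0'   # Office 2010, 2013, 2016 and later
$roots = @(
    'HKCU:\Software\Microsoft\Office',           # per-user Trust Center choice
    'HKCU:\Software\Policies\Microsoft\Office'   # Group Policy setting
)
$settings = [ordered]@{
    DisableInternetFilesInPV   = 'files from the Internet'
    DisableAttachementsInPV    = 'Outlook attachments'   # spelling is Microsoft's
    DisableUnsafeLocationsInPV = 'files in unsafe locations'
}

$findings = foreach ($root in $roots) {
    foreach ($ver in $versions) {
        $key = Join-Path $root "$ver\PowerPoint\Security\ProtectedView"
        if (-not (Test-Path $key)) { continue }   # no key: defaults apply
        $props = Get-ItemProperty -Path $key
        foreach ($name in $settings.Keys) {
            # Report only values that exist and are explicitly set to 1.
            if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) {
                [pscustomobject]@{
                    Key         = $key
                    Value       = $name
                    DisabledFor = $settings[$name]
                }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Protected View is disabled for at least one file category.'
} else {
    Write-Output 'Protected View is at its default (enabled) for PowerPoint.'
}
```

A finding under the `Policies` root means the setting was pushed by Group Policy and has to be corrected there rather than on the individual machine.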