A novel phishing campaign has been discovered that uses corrupted Microsoft Word documents to bypass traditional security measures.
This attack, uncovered by the malware hunting company Any.Run, exploits Microsoft Word's recovery option by sending intentionally corrupted Word documents as email attachments. These emails appear to come from payroll and human resources departments and revolve around themes of employee benefits and bonuses.
When the user opens the attachment, Word detects that the file is corrupted and asks if they want to restore it. Once restored, the document displays a message asking the target to scan a QR code to obtain another document. Scanning the QR code directs the user to a phishing website posing as a Microsoft login page to steal login credentials.
The corrupted state of the documents helps them evade security software: scanners and sandboxes that cannot parse a damaged Word file often do not flag it as malicious, whereas Word's built-in recovery mode is designed to salvage exactly this kind of file. Almost none of the attachments used in this campaign have detections on VirusTotal; the few exceptions are flagged by only two vendors. This is likely because the documents contain no malicious code at all, only an embedded QR-code image, so there is nothing for a signature-based scanner to match.
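The evasion works because a strict parser that cannot open the file fails open instead of failing closed. The following is an added example (not code from the original article, Any.Run, or BleepingComputer) of a triage check that closes that gap: it builds a constructed, minimal DOCX-like zip, deliberately damages its end-of-central-directory record so standard zip parsers reject it, and then carves the raw local file headers to see whether recoverable Word parts and embedded media (a likely QR-code image) are still present. The sample file, the function names, and the "suspicious" heuristic are all assumptions made for this illustration; it demonstrates the general idea of inspecting a corrupt container rather than any specific campaign sample.

```python
import io
import struct
import zipfile

# Signature of a zip local file header; one precedes every stored member.
LOCAL_HEADER_SIG = b"PK\x03\x04"
# Signature of the end-of-central-directory record that strict parsers rely on.
EOCD_SIG = b"PK\x05\x06"


def build_sample_docx(corrupt: bool) -> bytes:
    """Construct a minimal DOCX-like container (constructed sample, not a real lure).

    When ``corrupt`` is True the EOCD record is zeroed out, which is enough to make
    zipfile reject the file while every member's local header and data survive,
    mirroring a file that Word's recovery path can still salvage.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(
            "word/document.xml",
            "<w:document><w:body><w:p>Scan the code to view your bonus letter</w:p></w:body></w:document>",
        )
        # Placeholder image bytes standing in for a QR-code graphic (constructed).
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    data = buf.getvalue()
    if corrupt:
        eocd = data.rfind(EOCD_SIG)
        data = data[:eocd] + b"\x00" * (len(data) - eocd)
    return data


def carve_local_headers(data: bytes) -> list:
    """Recover member names by walking local file headers, ignoring the central directory."""
    names = []
    pos = 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            break
        # Offsets 26 and 28 of the local header hold the name and extra-field lengths.
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30 : pos + 30 + name_len].decode("utf-8", "replace")
        names.append(name)
        pos += 30 + name_len + extra_len
    return names


def triage_docx(data: bytes) -> dict:
    """Classify a document: parseable, corrupt-but-recoverable, and whether it carries media."""
    result = {"parses": False, "members": [], "media": [], "suspicious": False, "reason": ""}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            result["parses"] = True
            result["members"] = z.namelist()
    except zipfile.BadZipFile:
        # Strict parsing failed: do not fail open. Carve what Word's recovery would see.
        result["members"] = carve_local_headers(data)
    result["media"] = [n for n in result["members"] if n.startswith("word/media/")]
    if not result["parses"] and "word/document.xml" in result["members"]:
        result["suspicious"] = True
        result["reason"] = "corrupt OOXML container that still carries recoverable Word parts"
        if result["media"]:
            result["reason"] += "; embedded image present (possible QR-code lure)"
    return result


if __name__ == "__main__":
    for label, sample in (("intact", build_sample_docx(False)), ("corrupt", build_sample_docx(True))):
        verdict = triage_docx(sample)
        print(label, "parses=%s suspicious=%s media=%s" % (verdict["parses"], verdict["suspicious"], verdict["media"]))
        if verdict["reason"]:
            print("  reason:", verdict["reason"])
```

The point of the heuristic is the combination, not either signal alone: a document that a standard parser rejects but that still contains a `word/document.xml` and media parts is precisely what a "recover this file?" lure looks like from the scanner's side. A real deployment would route such files to a sandbox that exercises Word's recovery flow and then decode any image it renders, since the QR code itself carries the phishing URL.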
Sources: https://www.bleepingcomputer.com/news/security/novel-phising-campaign-uses-corrupted-word-documents-to-evade-security/; https://controld.com/blog/phishing-statistics-industry-trends/; https://www.sci-tech-today.com/stats/phishing-statistics/
Commentary
The source describes the campaign above as "novel". Some of the methods may be new (as opposed to novel), such as the use of a QR code as the delivery mechanism, but attaching a corrupted Word document, dressing it up as something to do with employee benefits or bonuses, and eventually steering the target to a spoofed login page is a common play from the social engineering playbook.
The problem for everyone is that phishing is not showing signs of slowing down in any manner.
According to the statistics sources cited above, phishing attacks rose by 12 percent in 2024, driven by more advanced methods and better-targeted scams. About 1.2 percent of all email is malicious, which works out to roughly 3.4 billion phishing emails sent every day.
Around 90 percent of data breaches include phishing, making it a key method by which cybercriminals attack organizations. Compressed archives (ZIP, RAR, 7z) are also frequently used – about 37 percent of phishing attachments are archives, and around 30 percent are document files (often containing macros or malware).
Microsoft is the most impersonated brand, with over 20 percent of phishing attacks pretending to be from that organization.
The final takeaway: to avoid being socially engineered by phishing, never open an attachment, follow a link, or scan a QR code from someone you do not know, or from a message you are not expecting, even when it appears to come from someone you do know. Additionally, learn the signs of phishing.
Below is a checklist of warning signs:
- Unsolicited or unexpected messages that request or demand action or a response
- Messages suggesting or threatening that bad consequences will occur if there is not a response
- Threatening messages appearing to be from those in positions of power or authority and/or government agencies
- Messages that create a sense of urgency by requesting or demanding an immediate response
- Requests for personal identifiers, credentials, and/or financial information
- Unsolicited or unexpected requests to wire or transfer money
- Requests to transfer money to non-approved or unknown bank accounts or financial institutions
- Unexpected requests to send gift cards or cash cards, or to transfer cryptocurrency
- Offers that appear "too good to be true"
- Messages from an unfamiliar sender
- Unsolicited messages from a foreign sender asking you to act as an agent or perform acts on their behalf
- Messages from a known or familiar sender that are sent from an unknown domain/address
- Messages with unsolicited attachments or links
- Unsolicited messages requesting employment with attachments or links
- Requests or demands to override normal protocols, bypass procedures, or act outside the scope of given authority
- Attachments or links with unfamiliar or suspicious file extensions
- Messages with generic greetings
- Word choice or phrasing that is unusual for the sender
- Spelling and/or grammar errors
- Impersonation of well-known companies or government agencies
- Messages sent at unusual times from businesses or agencies
- Impersonation of a coworker or acquaintance from an unknown domain/address