We use the olevbmacro detection added to SA. I would guess that's blocking the payload.
On Sun, Jul 11, 2021, 15:00 Kenneth Porter <sh...@sewingwitch.com> wrote:
> --On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall <ja...@jaredsec.com>
> wrote:
>
> > The Word document (without macros) loads an external encrypted Excel file
>
> It has macros. It tricks the user into enabling and running them by telling
> him to enable the document for editing and enabling "content" (i.e. macros).
> Hiding macros from the user in this way (calling them "content") is a
> terrible piece of UI.
>
> > Both articles conclude with the statement "We suggest it is safe to
> > enable them (macros) only when the document received is from a trusted
> > source". I really don't understand that comment since the entire unique
> > nature of the exploit is to disable the macro warnings entirely.
>
> A forged From line means the average Joe will assume the source is trusted.
>
> Another nice analysis, I think with better details, showing how this evades
> the usual scanners:
>
> <https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/>
>
> The Word document is assembled from MIME fragments so there's no extension
> to block.
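The thread's practical point is that neither the filename extension nor the declared Content-Type is a usable block criterion for this campaign, so a filter has to look at the bytes of each MIME part. The script below is an added example, not code from this thread, from SpamAssassin or from its OLEVBMacro plugin. It walks a message and flags, by content alone, the three container forms the quoted discussion touches: a legacy OLE2 compound file, an OOXML zip that carries word/vbaProject.bin, and a text part that embeds base64 blocks carrying the "ActiveMime" marker Office uses for binary streams in MHTML-saved documents. The function names, the sample message and its stub attachments are constructed for the demonstration, and treating the ActiveMime marker as a macro-container indicator is an assumption stated in the code.

```python
"""Content-based triage of macro-capable Office containers in a MIME message.
Added example; not code from the thread, SpamAssassin or OLEVBMacro."""
import base64
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, Iterator, List

# Header of an OLE2 Compound File, the container behind legacy .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Assumption: Office wraps binary streams (including the VBA project) saved into
# MHTML with this marker, so its presence is treated as a macro-container hint.
ACTIVEMIME_MARKER = b"ActiveMime"
ZIP_MAGIC = b"PK\x03\x04"
# A line made only of base64 alphabet characters plus optional padding.
B64_LINE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def classify_blob(data: bytes) -> List[str]:
    """Return container indicators found in one decoded blob (empty if none)."""
    findings = []
    if data.startswith(OLE_MAGIC):
        findings.append("ole2-container")
    if ACTIVEMIME_MARKER in data:
        findings.append("activemime-wrapper")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        # OOXML stores the VBA project as an OLE2 stream inside the zip.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("ooxml-vba-project")
    return findings


def embedded_base64_blobs(text: bytes) -> Iterator[bytes]:
    """Decode runs of consecutive base64-only lines, the way MHTML carries binary parts."""
    block: List[bytes] = []

    def flush() -> bytes:
        joined = b"".join(block)
        block.clear()
        if len(joined) < 64 or len(joined) % 4:
            return b""
        try:
            return base64.b64decode(joined, validate=True)
        except ValueError:
            return b""

    for line in text.splitlines():
        stripped = line.strip()
        if stripped and B64_LINE.fullmatch(stripped):
            block.append(stripped)
            continue
        blob = flush()
        if blob:
            yield blob
    blob = flush()
    if blob:
        yield blob


def scan_message(raw: bytes) -> Dict[str, List[str]]:
    """Map each flagged MIME part (by filename, else index) to its indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report: Dict[str, List[str]] = {}
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        findings = classify_blob(payload)
        # A text body may be an MHTML document whose binary parts are base64 text.
        if part.get_content_maintype() == "text":
            for blob in embedded_base64_blobs(payload):
                findings += ["embedded:" + f for f in classify_blob(blob)]
        if findings:
            report[part.get_filename() or f"part-{idx}"] = sorted(set(findings))
    return report


def build_sample() -> bytes:
    """Constructed sample message with three macro-capable attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "sample"
    msg.set_content("Please see the attached document.")
    # Legacy binary document: only the OLE2 header matters for the check.
    msg.add_attachment(OLE_MAGIC + b"\x00" * 64, maintype="application",
                       subtype="msword", filename="report.doc")
    # OOXML document whose zip carries a stub vbaProject.bin stream.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    # MHTML-style document sent as plain text with no extension; its binary
    # part is a base64 block wrapped at 76 columns.
    inner = base64.b64encode(ACTIVEMIME_MARKER + b"\x00" * 90).decode()
    wrapped = "\n".join(inner[i:i + 76] for i in range(0, len(inner), 76))
    mhtml = ("MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"----=_Part\"\n\n"
             "------=_Part\nContent-Location: file:///C:/editdata.mso\n"
             "Content-Transfer-Encoding: base64\n\n" + wrapped + "\n------=_Part--\n")
    msg.add_attachment(mhtml, subtype="plain", filename="invoice")
    return msg.as_bytes()


SAMPLE_EML = build_sample()

if __name__ == "__main__":
    for name, indicators in scan_message(SAMPLE_EML).items():
        print(f"{name}: {', '.join(indicators)}")
```

The indicators are triage signals, not a verdict: an OLE2 container or a vbaProject.bin stream says the part can carry macros, and the ActiveMime hit says a text part is smuggling an Office binary stream; deciding whether the macro is hostile is the job of a VBA parser such as the one behind SpamAssassin's olevbmacro rules. The value of the content-based approach is that the "invoice" part, which has no extension and claims to be plain text, is still caught.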