CEO Phishing Through a Word Macro

The Network: A prominent hotel chain with several thousand locations worldwide. This problem was at a specific location on the U.S. East Coast.

The Expectation: Prevention defenses are working (AntiVirus, Next Gen Firewall) and monitoring is in place to catch what slips thru the prevention layer.

The Catch: EventTracker Intrusion Detection Service (ETIDS) identified a possible infection in an email attachment going to the on-premise Microsoft Exchange server.

The Find: As many as 4 dozen users were targeted with a phishing email which contained a malicious attachment (a Word document called resignation_letter.doc). An auto enabled macro was embedded in the Word document. Exchange correctly quarantined the emails. However, one user chose to release the email and also double clicked the attachment. The Webroot AntiVirus package did not catch the infection. The word document was uploaded to VirusTotal for analysis where 29 of 53 packages identified the infection as a Trojan.

The Fix: Quarantine the infected laptop. Then review email logs and browser logs to determine possible other infections. And also, re-image the infected laptop before returning to service.

The Lesson: The phishing attack vector continues to be prominent.