
Fake HR emails with virus

A new wave of fake job applications and responses isn’t caught by Outlook.

Spammers aren’t completely stupid: they have released a new type of infected email that isn’t caught by the Outlook Junk E-mail filter, even when it’s set to ‘High’ (Actions | Junk E-mail | Junk E-mail Options | Options).

They also wait for a ‘new’ junk email filter from Microsoft before they start sending out their latest bulk messages – this gives their new creations at least a month (probably more) of unfiltered access to Outlook users around the world.

The latest examples are messages supposedly from various real companies either offering you a job application or declining your application.

[Image: sample of an infected hr@ message in Outlook]

All of these messages are rigged to come from fake addresses starting with hr@ – a clever choice because that’s a common email prefix for Human Resources departments.

The file attachment is a ZIP file which isn’t normally blocked by Outlook. Inside the ZIP file is an .exe file that any prudent computer user should assume is some nasty infection. The last thing you should do is open the ZIP file, let alone run the .exe file inside.

All the links in the message are genuine links to the real company web site (in our example, thecoca-colacompany.com); however, the message did NOT come from that company. There’s no point in replying to the message or complaining to the company that’s been spoofed – they are as much a victim as the message receivers.


What to do?

Eventually Microsoft will update their Junk E-mail Filter to deal with these messages, but in the meantime you’re on your own.

For many people the best option is simply the delete key – just press that to get rid of the nuisance messages.

However, the manual option might not suit you, or you may be responsible for many copies of Outlook and need a way to handle this nuisance automatically.


Make a Rule

Making a rule to deal with unwanted email automatically is a good idea, if only as a temporary measure until Microsoft catches up. Some care is required to ensure that you trap only the unwanted messages and not any legitimate messages.

As always, we provide this rule not only to help with the current spam but as an example you can adapt to your own needs.

This particular group of messages makes that difficult since the companies are real, hr@ is a common email prefix and it’s also common for HR departments to send attachments with messages. Different companies are spoofed, so checking for the names of particular companies won’t work.

Here’s what we came up with … create a new rule from Tools | Rules and Alerts and make a new rule for messages when they arrive. You can work through the wizard to set what to look for in messages and, importantly in this case, exceptions to the rule.

Firstly, set the conditions to check:



  • Look for the text ‘hr@’ in the sender’s address

  • Only messages which have attachments

  • Messages that have ‘.zip’ somewhere in the message header.

[Image: Outlook rule conditions for the hr@ rule]

Outlook doesn’t have a direct way to test the file name of email attachments. You can try testing for a string in the message header but it doesn’t always work. It does work with the particular spams that we’ve tested. There is a small risk that messages could be trapped accidentally, since the ‘.zip’ test is applied to the whole message header, not just the email attachment name.

We suggest moving the messages to the Junk E-mail folder which is where Microsoft’s filter should put them. A message in the Junk E-mail folder can be searched for and retrieved if detected in error.


Exceptions

That rule might be enough, especially if you don’t usually get messages from human resource departments. But if you do deal with HR then there’s a greater risk that the above rule will move messages you want to see.

To avoid that, add an exception to the general email rule. This will stop certain messages from being moved to the Junk E-mail folder by the main rule.

The spam messages have one shortcoming – they don’t mention you by name. The email addresses are farmed from various sources and usually don’t include names. Even if a name is in the TO: field it usually isn’t included in the message body.

If you make an exception for any messages that have your first or last names in the message body it will help separate messages truly for you from broadcast spam.

The third step in the wizard is about exceptions:



  • Except if the body contains specific words.

[Image: Outlook rule exceptions for the hr@ rule]

The specific words to use are your first and last names separately. If you put your full name in as a single string you’d not exempt messages that are addressed such as:



  • Hello Fred

  • Dear Mr Dagg

Another possible exception is to check for any company you normally deal with. You can do this by adding their name or domain name to the ‘body contains’ list together with your own name.

Or check for the domain name in the incoming email address. Checking for the domain name is more reliable than a specific email address which could change.

[Image: Outlook rule exception by domain name]

You can use one or both of these exceptions as suits your situation.
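
The conditions and exceptions above can be tried against sample messages before the rule is rolled out to many mailboxes. The Python below is an added example, not part of the original article or of Outlook: all function names, the X-Archive header, the example domains and the three sample messages are constructed, and header_text only approximates Outlook's header test by searching every header of every MIME part.

```python
from email.message import EmailMessage
from email.utils import parseaddr

def sender_of(msg):
    return parseaddr(msg["From"] or "")[1].lower()

def header_text(msg):
    # Approximation of "the whole message header": every header of every part.
    return "\n".join(f"{k}: {v}" for p in msg.walk() for k, v in p.items()).lower()

def attachment_names(msg):
    return [(p.get_filename() or "").lower() for p in msg.iter_attachments()]

def header_rule(msg):
    """The article's three conditions, with '.zip' tested against header text."""
    return ("hr@" in sender_of(msg) and bool(attachment_names(msg))
            and ".zip" in header_text(msg))

def filename_rule(msg):
    """Stricter variant: '.zip' must be the extension of an attachment name."""
    return ("hr@" in sender_of(msg)
            and any(n.endswith(".zip") for n in attachment_names(msg)))

def excepted(msg, names, domains):
    """The article's exceptions: recipient named in body, or known sender domain."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    named = any(n.lower() in text for n in names)
    return named or sender_of(msg).rsplit("@", 1)[-1] in domains

def classify(msg, names, domains=(), rule=filename_rule):
    return "junk" if rule(msg) and not excepted(msg, names, domains) else "inbox"

def sample(sender, body, filename, extra_headers=()):
    """Build a constructed test message; attachment bytes are inert filler."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "fred@example.net", "Your application"
    for k, v in extra_headers:
        msg[k] = v
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

SPAM = sample("hr@spoofed.example", "Please review the attached form.", "application.zip")
LEGIT = sample("hr@partner.example", "Dear Mr Dagg, your contract is attached.",
               "contract.pdf", [("X-Archive", "batch-07.zip")])
NO_NAME = sample("hr@partner.example", "Benefits summary attached.", "summary.pdf",
                 [("X-Archive", "batch-07.zip")])
```

Passing rule=header_rule shows NO_NAME being junked because of its X-Archive header, which is the accidental trap described above; the default filename_rule leaves it in the inbox.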
