RAT in Word document pretending to be Norton security email

Here’s another example of why older .DOC Word documents should be avoided. This time it’s a fake Norton LifeLock email and hacked document.

The Word .doc document has a fake login dialog.

Source: Unit 42

The document executes a known remote access tool, NetSupport Manager. That tool has legitimate uses but has been used by hackers for the last few years.

There’s a fake login dialog with a simple, one-letter password (probably given in the email).

The big mistake is to Enable Macros, especially on a .doc Word file.

It’s very frustrating that many outlets follow the Microsoft party line by talking about ‘Word documents’ without making a distinction between older, less safe, .doc files and the modern .docx/.docm formats.

.docx Word files can’t run macros, so any trickery to fool people won’t work because there’s no code, malicious or otherwise.

Most of the almost weekly reports of infected Word documents involve older .doc files, though you have to read the details very carefully to know that.

Microsoft, for reasons known only to itself, doesn’t mention the .doc / .docx difference even though macro protection was a big reason why the change was made in the first place.
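A defender-side check for the .doc / .docx distinction discussed above, as an added example (not code from Office Watch or Unit 42): it classifies a file by its content rather than its extension, so a renamed attachment is still recognised. The function names, the quarantine/deliver/review policy and the sample files are assumptions constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc compound-file header
ZIP_MAGIC = b"PK\x03\x04"                       # .docx/.docm are ZIP packages

def classify_word_file(data: bytes) -> str:
    """Classify by content, not extension: a renamed file keeps its real format."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"            # old binary format, may carry VBA macros
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "unknown"
    if "[content_types].xml" not in names:
        return "unknown"               # a ZIP, but not an Office package
    # Macro-enabled packages store their VBA project in a vbaProject.bin part.
    if any(n.endswith("vbaproject.bin") for n in names):
        return "ooxml-with-macros"
    return "ooxml-no-macros"

def triage(filename: str, data: bytes) -> str:
    """Hypothetical mail-gateway policy: hold anything that can carry macros."""
    kind = classify_word_file(data)
    ext = filename.lower().rpartition(".")[2]
    if kind in ("legacy-ole", "ooxml-with-macros"):
        return "quarantine"
    if kind == "ooxml-no-macros" and ext == "docx":
        return "deliver"
    return "review"                    # unknown content or extension mismatch

def make_sample_package(with_macros: bool) -> bytes:
    """Constructed sample: a minimal ZIP shaped like a Word package, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage("notice.docx", OLE2_MAGIC + b"\x00" * 504))  # .doc renamed to .docx
    print(triage("notice.docx", make_sample_package(False)))
    print(triage("notice.docm", make_sample_package(True)))
```

A "legacy-ole" result only means the file is in the old macro-capable format; it does not prove macros are present.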

See Unit 42 for a detailed analysis of this latest scam.

About this author

Office-Watch.com
