The end-of-year holidays are a lucrative time for phishing attackers and spammers as they try to leverage the festive season to victimize online consumers. This season also puts pressure on the retail industry to build up their inventory to meet the seasonal demand. Netskope Threat Research Labs has been tracking multiple campaigns where phishing emails are crafted to target the retail industry. The email body observed in these campaigns is specifically crafted to lure the warehouse managers and other smaller firms who provide inventory support to larger retail businesses. Netskope Threat Protection detects these malicious MS Office file attachments as Trojan.Valyria.111 and the dropped payload as Gen:Variant.Graftor.421418.
Attack Vector
As mentioned earlier the attack vector arrives as an email with an attachment as shown in Figure 1.
Figure 1: Email example targeting specific businesses
The email contains a weaponized Microsoft Excel or Word document file with embedded macros. In a number of enterprises, email attachments are often automatically synced to cloud storage services using file collaboration settings in popular SaaS applications and third-party applications. Since the file names appear less suspicious, they are more likely to be viewed as coming from within the organization (and therefore trusted) and shared with others in the same user group thereby resulting in a CloudPhishing fanout effect.
The doughnut chart shown in Figure 2 depicts the top enterprise cloud applic