This sneaky phishing attack is a new take on a dirty old trick

At this time of year, an email about your annual benefits or bonus may not seem unusual. So you open the attached Word document, only for the app report that the file is corrupted but can be recovered. If you choose to recover the content, much less scan the QR code that appears, boom—you’ve fallen prey to a phishing attack. 

As reported by BleepingComputer, users tricked by this scheme are routed to a fake Microsoft login page that steals credential info if it’s entered. And because the sketchy content isn’t immediately scannable within the document, this ploy can evade antivirus software. The phishing attack may not be anything new, but this method of deployment is.

Fortunately, the primary solution to protect yourself is the same as ever—be wary about opening email attachments. Don’t open files sent by unknown or unexpected senders and even consider if a trusted contact has real cause to pass them along.

You can take other steps for safety, too, like being cautious of links in messages unless you requested the email. You’re better off opening a browser tab, navigating to the official website for the service, and then entering your credentials.

These two images show how the prompt for recovering a corrupted Word file looks, as well as the resulting malicious QR code that appears. (Source: BleepingComputer.com)

Switching to passkeys as your way of logging into your account also reduces the risk of falling for a phishing scheme. Unlike passwords, passkeys are tied to the device they were created on (or service, if you save them to a password manager). The decryption process involves communication between the device and the website, so if someone tries to use a direct copy of a passkey, the attempt will fail.

If passkeys aren’t an option, enabling two-factor authentication provides additional login protection. An attacker can’t use just your password to get into your account—they’ll need access to your 2FA codes or hardware token, too. (Which sometimes they do try to steal too, but it is more effort).

Finally, always remember that phishing attacks require your participation. Take a little extra time to think through what’s being asked of you. For something like this phony Word doc, would your company’s HR department really make you scan a QR code in a document to get benefits or bonus information? The answer should be no.

(If the answer is yes, please put your company’s IT department in touch with the HR department).