Analysis by: Maela Angeles

We recently sourced Thanksgiving-themed spam emails carrying .doc attachments. The messages have a holiday-related subject line and arrive from a sender address in a rather unusual format, which is a telltale sign of malicious intent.

Sender line on Windows Live Mail: name@somedomain.netname@somedomain.org

Sender line on Mozilla Thunderbird: 'name@somedomain.netname'@somedomain.org>

The images below are just some examples of the unusual formatting as displayed by email clients:

As mentioned, this spam campaign uses a Word document attachment, which Trend Micro already detects as Trojan.W97M.POWLOAD.NSFGAICM.

According to some researchers, the campaign could be related to Emotet. Based on Smart Protection Network feedback, recent top Emotet attachment filenames include Untitled-11212018-2509077.doc, Greeting-Card.doc, greeting-card.doc, Thanksgiving-Day-wishes.doc, and Greeting-Card-2018.doc.
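
The sender format and .doc attachment described above can be turned into a simple mail-triage check. The following is an added example, not Trend Micro's detection logic: the function names and the example.* addresses are constructed, and treating the text after the last `@` as the sender domain is an assumption about how the quoted sender lines resolve.

```python
import re

# Address-like token: text@host, stopping at characters a client would
# treat as delimiters (quotes, brackets, whitespace).
ADDR_TOKEN = re.compile(r"[^\s<>\"'@,;]+@([A-Za-z0-9.-]+)")
ANGLE_ADDR = re.compile(r"<([^<>]*)>\s*$")

def sender_anomalies(from_value):
    """Return reasons a From value matches the format shown above."""
    value = from_value.strip()
    m = ANGLE_ADDR.search(value)
    # Routable address: inside <...> if present, else the whole value
    # (stray brackets left by a client rendering are dropped).
    addr = m.group(1) if m else value.strip(" <>")
    display = value[:m.start()] if m else ""
    local, _, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    reasons = []
    if "@" in local:
        reasons.append("local part contains '@'")
    for where, text in (("local part", local), ("display name", display)):
        for tok in ADDR_TOKEN.finditer(text):
            shown = tok.group(1).lower().rstrip(".")
            if shown != domain:
                reasons.append(f"{where} shows {shown}, sender domain is {domain}")
    return reasons

def triage(from_value, attachment_names):
    """Flag a message when an anomalous sender accompanies a .doc file."""
    reasons = sender_anomalies(from_value)
    has_doc = any(n.lower().endswith(".doc") for n in attachment_names)
    return {"suspicious": bool(reasons) and has_doc, "reasons": reasons}

# The first two sender lines are the client renderings quoted on this page;
# the remaining entries are constructed for illustration.
SAMPLES = [
    ("name@somedomain.netname@somedomain.org", ["Greeting-Card.doc"]),
    ("'name@somedomain.netname'@somedomain.org>", ["Thanksgiving-Day-wishes.doc"]),
    ('"alice@example.net" <bob@example.org>', ["greeting-card.doc"]),
    ('"alice@example.org" <alice@example.org>', ["report.doc"]),
    ("Alice Example <alice@example.org>", ["notes.doc"]),
]

if __name__ == "__main__":
    for sender, files in SAMPLES:
        print(triage(sender, files)["suspicious"], sender)
```

A display name that repeats the sender's own address is not flagged, so the check only fires when the text shown to the user names a different domain than the one the message actually uses.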

Trend Micro customers are protected from this email threat. Users are advised to always be cautious about opening email attachments, especially those from unknown senders, regardless of how enticing or curious the subject line may be.

 SPAM BLOCKING DATE / TIME: 19 November 2018 GMT-8
 TMASE
  • TMASE Engine: 8.0
  • TMASE Pattern: 24234