Just days before Christmas we observed a surge in spammed emails that take take advantage of the widely celebrated event.
One of the recent spam attacks we saw contained a malicious document entitled “Christmas Offers”. The email has the same title listed as its email subject but doesn't contain any text in the body. Opening the attached document leads to a Microsoft Word file with macros enabled. Once the user enables the macros, a malicious file is downloaded into the system. We detect this malicious document as TROJ_MDLOAD.WPV.
Another spammed message we found attempts to pass itself off as a newsletter from 'Santa's Mailroom'. The email's structure contains salad words inserted into the HTML code in order to avoid being detected by traditional spam filters.
The links used in this attack varies from one sample to another. They use newly-registered domains and are able to bypass web filters. These hoax Santa newsletters will redirect users to more advertising or phishing websites.