What is the threat?
A recent phishing campaign that uses legal threats against businesses has been detected. Businesses are receiving emails that claim to be from law firms and notify them that they are being sued. The emails have a Microsoft Word document attached that contains a trojan, which installs additional malware on the computer once clicked. The phishing emails typically inform the recipient that he or she is being sued and instruct them to open the attached file and respond as soon as possible. The email claims that the recipient is being charged by the city and has 7 days to respond before action is taken against them.
Why is this noteworthy?
Malicious actors are resorting to legal threats to induce fear in targets in order to make money. Phishing kit templates are being sold on the dark web as well as underground. The malicious actors can customize the wording of the email and choose from 5 different booby-trapped Microsoft Word files to distribute the malware using a trojan. Even 10 days after the scam started, very few anti-virus products were able to detect the files used in these phishing emails as malicious. The law firm domain "wpslaw.com" that is being spoofed in this scam redirects to the actual website of RWC LLC, a legitimate Connecticut-based firm, which adds a layer of authenticity to the email.
What is the exposure or risk?
The malicious actors use the Microsoft Word files attached to the email to install any malware of their choice onto the victim's device. Once the attachment is clicked, malware is downloaded to the host. The trojan detected in the email has also previously been associated with ransomware. System compromise and data leakage are the main risks associated with this scam campaign.
What are the recommendations?
SkOUT recommends always verifying the authenticity of the sender by contacting the organization it claims to be from through its address or telephone number before interacting with or responding to any email. If you are not expecting correspondence from that sender, delete the email without opening it. Do not click on any links or attachments in the email. Instead, type the URLs manually into your browser or use previously created bookmarks to access any websites or pages referenced in the email links.
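For mail administrators, the traits described in this advisory (a sender at the spoofed domain, a Word attachment, legal-threat wording and a short deadline) can be checked together when triaging reported messages. The following is an added example, not SkOUT's own tooling; the keyword patterns, the `triage` function name and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators from the advisory; the keyword patterns are assumptions.
SPOOFED_DOMAINS = {"wpslaw.com"}
WORD_EXTENSIONS = (".doc", ".docx", ".docm")
LEGAL_TERMS = re.compile(r"\b(sued|lawsuit|legal action|charged)\b", re.I)
DEADLINE = re.compile(r"\b\d+\s+days?\b", re.I)

def triage(raw_message):
    """Return the reasons a raw RFC 5322 message matches the campaign's traits."""
    msg = message_from_string(raw_message)
    reasons = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in SPOOFED_DOMAINS:
        reasons.append("sender-domain")
    text = msg.get("Subject", "")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(WORD_EXTENSIONS):
            reasons.append("word-attachment")
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += "\n" + payload.decode(part.get_content_charset() or "utf-8", "replace")
    if LEGAL_TERMS.search(text):
        reasons.append("legal-threat")
    if DEADLINE.search(text):
        reasons.append("deadline")
    return reasons

# Constructed sample message (not a captured email from the campaign).
SAMPLE = """\
From: "Legal Department" <notice@wpslaw.com>
Subject: Notice: you are being sued
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You are being charged by the city. Respond within 7 days.
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="complaint.doc"

constructed placeholder
--b1--
"""
```

A match is a reason to hold the message for review, not proof of malice: the From header is easily forged, and the spoofed domain resolving to a real firm's website says nothing about who sent the email.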
For more information, please visit the following link:
For detailed instructions on handling Phishing Emails, please visit the following links:
If you have any questions, please contact our Security Operations Center.