Hackers Use Hovering to Deliver Latest Malware Attack



Dena Bauckman

Malware is most commonly delivered in an email attachment, and it’s common for the attachment to be a Microsoft Office document. What is uncommon is a new attack where malware is delivered when the user hovers their mouse over a link – without clicking – in a PowerPoint slideshow.
In this latest type of attack, the user is sent an email with a PowerPoint slideshow attached that has a name such as order.ppsx or invoice.ppsx and a subject of “Purchase Order #12809” or “Confirmation.” When the user clicks on the attachment, they get a screen with a hyperlink that says “Loading please wait.” If the user simply hovers their mouse over the link, PowerShell code is executed. At this point, most versions of Microsoft Office will display a security warning that allows the user to continue by clicking “Enable.” If the user clicks “Enable,” malware is downloaded and executed on the user’s machine.

Although the attack requires the user to click on an attachment from a potentially unknown sender and then click “Enable” on the Microsoft security warning, we all know there are users who will click. Users often don’t think of Microsoft Office files, and especially PowerPoint files, as being dangerous. Unfortunately, they also have become desensitized to the Microsoft security warnings and typically click “Enable” without a second thought. But the real issue for users in this attack is that simply hovering over the link is what launches the attack. Users have been trained to hover over hyperlinks to determine if the underlying link looks malicious. Since the user did not click on the link, they won’t associate the security warning with their action of hovering over the link and are more likely to click “Enable” to get the PowerPoint slideshow to start.
Training your users on email threats and how to protect themselves is critical, but as this attack shows, attackers are continuously finding new ways to trick the user. In addition to user training, it is critical to make sure you have a threat protection solution that can identify the latest threats and prevent them from ever getting to your users.
ZixProtect uses highly accurate multi-layer filtering to identify unwanted and malicious emails. Analysis is done by a series of filters that look for increasingly complicated attacks. Filtering starts with basic IP and URL filtering and then moves through more complicated phrase and pattern filtering that identifies content in email designed to trick a user into clicking. Emails are then subjected to malware filtering that examines attachments to detect if there is dangerous malware or ransomware hidden within. To keep on top of the changing threat landscape, our live threat analysts work around the clock reviewing live email traffic and updating the filters to stop even the latest of threats.
To learn more about ZixProtect, register for our free, 30-day trial or visit the product web page.