Damaged Word Documents Used to Bypass Security

Cybersecurity experts have identified a new phishing campaign that exploits the file recovery feature in Microsoft Word. Attackers are sending emails with intentionally damaged Word documents attached, allowing them to bypass security software since the files appear corrupted but can still be recovered using Word’s built-in tools.

How the Attack Works

Researchers at Any.Run report that these damaged documents and emails are disguised as messages from HR or payroll departments. The attachments supposedly relate to payments or bonuses owed to the recipient. When the victim opens the document, Word detects that the file is damaged, displays a message stating “unreadable content was found,” and then offers to recover the file.

The phishing documents are deliberately damaged in a way that makes them easy to recover. Once opened, the victim sees a branded message prompting them to scan a QR code to download the document. If the user scans the QR code, they are redirected to a phishing website that mimics Microsoft’s site and attempts to steal their login credentials.

Why This Tactic Is Effective

Experts note that intentionally damaging documents is a new tactic that helps attackers evade detection. “Although these files work in the operating system, they are invisible to most security solutions because the usual procedures for checking such file types are not applied,” the researchers explain. “The files were uploaded to VirusTotal, but all antivirus solutions reported them as clean or ‘Item Not Found’ because they could not properly analyze the file.”

How to Protect Yourself

Experts remind users that following basic security rules is enough to protect against most phishing attempts. For example, if you receive an email from an unknown sender—especially if it contains attachments—do not open the attachments or click on suspicious links.