The emails - some of which include the recipient's full name and the company they work for in the letter body - inform recipients that they must download a fix to address a zero-day vulnerability affecting Outlook, according to one of the messages posted on the SANS site.
The email, which contains some misspellings, tells the user that if exploited, the flaw can "take full control of the vulnerable computer if the exploitation process is succesfull (sic)." It attempts to dupe users into visiting a site that appears like a legitimate Microsoft page.
A Microsoft spokesman told SCMagazine.com today that users should verify a site's certificate to ensure they are at a legitimate site.
"Spoofing attacks are commonly used in conjunction with phishing," the spokesman said.
Several anti-virus companies identified the malicious emails as containing a trojan downloader.
Earlier this month, researchers warned of an email campaign issuing bogus Microsoft security advisories, which contained a malicious executable that installed a browser add-on to the victim's PC.
.png&h=140&w=231&c=1&s=0)
_(5).jpg&h=140&w=231&c=1&s=0)
.png&h=140&w=231&c=1&s=0)
.png&w=100&c=1&s=0)
Digital NSW 2025 Showcase
_(1).jpg&h=140&w=231&c=1&s=0)
