Now this is low. I was sitting here at my desk working away and a new email just came in…
“Hmmm”, I said to myself, “I don’t know a Nicholas Wood and ‘holatours.com’ doesn’t ring a bell. Wait, something is amiss here. Could this be a phishing email wishing me a Happy Thanksgiving? That would be a new twist.”
To confirm my suspicion (and please DON’T try this at home), I clicked on the Word Doc attachment drop-down menu and selected “preview” to confirm my suspicion…
And this is what I saw…
So nice of Nicholas to provide such detailed instructions on how to view his Thanksgiving card. All I have to do is “Enable editing” and then “Enable content” to view his thoughtful and heart-felt holiday wishes.
STOP!!!
This, folks, is an attempt to deliver malicious content through a Microsoft Word macro. An “Office macro” is a type of programming “language” built into Microsoft Office applications like Word and Excel, and hackers can use it to install malware. Here’s the good news: macros SHOULD be disabled from running automatically by default. You will have to help the hacker deliver the payload by allowing the macro to run when the document is opened, hence the nice instructions in the body of the Word document to “Enable editing” and “Enable content”.
“That’s it”, I thought. “No question, this is a phishing attempt.”
…delete…
So here are the telltale signs to be on the lookout for…
- I don’t know the sender.
- The sender’s email domain is not familiar.
- The three-part sender’s email domain of “mail.holatours.com” is unusual.
- There is an unsolicited attachment.
- The attachment is a Microsoft Word document…which can contain malicious macros.
- Specific instructions inside the Word doc to “Enable editing” and “Enable content”.
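The checklist above can also be run as a first-pass triage over a saved message. This is an added example, not part of the original post: the `KNOWN_SENDERS` address book, the local part of the sender address, the `card.docm` file name and the sample message are all constructed for illustration. It only looks inside zip-based (OOXML) Word files.

```python
import io, re, zipfile
from email.message import EmailMessage
from email.utils import parseaddr

KNOWN_SENDERS = {"friend@example.org"}  # assumption: stands in for your address book
WORD_EXTS = (".doc", ".docx", ".docm", ".dotm")
LURES = ("enable editing", "enable content")

def triage(msg):
    """Return the warning signs from the checklist found in an EmailMessage."""
    flags = []
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = addr.rpartition("@")[2]
    if addr not in KNOWN_SENDERS:
        flags.append("unknown sender")
    if domain not in {a.rpartition("@")[2] for a in KNOWN_SENDERS}:
        flags.append("unfamiliar domain")
    if domain.count(".") >= 2:  # naive: also fires on domains like example.co.uk
        flags.append("multi-part sender domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        flags.append("attachment: " + name)
        if not name.endswith(WORD_EXTS):
            continue
        flags.append("word document")
        data = part.get_payload(decode=True)
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue  # legacy OLE .doc needs a dedicated parser; not covered here
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                flags.append("contains VBA macro project")
            if "word/document.xml" in names:
                xml = z.read("word/document.xml").decode("utf-8", "replace")
                text = re.sub(r"<[^>]+>", "", xml).lower()
                flags += ["lure text: " + p for p in LURES if p in text]
    return flags

def build_sample():  # constructed message mirroring the email described in the post
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:t>Enable editing</w:t> <w:t>Enable content</w:t>")
        z.writestr("word/vbaProject.bin", b"placeholder bytes, not a real macro")
    msg = EmailMessage()
    msg["From"] = "Nicholas Wood <sender@mail.holatours.com>"  # local part constructed
    msg.set_content("Happy Thanksgiving! See the attached card.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="card.docm")
    return msg
```

Calling `triage(build_sample())` returns every sign from the list. A lure rendered as an image, as is common, would not trip the text check, so the macro-project flag is the more reliable of the two.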
One last item that I found interesting. While writing this post, I misspelled “holatours.com” as “nolatours.com”. Before I noticed the misspelling, I thought, “wait, is that the company I found on Trip Advisor that we booked for that fantastic walking food tour of the French Quarter the last time we vacationed in New Orleans?”
No, it’s a different company but man, that is uncanny. I can’t imagine this being anything but coincidence…or was it? An “h” sure looks like an “n” at first glance.
Final thought: be careful what you post on social media. It can be used in exactly this manner to lend credibility to an attacker’s message and help lower your guard because it seems somehow familiar and relevant. Oh, and if you’re ever in the French Quarter, these guys and gals do a fantastic job. https://noculinarytours.com/
Let’s be safe out there.