A phishing campaign of millions of messages has been aimed at organisations in the UK and US. Discovered by Proofpoint, the campaign uses as bait an authentic voice message containing an LNK attachment, an unusual method of delivering malware.
The technique was used in a relatively restricted manner. Only one unique file was detected, and errors in the scripting meant it generally failed to perform on target systems.
Some mail client versions did not show the attachment and replaced it with a warning message that the file was possibly unsafe. Organisations that follow email security best practices normally treat LNK files the same as executables (EXE) and strip them from messages prior to delivery.
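The stripping rule described above, sketched as an added example (not code from Proofpoint or the original article). The function names and the sample message are constructed for illustration, and the content check against the Shell Link header goes beyond the extension-only rule in the text so that a renamed shortcut is also removed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# MS-SHLLINK header: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
BLOCKED_EXT = (".lnk", ".exe")  # assumption: policy treats LNK like EXE, as the article describes

def is_blocked(part) -> bool:
    """Match on file name or on content, so a renamed shortcut is still caught."""
    name = (part.get_filename() or "").lower().rstrip(". ")
    data = part.get_payload(decode=True) or b""
    return name.endswith(BLOCKED_EXT) or data.startswith(LNK_MAGIC)

def strip_blocked(raw: bytes):
    """Return (cleaned message, names of removed attachments)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []

    def walk(container):
        kept = []
        for part in container.get_payload():
            if part.is_multipart():
                walk(part)          # nested multipart or forwarded message
                kept.append(part)
            elif is_blocked(part):
                removed.append(part.get_filename() or "(unnamed)")
            else:
                kept.append(part)
        container.set_payload(kept)

    if msg.is_multipart():
        walk(msg)
    return msg, removed

def build_sample() -> bytes:
    """Constructed test message: body, a shortcut renamed .wav, a text file, a .LNK file."""
    m = EmailMessage()
    m["Subject"] = "New voice message"
    m.set_content("You have a new voice message.")
    m.add_attachment(LNK_MAGIC + b"\x00" * 56, maintype="application",
                     subtype="octet-stream", filename="voicemail.wav")
    m.add_attachment("meeting notes", filename="notes.txt")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="Message.LNK")
    return m.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_blocked(build_sample())
    print("removed:", removed)
```

A gateway would log the removed names and deliver the cleaned message; a message whose only part is the attachment itself is outside what this sketch handles.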
This campaign showed that the LNK format lives up to its reputation as a potentially effective technique. As a whole, it shows that threat actors are continuing to innovate and experiment with new delivery and masking techniques to stay ahead of adjusting defences. Imagine how easy it will be for cyberattacks to take place either via apps with the ability to open web links, or inside enterprise communication services such as Slack, Yammer and HipChat.