I wish Abrams would take a survey on how many fell for this. Might be very enlightening. https://www.bleepingcomputer.com/ne...spam-containing-password-protected-word-docs/
Two users at my job today received these. Went through our spam and AV filters. I uploaded them to VirusTotal this morning and they came back clean. Just uploaded again and still nothing. What gives? Both end users did not do anything with them, thankfully.
The malware dropper is a packed and obfuscated .js file. Until it is unpacked and unobfuscated, it cannot be detected by AV signatures. One reason the AMS interface was built into Win 10. If AV vendors use it, it will intercept PowerShell, wscript, and jscript files as they decloak and allow AV vendors to scan them prior to execution.
I figured as much. That will be the day when that happens, brother! We use Sophos at work and I submitted both files to them. They replied back today saying they now have signatures for them. However, when tested, it did not seem to do anything. Unless they are just blocking and detecting upon execution? Not sure.
If this is the case, there should be something in the Sophos log files about the detection and auto quarantine.