This example is an email containing the subject of ” You have received a Secure Doc message from Citi Secure Email Server ” pretending to come from Citi Group but actually coming from “noreply@securemailcenter-citigroup.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. As in today’s earlier example of Trickbot targeting the UK, this also copies the system default PowerShell files to the user temp folder and runs it from … Continue reading →