This example is an email with the subject “New fax message” coming from “noreply@confidentialfax.com”. For a change, the Trickbot criminals are not spoofing or typo-squatting any well-known brand, company or government department. Instead they are using a generic domain that looks realistic & believable. It looks like these criminals have added additional anti-analysis and anti-sandbox / anti-VM protections to both the macro-enabled Word doc & the payload, probably by adding a list of blocked IP addresses to the malware to stop known researchers & sandboxes from running it. They have also added the recipient's email address into the …