More Fake DHL invoices delivering Remcos RAT via office XML files

An old favourite lure with this email with the subject of “DHL Shipping of Original invoice B/L dated 26/10/2018” pretending to come from DHL EXPRESS – < noreply@dhl.com >  with a malicious word doc attachment  delivers Remcos RAT The idea of Fake DHL invoices or delivery notes is nothing new. What is different about this campaign is the way the criminals are using non standard Office XML files with base 64 encoded sections  containing the macros instead of proper office ( word) docs. These still open in Microsoft Office and will run. They still open in Protected view mode, so Continue reading →