Malicious copier or scan documents in email

Be very skeptical when you receive emails with attachments that claim to come from your scanner, copier, printer, etc.  Hackers can make these phishing attempts appear authentic by spoofing the email headers so the message looks like it comes from your own email domain (e.g. noreply@yourcompany[.]com).

You should always be leery of random emails, but some look legitimate and resemble things we receive on a regular basis, which causes us to lower our guard.  One such instance is an email with an attachment that says it came from your copier, such as "copier@yourcompanyemail.com".  At first glance, it looks legitimate.  You scan documents from your copier/scanner quite often and email them to yourself.  Maybe you scanned and sent one the day before, and when this email came in you thought it had been stuck in the copier and just came over, or that it was a duplicate.

If you didn't scan a document to send to yourself via email in the past few minutes, I would not open the attachment.  If for some reason there was a delay between the copier/scanner sending the document and the email arriving, I would rescan the document to be sure.  If you scanned something and it never showed up, but then you received an email from the copier hours later, I would delete the email and go back to the scanner to resend the document.

Malicious attachments are being sent to people in emails that pretend to come from their scanner/copier.  I've seen many of them at work.  Below are a few screenshots/examples.

The phishing attempt pictured above was very convincing, because it was spoofed to make it look like it originated on the receiver’s email domain.  For example, if the person’s email was John.Doe@mycompany.com, the email was from “noreply@mycompany.com”.  A closer look at the headers revealed that wasn’t the case, but unless someone knew to look at the headers they wouldn’t have realized that. 

Here are some tips you can follow if you happened to receive the email above:

  • If you work for a business, report it to your IT Security staff immediately!
  • The password needed to open the document is the first sign something isn’t right.  I’ve never done this myself, but even if I did password protect a document I scanned and emailed to myself, I’m sure the scanner wouldn’t include the password in the email.  Even if you did password protect the file, or your company does, and the scanner does include the password, does the password in the email match what you or your company put into the scanner?  I would assume the answer is no.  Even if it does match, I would ask a lot of questions of people (IT Security, HR, help desk, etc.) before I even thought about opening it.
  • The document came from a Sharp MX-2600N.  If your office doesn’t have a scanner like that, it would be another warning sign.  Even if your office did have that model of scanner, there are enough other warning signs to indicate this email isn’t to be trusted.
  • Scanners do not usually include “Reply to:” in the body of the email…or at least in my experience that has been the case.  I'm not sure scanners usually include the “Resolution” either.

The email with the attachment.  It would be from your email domain such as yourname@yourcompany.com.

When opening the attachment, it asks you to open an additional docm document.

Opening the docm document asks you to enable macros, which we know is a warning sign.

The best tip in all these cases: if you didn’t scan and email a document to yourself in the past few minutes, I would delete the email and ignore it.  If you did scan and email yourself a document recently, see if it matches past emails sent to you from the scanner by searching your email for previous such instances.  If anything looks out of place, such as you don't remember seeing it come from "noreply", you never entered a password, or the scanner doesn't normally include a password, delete it, go back to the scanner, and do the process again.  It's better to be safe than sorry, especially if it takes only a few minutes out of your day.
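
The header check and the warning signs described above can be run against a saved message. The following is an added example, not part of the original post, using Python's standard `email` module; the sample message, the `triage` function and its sign labels are constructed for illustration. It only sees what is visible at the mail level, so a docm nested inside another attachment is not detected.

```python
import email.policy
import re
from email.utils import parseaddr

# Constructed sample, not a real capture. mycompany.com is the recipient's domain.
SAMPLE = b"""\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.mycompany.com; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=mycompany.com
From: noreply@mycompany.com
To: John.Doe@mycompany.com
Subject: Scanned image from MX-2600N
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reply to: noreply@mycompany.com
Resolution: 200dpi
Password: 1234

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="scan.docm"

AAAA
--b1--
"""

def triage(raw, my_domain):
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    signs = []
    from_dom = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    env_dom = parseaddr(str(msg["Return-Path"] or ""))[1].rpartition("@")[2].lower()
    if from_dom == my_domain and env_dom and env_dom != from_dom:
        signs.append("envelope-mismatch")  # visible From is ours, bounce address is not
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":  # any result other than pass
            signs.append(f"{check}-{m.group(1).lower()}")
    body = msg.get_body(preferencelist=("plain",))
    if body and re.search(r"(?i)\bpassword\b", body.get_content()):
        signs.append("password-in-body")  # unlock password mailed with the file
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith((".docm", ".xlsm", ".pptm")):
            signs.append("macro-attachment")  # macro-enabled Office file
    return signs
```

Only count an `Authentication-Results` header that your own mail server added; one supplied by the sender proves nothing.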