Malicious email with a resume attached

Lately there has been a push of phishing emails containing malicious resumes. Sometimes they are sent to people in human resources (HR), job placement personnel, hiring managers, etc., but there are times when the same emails have been sent to ordinary people who are not involved in the hiring process. In this instance, the email recipient didn’t pay attention to the warning signs and ended up being infected with ransomware. We will go through the email and point out the warning signs that should have alerted the recipient to its malicious intent.

A lot of people know to ignore unsolicited emails with suspicious attachments, but is a resume considered a “suspicious” attachment? It should be if it is sent from someone you don’t know, yet people still open them. Here are some screenshots of such a phishing email, with some warning signs to look for.

Here is the email the recipient received:

The main warning sign is the use of a password. There’s no reason someone would password-protect their resume, especially if they were sending it to someone they thought would help get them a job.

When the recipient attempted to open the attachment, they were presented with a password prompt.

Again, having to enter a password for an attachment, especially a resume from someone you don't know, is a clear warning sign that something isn’t right.

After typing the password, the recipient was presented with the following.

There's no reason to enable macros in a resume, so this is yet another warning sign for the recipient.

The recipient enabled macros and ended up being infected with ransomware. They were presented with the following screen.

Everyone in the security industry, government agencies, etc., recommends that you NEVER pay the ransom. Among other reasons, paying will possibly make you a bigger target in the future, and there are times when the decryption key doesn't work to unlock the files.

The best defense against ransomware is to have good backups and, of course, to be cautious about opening attachments or clicking links in unsolicited emails, especially emails that show warning signs of malicious intent.
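
The two attachment warning signs described above, password protection and macros, can also be flagged automatically during mail triage. The following Python is an added example, not part of the original post; it assumes the attachment is a Microsoft Office file, uses byte-level heuristics only (it does not cover password-protected legacy `.doc` files), and its function names and sample inputs are constructed for illustration.

```python
import io
import zipfile
from typing import List

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header
ZIP_MAGIC = b"PK\x03\x04"                      # unencrypted OOXML is a ZIP


def _utf16(name: str) -> bytes:
    return name.encode("utf-16-le")  # OLE stream names are stored as UTF-16LE


def attachment_warning_signs(data: bytes) -> List[str]:
    """Heuristic flags for an Office attachment, from its raw bytes only."""
    flags = []
    if data.startswith(OLE_MAGIC):
        # A password-protected OOXML file is wrapped in an OLE container with
        # an EncryptedPackage stream; its contents cannot be inspected for
        # macros without the password, so this flag alone warrants review.
        if _utf16("EncryptedPackage") in data:
            flags.append("password-protected")
        # Legacy binary formats (.doc/.xls) with VBA have a _VBA_PROJECT stream.
        if _utf16("_VBA_PROJECT") in data:
            flags.append("macros")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return ["malformed"]
        if any(n.endswith("vbaproject.bin") for n in names):
            flags.append("macros")
    return flags


def constructed_sample(kind: str) -> bytes:
    """Constructed test inputs (not real documents)."""
    if kind == "encrypted":
        return OLE_MAGIC + b"\x00" * 504 + _utf16("EncryptedPackage")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if kind == "macro":
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("encrypted", "macro", "clean"):
        print(kind, attachment_warning_signs(constructed_sample(kind)))
```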