Image Source: Trellix
In these malware campaigns, threat actors impersonate Microsoft, SecureFilePro (a secure client file exchange for tax preparers and their clients), and a purported “Bookings Manager.” The messages use subject lines containing keywords such as Microsoft 365 Business basic invoice, file upload notification, booking notice, and accounting bookings. They contain a link or ZIP attachment that leads to a JavaScript file. If executed, the JavaScript file runs a PowerShell script to install XWorm.

Recommendations
- Exercise caution with unexpected or unsolicited communications.
- Confirm requests from senders using contact information obtained from verified and official sources before taking any action, such as clicking links or opening attachments.
- Navigate directly to official and verified websites by typing the legitimate URL into the browser rather than clicking on links in messages.
- Keep systems and browsers up to date.
- Report phishing emails and other malicious cyber activity to the NJCCIC and the FBI's IC3.
