Warn Your Staff about This Malicious Email

Be on guard — a fake security email is making the rounds. Disguised as an email from Microsoft, this phishing email is deceiving people into infecting their computers with a bot called Neutrino. This bot enables cybercriminals to take control of the infected machines. The hackers then use the machines for various malicious activities, such as stealing credentials and data. The bot runs in the background processes of the computer and has no obvious visual symptoms, so the victims are usually unaware of its presence.

To avoid having your computers infected with the Neutrino bot, you need to let employees know about the fake security email. Plus, there are other measures you can take to protect your business against this attack, such as educating employees about phishing emails and changing a security setting.

Let Employees Know about the Email

Warning your employees about the fake security email is an important step in preventing a Neutrino bot infection. This phishing email is from Benedict Brown of the Microsoft Security Office, a department that exists only in the hackers’ imagination. The email informs recipients that their bank accounts (and the payment cards associated with them) have been blocked due to “suspicious requests and data packages” originating from their computers. It then offers a possible reason for the suspicious activity — their computer might be infected with a virus.

The recipients are encouraged to download a report that contains more information about the suspicious activity as well as security tips that they can follow to “unblock” their bank accounts. To get this report, all they have to do is click a link that allegedly connects to an official server at Microsoft. However, if they do so, they end up downloading a Microsoft Word document from the cybercriminals’ server.

The downloaded document contains a malicious macro. If macros are enabled, the Neutrino bot code will be downloaded and installed. Once a computer is infected, it becomes part of a botnet, which is a large group of infected machines under the hackers’ control. Periodically, the Neutrino bot checks the hackers’ server for instructions. For example, the cybercriminals might tell the bots to grab credentials from web browser forms, capture keystrokes, or take screenshots of the victims’ computer screens. Alternatively, they might instruct the bots to carry out a distributed denial of service (DDoS) attack.

Educate Employees about Phishing Emails

Besides letting employees know about the fake security email, you should educate employees about the common elements found in phishing emails. For instance, the email spreading the Neutrino bot contains several telltale signs that it is a phishing scam:

  • Suspicious email address: Although the email is supposedly from Microsoft, the email address in the “From” field ends in “.kz”, which means it was sent from Kazakhstan.
  • Scare tactics: The email tries to scare the recipients into clicking a link by telling them their bank accounts have been blocked and their computers might be infected with a virus.
  • Grammatical errors: The message contains grammatical errors, such as “That is why I am contacting you in such a case.”

By teaching employees about the common elements, they will be more prepared to spot phishing emails in the future.

Make Sure Macros Stay Disabled

The Neutrino bot relies on people running the macro in the Word document. Therein lies another opportunity to prevent an infection.

By default, the macro security setting in Word 2007 and later versions is “Disable all macros with notification”. When this setting is selected and a document contains a macro, the macro is automatically disabled. However, users are notified of this action and given an option to enable it. You can stop this notification and option from appearing by changing the setting to “Disable all macros without notification”. That way, employees cannot inadvertently unleash the Neutrino bot or any other malicious code hidden in macros.

If your computers are running Word 2016 and your organization uses Group Policy, you have another way to prevent macros from running. You can take advantage of a macro blocking feature that Microsoft introduced in that version.

Prevention Is Paramount

It is hard to determine when computers are infected with the Neutrino bot because it is designed to run in the background. A few minor issues might pop up (e.g., a slow Internet connection at times), but there won’t be a glaring problem that points to an infection. For this reason, prevention is paramount. We can analyze your security systems and offer detailed recommendations on how to protect your business against this threat.