A well-planned phishing scheme is targeting industrial suppliers by posing as Boeing procurement officials. The attack uses a weaponized Word document to carry out a complicated six-step kill chain.
The campaign is tracked as "NKFZ5966PURCHASE" and starts with an ordinary-looking DOCX file. Although it is technically advanced, the operators made significant operational security (OPSEC) mistakes. The attackers are lazy, reusing the same systems and settings over and over again. Because they rely on a single file-sharing platform and static campaign tags, their activity is easy to track.
Many payload URLs remain live on Filemail, so blocking that service at the network level is a top priority for defenders. The attacks also show that the template was built in 2021, meaning they are using a toolkit that is five years old.
They also used anti-forensic tricks to confuse researchers, such as changing file timestamps to 2045 and mislabeling encryption keys. They did not clean up the metadata in the lure documents, however, so traces of the names "Christian Booc" and "John" remain. The attackers use a Cobalt Strike beacon and evade traditional antivirus software with advanced methods.
They use an old but effective method called "aFChunk" to hide a 4MB RTF file inside the document itself. Most email gateways do not inspect the top-level structure of DOCX files when scanning for harmful content.
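The embedding described above relies on the OOXML `<w:altChunk>` element, whose relationship type ends in `/aFChunk`; Word imports the referenced part (here an RTF file) when the document opens. The scanner below is an added example, not code from the article or the campaign, and it builds its own constructed DOCX with a placeholder RTF chunk so it can be run offline.

```python
# Added example: list every altChunk in a DOCX and flag RTF payloads, so a mail
# gateway or triage script can catch the embedding the article describes.
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PR_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_alt_chunks(docx_bytes: bytes) -> list:
    """Return one record per <w:altChunk>: relationship id, target part, size, RTF flag."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/document.xml" not in names:
            return findings  # not a Word package
        doc = ET.fromstring(z.read("word/document.xml"))
        rels = {}  # relationship id -> target part, from document.xml.rels
        if "word/_rels/document.xml.rels" in names:
            rel_root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
            for rel in rel_root.findall(f"{{{PR_NS}}}Relationship"):
                rels[rel.get("Id")] = rel.get("Target")
        for chunk in doc.iter(f"{{{W_NS}}}altChunk"):
            rid = chunk.get(f"{{{R_NS}}}id")
            target = rels.get(rid, "")
            part = "word/" + target  # assumes a package-relative target, as Word writes it
            data = z.read(part) if part in names else b""
            findings.append({"rid": rid, "target": target, "size": len(data),
                             "is_rtf": data.lstrip().startswith(b"{\\rtf")})
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal DOCX (not a real sample) with one RTF altChunk, to exercise the scanner."""
    document_xml = (f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body>'
                    '<w:p><w:r><w:t>Purchase order</w:t></w:r></w:p>'
                    '<w:altChunk r:id="rId7"/></w:body></w:document>')
    rels_xml = (f'<Relationships xmlns="{PR_NS}"><Relationship Id="rId7" '
                f'Type="{R_NS}/aFChunk" Target="chunk.rtf"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        z.writestr("word/chunk.rtf", b"{\\rtf1\\ansi Placeholder RTF body}")
    return buf.getvalue()
```

Running `find_alt_chunks(build_sample_docx())` reports the single chunk with `is_rtf` set; on a real attachment, any altChunk whose target is RTF or whose size is far larger than the visible document is worth quarantining for analysis.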