Are you hiring?  Should you worry about clicking on an attachment of a job candidate because it might contain a virus or other type of malware?

Yes, you should.

First reported by Barracuda in a blog post about six weeks ago it appears criminals are expanding their efforts to use the growth of your company against you.  They send attractive resumes as bait for companies looking for great job candidates.

The threat is called an advanced persistent threat (“APT”).  According to Wikipedia, it is “a set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.  An APT usually targets either private organizations, states or both for business or political motives.”


In their blog post, Barracuda shared that one of their customers received five resumes that contained an Advanced Persistent Threat (APT) in late 2016.  It only takes one APT to compromise your credibility, bring down your entire network, or even steal billions of dollars.

The scary thing is the files containing the malicious macro APT were .doc, typically trusted Microsoft Word files that are common for resumes.

Intronis reported one of their partners had a client’s HR manager opened a resume that he believed to be from a prospective job seeker.  The document opened up blank.  Shortly thereafter, his computer was affected by a CryptoLocker variant that encrypted his hard drive contents.  Fortunately, they were able to restore all documents and files from backup, but they had to complete a full system rebuild.

What Happens

The Barracuda example is quite fascinating, if you are not the victim.  They explain it in simple terms below:

Upon detonating the file, the macro executed highly malicious activity.  The macro immediately:

  1. Downloaded and executed a visual basic script
  2. Imported external functions from the web and ran them
  3. Spawned a shell
  4. Connected to a remote server
  5. Actively began work to evade the computer’s built-in anti-virus

Each one of the attacks originated from a different email, and each one of them targeted a different employee.  Two of the employees were administrative assistants, one was in accounting, and two others were in general administration.

This follows a pattern where hackers don’t necessarily need to infiltrate sensitive accounts, such as those belonging to senior executives in the company or someone in IT.

Instead, they seek to infiltrate the “weakest link” in the company in terms of security, and unsuspecting users typically fit that bill perfectly. After they infect an account or an endpoint, they typically proceed to infiltrate the rest of the organization from within, quietly before anyone ever realizes.

These are two typical modes of operation:

  • After infecting one of the accounts (e.g., with a resume attack), they will then send a new threat to a different account using the email of the original employee infected.

(2) They infect an account and track who in the company oversees wire transfers, invoices, and so forth.  Then they will use that information to launch a targeted spear phishing attack.

The emails were written casually with a friendly manner, and were designed to impersonate a colleague asking another colleague about their opinion about a resume.  Seems innocent enough, yes?

In all cases, the email was opened by the employee because they mistakenly thought it was a legitimate resume that was sent to them.

This threat underscores the importance of always following best practices when dealing with email.  For example:

  • Do not click on any links in email. Type the address directly into your browser.
  • Do not open suspicious attachments, even if they seem to be from someone you trust.
  • Keep endpoint antivirus, patches, and other software updated.
  • Do not reveal sensitive personal or company information in email.
  • If you aren’t sure of whether an email is legitimate, verify by contacting the company or person directly on the phone, or through legitimate communications you have previously received from that company. (Not email.)

WHAT TO DO NOW:  In an ideal world your network and individual computer systems would be protected from any virus or malware.

However, if you haven’t noticed, we do not live in a perfect world.

We offer the most comprehensive security protection available, however there are thousands of new viruses created daily.  Therefore your organization needs the best security, but also your people have to be trained how to avoid clicking where they should not.

Is your company secure?  Find out at no cost and without interrupting your much of your day.  For a limited time you can schedule a no cost, no obligation network security assessment from us today.

It is better to assess your security BEFORE there is a break-in.