Beware malicious invoices spammed out via email


It’s been over 20 years since the first Word macro virus reared its ugly head and pulled the carpet from underneath the feet of computer users worldwide.

Up until then, it was pretty easy to know what to look out for – executable files (normally .EXE or .COM) and floppy disk boot sectors.

But macro viruses changed all that, infecting the templates inside Microsoft Office files – Word documents, Excel spreadsheets and PowerPoint presentations – where Microsoft had, rather unhelpfully from the security point of view, incorporated a macro language that could execute instructions.

And, of course, computer users were much more used to having Word documents and even (in some cases) spreadsheets sent to them via email than they were .EXE files, and so the opportunities for malware to spread successfully grew significantly.

Well, one thing I have learnt from my years in the computer security industry is that if the criminals find a technique that works, they put it to good use. And so, many years after macro viruses first caused problems, they continue to blight users’ systems today.

I was reminded of that fact at the end of last week and over the weekend when I found multiple samples in my inbox of a few malware campaigns that had been spammed out in the form of malicious Word documents.

Here are some typical examples of what they looked like.


Dear Valued Customer,

We are very grateful for your purchase. The specified sum of $453,71 was paid and now your order is being processed by our company.

Delivery information and the invoice can be found in the attached file.

Thank you!

Eddie Mathews
Sales Manager

In this case the email is using some fairly simple social engineering in an attempt to trick the recipient into opening a dangerous file. The criminals hope that people will be curious to know what company has charged the hundreds of dollars for an unknown product that they never ordered – and open the attachment without properly thinking of the consequences.

Bitdefender security products detect the malicious attachment as W97M.Downloader.AXE.

The criminals use a similar disguise in another malware campaign:


Dear brigitte ,

Scanned invoice in Microsoft Word format has been attached to this email.

Thank you!

Monique Wall
Sales Manager

Bitdefender security products detect this attack too, as W97M.Downloader.AXV.

In both examples, the emails disguise themselves as emailed invoices.

Sure, maybe you are savvy enough not to fall for such schemes – but chances are that you know people (perhaps elderly relatives or less clued-up friends) who might almost instantly rush to click on the attachment without thinking of the consequences.

In both cases, the poisoned Word document file attempts to download further malicious code from the internet, designed to infect your computer.

Ensuring that you do not enable macros when opening a Word document is one defence against attacks like this, but the best protection is to not open unsolicited Word documents in the first place – as you don’t know if they might have malicious code embedded inside them or if they will attempt to exploit a vulnerability in order to infect your PC.
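For mail administrators who want to catch such attachments before a user ever sees the macro prompt, here is an added example (not part of the original article) that parses a raw email and flags Word attachments carrying a VBA project. The function names and the sample message are constructed for illustration; the sample contains only marker structures, not real malware.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container
# OLE directory names are UTF-16LE; a VBA project always has this stream.
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")

def has_macros(data: bytes) -> bool:
    """Decide on content, not extension, so a renamed macro file is caught."""
    if data.startswith(OLE_MAGIC):
        return VBA_STREAM in data  # heuristic, not a full OLE parse
    if data.startswith(b"PK\x03\x04"):  # .docx/.docm are ZIP archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def flag_attachments(raw_message: bytes) -> list:
    """Return the filenames of attachments that contain a VBA project."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()
            if has_macros(p.get_payload(decode=True) or b"")]

def _zip(names):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in names:
            z.writestr(name, b"constructed placeholder")
    return buf.getvalue()

def build_sample() -> bytes:
    """Constructed test message: three attachments, two with macro markers."""
    m = EmailMessage()
    m.set_content("Scanned invoice in Microsoft Word format has been attached.")
    for name, blob in [
        ("invoice.doc", _zip(["word/document.xml", "word/vbaProject.bin"])),
        ("clean.docx", _zip(["word/document.xml"])),
        ("legacy.doc", OLE_MAGIC + b"\x00" * 64 + VBA_STREAM),
    ]:
        m.add_attachment(blob, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    print(flag_attachments(build_sample()))
```

A hit means a VBA project is present, not that it is malicious, and the OLE branch is a byte-pattern heuristic, so a full container parser is the better choice for production filtering.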

In the past 20+ years we have seen many more sophisticated malware attacks, but the simple truth is that in many cases malware hasn’t had to evolve that much. Old tricks like this still work very effectively and because the typical computer user is still slow to learn how to defend themselves, the online criminals continue to infect PCs, steal information and hijack systems.

Like I said, these malware campaigns arrived in my inbox a couple of days ago. Although Bitdefender intercepts the infection before your computer is compromised, a quick scan of the file on VirusTotal suggests that some up-to-date products from other vendors are still failing to identify the malware.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


  • I remember when the I Love You malware first arrived. Was visiting a sister site walking around with my oppo, when one of the secretaries pulled him over regarding an attachment that just opened in Notepad and displayed what she described as gobbledygook. Turned out to be the VBS code for the malware, as Windows Scripting Host wasn’t installed. When pressed on why she was opening attachments from unknown sources, she replied “I wanted to see who it was that loved me!”.

  • Dear Graham,
    I used to talk to you when I was at the Guardian and you were at Sophos. I have been receiving these emails for ages now – sometimes as many as eight (all the same) in one go.
    They all defeat spam filters by hitting email addresses which then forward onwards.
    So I am a director of London Cycling Campaign and almost all of this spam comes via that. Spam filters see my lcc address and conclude it is fine. Otherwise, I would lose my legitimate mail. I am not too worried about these as I run my main computer on Ubuntu. But I do have concerns about their effect on my Android phone and tablets.
    Best wishes

  • I never open an unfamiliar sender's email + as a result of finding this website I now Bitdefender 2016. It updates daily & promptly blocks dodgy sites and attachments.