Fake Word Phishing Exploits Trusted Remote‑Access Tools, Exposing Enterprise Blind Spot
What Happened – Attackers sent malicious Microsoft Word documents that masqueraded as legitimate business communications. The documents leveraged trusted remote‑access utilities (e.g., AnyDesk, TeamViewer) to bypass perimeter defenses and harvest credentials.
Why It Matters for TPRM –
- Remote‑access vendors are often “trusted” in third‑party contracts, creating a blind spot when they are abused for credential theft.
- Phishing attacks that piggy‑back on legitimate tools can evade traditional email‑security controls, increasing supply‑chain risk.
- Compromise of remote‑access credentials can lead to lateral movement across multiple vendor environments.
Who Is Affected – Enterprises across all sectors that allow remote‑access SaaS tools for staff or third‑party support (technology, finance, healthcare, manufacturing, etc.).
Recommended Actions –
- Review all remote‑access vendor contracts for MFA, least‑privilege, and session‑logging requirements.
- Enforce strict email‑attachment scanning and user training focused on “trusted‑tool” phishing.
- Conduct periodic credential‑rotation and audit remote‑access session logs for anomalous activity.
Technical Notes – The campaign used a weaponized Word macro that invoked a legitimate remote‑access client’s URL scheme (e.g., anydesk://). No new CVE was disclosed; the abuse hinges on user interaction and existing trust relationships. Data at risk includes privileged credentials and internal network topology. Source: HackRead