Cybercriminals Use Grammarly to Perfect Phishing Docs: A Hilarious Irony or Just Coincidence?
Threat actors are leveraging the CrowdStrike outage for social engineering, embedding malicious VBA code in Word documents. Remarkably, a custom GrammarlyDocumentId appears in these files. Are cybercriminals using Grammarly for polished phishing? Not quite. It seems they’re just recycling old documents. But hey, even malware deserves good grammar!

Hot Take:
So, cybercriminals might be grammar nerds now? Or maybe they’re just recycling old essays for their latest phishing scams. Either way, they’ve got a way with words and malware!
Key Points:
- Discovery of a malicious Word document (.ASD file) using the CrowdStrike outage as bait.
- Document metadata reveals the presence of a GrammarlyDocumentId, hinting at Grammarly’s potential involvement.
- Comparison with CrowdStrike’s maldoc shows identical VBA code and fake certificate download.
- Evidence suggests threat actors are quick to react, with the document created shortly after CrowdStrike’s faulty update.
- No solid proof that Grammarly was used to correct texts; could be the result of reusing an old document.
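
A way to check the metadata points above during triage, as an added example that is not from the original analysis: it lists custom properties such as GrammarlyDocumentId and the creation timestamp. It assumes the sample is an OOXML (ZIP) package with the standard `docProps/custom.xml` and `docProps/core.xml` parts, which the page does not state; the sample built here is constructed and its id and timestamp are placeholders.

```python
import io, zipfile
import xml.etree.ElementTree as ET

# Assumption: the sample is an OOXML (ZIP) package with standard docProps parts.
CUSTOM_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/custom-properties}"
DCTERMS_NS = "{http://purl.org/dc/terms/}"

def _parse(xml: bytes) -> ET.Element:
    # Metadata parts never need a DTD; refuse one rather than expand entities.
    if b"<!DOCTYPE" in xml:
        raise ValueError("DOCTYPE in metadata part")
    return ET.fromstring(xml)

def read_metadata(data: bytes) -> dict:
    """Return custom properties and the creation timestamp of a package."""
    meta = {"custom": {}, "created": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/custom.xml" in names:
            for prop in _parse(z.read("docProps/custom.xml")).iter(CUSTOM_NS + "property"):
                value = next(iter(prop), None)  # typed child, e.g. vt:lpwstr
                meta["custom"][prop.get("name")] = None if value is None else value.text
        if "docProps/core.xml" in names:
            created = _parse(z.read("docProps/core.xml")).find(DCTERMS_NS + "created")
            meta["created"] = None if created is None else created.text
    return meta

def build_sample() -> bytes:
    """Constructed package for the demo; id and timestamp are placeholders."""
    custom = (
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
        'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="GrammarlyDocumentId">'
        '<vt:lpwstr>PLACEHOLDER-ID</vt:lpwstr></property></Properties>')
    core = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dcterms="http://purl.org/dc/terms/">'
        '<dcterms:created>2000-01-01T00:00:00Z</dcterms:created></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/custom.xml", custom)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    print(read_metadata(build_sample()))
```

A custom property left by an editing tool alongside a recent creation timestamp is consistent with either explanation on this page, so treat it as a lead for clustering related documents rather than proof of how the text was written.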