Cybercriminals Use Grammarly to Perfect Phishing Docs: A Hilarious Irony or Just Coincidence?

Threat actors are leveraging the CrowdStrike outage for social engineering, embedding malicious VBA code in Word documents. Remarkably, a custom GrammarlyDocumentId appears in these files. Are cybercriminals using Grammarly for polished phishing? Not quite. It seems they’re just recycling old documents. But hey, even malware deserves good grammar!

1P
Published: July 29, 2024 12:33 amAdded: July 28, 2024 at 5:50 pmAssembled by: The Editor
Pro Dashboard

Hot Take:

So, cybercriminals might be grammar nerds now? Or maybe they’re just recycling old essays for their latest phishing scams. Either way, they’ve got a way with words and malware!

Key Points:

  • Discovery of a malicious Word document (.ASD file) using CrowdStrike outage as bait.
  • Document metadata reveals the presence of a GrammarlyDocumentId, hinting at Grammarly’s potential involvement.
  • Comparison with CrowdStrike’s maldoc shows identical VBA code and fake certificate download.
  • Evidence suggests threat actors are quick to react, with the document created shortly after CrowdStrike’s faulty update.
  • No solid proof that Grammarly was used to correct texts; could be the result of reusing an old document.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?