Hackers exploit corrupted ZIP and Office files to bypass email security
Farah Amod
July 22, 2025
A phishing campaign is using damaged file attachments to sidestep antivirus and spam filters, allowing malicious emails to reach users undetected.
What happened
Security researchers at ANY.RUN have identified an active phishing campaign that uses intentionally corrupted Microsoft Office documents and ZIP archives to evade detection. These files are structured so that antivirus software, email gateways, and Outlook spam filters fail to scan or flag them.
The attachments are distributed through emails containing fake messages about employee benefits or bonuses. Though the files are corrupted, they are designed to open successfully thanks to built-in recovery functions in tools like Microsoft Word, Outlook, and WinRAR.
Going deeper
The corrupted files bypass scanning by remaining unreadable to most email security tools and sandbox environments. However, once opened by the user, applications like Word or WinRAR attempt to “recover” the content, allowing the embedded malicious payload to activate.
In this campaign, the payload typically takes the form of embedded QR codes. When scanned, these codes lead to malware-infected websites or spoofed login pages intended for credential theft.
ANY.RUN reports that this technique has been in use since at least August 2024. It may represent a zero-day or, at minimum, a widely unaddressed detection gap. Because the corrupted files technically still operate within the normal behavior of operating systems, they remain invisible to many conventional security systems.
What was said
ANY.RUN outlined the novelty of the technique in a series of public posts, noting: “The file remains undetectable by security tools, yet user applications handle it seamlessly due to built-in recovery mechanisms exploited by attackers.”
They warned that these attacks are not just slipping past filters, but also taking advantage of how common software attempts to repair or open damaged files.
The big picture
The campaign shows how phishing tactics are shifting toward techniques that exploit standard software behaviors rather than relying on obvious file-based threats. In this case, attackers used file recovery features to deliver malicious content in a way that avoids triggering traditional alerts. To reduce exposure, organizations may need to update detection rules and review how ZIP and Office attachments are handled, as these formats continue to be used for stealthy delivery methods.
FAQs
Why are corrupted files harder for antivirus tools to detect?
Many antivirus programs rely on parsing the file structure to scan the contents. Corrupted files may not be fully readable, causing the scan to fail or be skipped.
How do QR codes fit into this phishing technique?
Instead of relying on links or macros, attackers embed QR codes in the document, prompting users to scan them with their phones, bypassing desktop-based defenses.
Can recovery modes in Office and WinRAR be disabled?
Not easily. These recovery features are designed to help users retrieve information from damaged files and are not typically configurable from a security perspective.
What security tools are effective against this type of attack?
Advanced threat protection solutions that analyze file behavior post-execution or perform heuristic analysis may be better suited to detect such threats.
What can organizations do to reduce risk from these types of attacks?
User awareness training, blocking ZIP/Office attachments from unknown sources, and using email filtering tools that analyze file metadata and behavior can help mitigate the threat.
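The two FAQ answers above describe the gap (a scanner that cannot parse an attachment skips it) and the fix (filtering that looks at file structure rather than giving up on it). As an added illustration, not code from Paubox or ANY.RUN, the following Python check treats a ZIP or OOXML attachment that fails to parse as a reason to quarantine rather than a reason to stop scanning. The extension list, return labels and the constructed sample archive are assumptions made for the demo.

```python
import io
import zipfile
import zlib

ARCHIVE_EXTS = {"zip", "docx", "xlsx", "pptx"}  # OOXML Office files are ZIP containers

def classify_attachment(filename: str, data: bytes) -> str:
    """Classify by how the declared ZIP/OOXML container parses:
    "not-archive" (declared type is not ZIP-based), "corrupt-zip" (central
    directory unreadable), "bad-member" (a member fails CRC-32/decompression),
    or "parsed". A parse failure is a signal to hold the file, not to skip it."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in ARCHIVE_EXTS:
        return "not-archive"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "corrupt-zip"
    with zf:
        try:
            bad = zf.testzip()  # re-reads every member and checks its CRC-32
        except (zipfile.BadZipFile, zlib.error):
            return "bad-member"
    return "bad-member" if bad is not None else "parsed"

def should_quarantine(filename: str, data: bytes) -> bool:
    """Fail closed: a file that claims to be ZIP/Office but will not parse is held."""
    return classify_attachment(filename, data) in {"corrupt-zip", "bad-member"}

def build_sample_docx() -> bytes:
    """Constructed fixture: minimal OOXML-style archive, stored uncompressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>benefits notice</w:document>")
    return buf.getvalue()

def drop_central_directory(data: bytes) -> bytes:
    """Constructed fixture: cut the file before the end-of-central-directory record."""
    return data[: data.rfind(b"PK\x05\x06")]

def corrupt_member(data: bytes) -> bytes:
    """Constructed fixture: change one byte of a stored member so its CRC-32 mismatches."""
    return data.replace(b"benefits notice", b"benefitz notice", 1)

if __name__ == "__main__":
    good = build_sample_docx()
    for label, blob in [("intact", good), ("truncated", drop_central_directory(good)),
                        ("crc-mismatch", corrupt_member(good))]:
        print(label, classify_attachment("bonus.docx", blob), should_quarantine("bonus.docx", blob))
```

A real gateway would hand quarantined files to a sandbox or analyst rather than passing them through, which is the behaviour the campaign relies on being absent.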