Corrupted Microsoft Office documents and archive files have been used to evade detection in a recent phishing campaign, according to ANY.RUN.

The files are intentionally corrupted to prevent scanning by email filters and antivirus software, and to prevent them from launching properly in sandbox environments, according to ANY.RUN. However, the files can still be recovered and read when launched with specific software such as Microsoft Word for DOCX files and WinRAR for ZIP archives.

“This is a new and interesting way to bypass content-filtering security defenses. I’ve been in cybersecurity for over 36 years and I don’t remember this tactic before,” noted Roger Grimes, data-driven defense evangelist at KnowBe4, in an email to SC Media. “The scammers not only had to make a corrupt document that would stymie content-filters, but ensure that the corruption was minor enough that Word would always be able to recover it.”

The campaign has been active since at least August 2024, and uses QR codes in documents to spread links to phishing websites disguised as Microsoft account login pages. In examples posted by ANY.RUN, the documents have been attached to emails mean to look like notices from human resources regarding the target’s salary or employment benefits.