At the RSA security conference today, Google offered a rare look into the kinds of malicious attachments hackers will send to Gmail users. It turns out Microsoft Office documents secretly rigged to download malware are in vogue.

In recent weeks, about 56 percent of the malicious attachments detected and blocked by Gmail’s filters have been Microsoft Office documents, according to Google’s anti-abuse research leader, Elie Bursztein.

These malicious Office documents can often contain “macros,” or series of automated commands in the file. If you enable the macros, the malicious document will be able to download and execute the hacker’s desired malware.

The remaining 44 percent of the malicious documents Google will block include Adobe PDF documents, archived files, and HTML-based documents, among others. (By default, Gmail will also prevent users from attaching .exe programs and Javascript files to email messages.)

During his presentation, Bursztein also supplied a snapshot of the organizations and countries most frequently targeted with the malicious documents. To no one's surprise, the attacks most often target government organizations. Industries involved in transportation, utilities, and manufacturing are frequent targets as well.

Curiously, Norway was the top country targeted by the malicious documents, followed by the UK, Finland, and the US. Bursztein said he didn’t have any evidence to explain why. However, the snapshots he supplied only pertained to Gmail messages sent in recent weeks, and don’t reflect a yearly, or long-term historical trend.

However, one trend that has remained consistent is how the hackers are constantly modifying their harmful attachments. Currently, about 63 percent of the malicious documents Google blocks will technically be different from all previous bad attachments encountered, he added.

That all said, the tweaks can be small. The hackers will often end up changing a few lines of text or code to try and evade the anti-spam and malware filters Gmail and other email services use to catch phishing messages. But despite the modifications, the malicious attachments will rely on the same overarching attacks.

So who’s behind all these malicious emails? Bursztein blamed part of the problem on hacker-developed “phishing kits,” which can automate the whole process of sending a massive volume of spam email messages to victims across the internet. The same services will let buyers package the emails with malicious files, including ransomware. Access to such kits can be sold for $400 to $5,000 in hacker forums, Bursztein said.

The good news is that Google says it blocks more than 99.9 percent of the spam and phishing messages that target Gmail users. Nevertheless, the company is scanning 300 billion attachments each week, so missing a small percentage of malicious emails can still pose a danger to numerous Gmail users.

At the same time, the hackers —especially cyberspies from governments— are constantly upgrading their attacks with new techniques to evade Google’s anti-spam filters. However, the company has found a promising way to fight back; it’s been experimenting with a new AI-powered scanner to more closely analyze documents for any potential malicious behavior. The scanner will go as far as extracting the macros and other suspicious features from an Office document to deduce whether the file may be malicious.

“Since the new scanner launched at the end of 2019, we have increased our daily detection coverage of Office documents that contain malicious scripts by 10 percent,” Bursztein wrote in a Google security blog post on the same day. In some cases, the detection rate can rise to more than 150 percent, he added.

For now, the new AI-powered malicious document scanner will forward any flagged emails to your spam folder. All other blocked emails with the malicious attachments are immediately purged, preventing them from ever ending up in your email inbox.

Further Reading

Security Reviews