Phishing Campaign Exploits Fake Word Documents and Trusted Remote Access Tools

Researchers at ANY.RUN identified a phishing campaign exploiting fake Microsoft Word documents to bypass enterprise security controls by leveraging trusted remote access tools. The attack begins with a malicious Word file delivered via email, which executes a payload when opened, establishing persistence through legitimate remote administration software like AnyDesk or TeamViewer. The campaign targets organizations by abusing these tools’ inherent trust within corporate networks, evading detection by security operations centers (SOCs). No specific CVE IDs, victim counts, or geographic targeting details were disclosed. The threat highlights a blind spot in enterprise defenses where trusted applications are weaponized for initial access. Impact includes potential data exfiltration, lateral movement, and further malware deployment.