
Microsoft Outlook Targeted by New Gamaredon Threat Tactic

The Gamaredon threat group has debuted a new phishing attack that targets Microsoft Outlook through the platform’s contacts.


Gamaredon is a threat group that has created a new VBA macro to attack users by accessing their contacts. According to researchers, a new version of the Gamaredon post-compromise toolset can create a new type of threat.

Specifically, the threat group has added a new Visual Basic for Applications (VBA) macro to the toolkit. This allows bad actors to enter Outlook accounts through spear-phishing campaigns sent to user contacts.

Of course, a spear-phishing campaign conducted through email is hardly anything new. However, security teams say this method of compromising an inbox is the first public example of an attack that combines an Outlook macro with an OTM file.

If you're unfamiliar with OTM, it is a file that stores macros for Microsoft Outlook.

“In the last few months, there has been an increase in activity from this group, with constant waves of malicious emails hitting their targets' mailboxes,” according to Jean-Ian Boutin, senior malware researcher with ESET, in a Thursday analysis. “The attachments to these emails are documents with malicious macros that, when executed, try to download a multitude of different malware variants.”

Attack Method

Attackers can target users through emails that have attachments. Like most phishing attacks, this involves a legitimate-looking email that tricks users into clicking a link. When an Outlook user is compromised by the attack, the bad actor can send malicious code in a 7z self-extracting archive.

This malicious code runs the VBScript that ends the Outlook process and removes security protections from the VBA macro. An infected OTM file is then placed onto the device storage. Attackers can then use this access to send emails to contacts in the victim's Outlook.

Like the initial attack, the email sent to other contacts also contains an attachment with malicious code. Because the email comes from a seemingly legitimate contact, the recipient may be more likely to open the link.
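For defenders, the three steps described above (Outlook is ended, macro protections are removed, an OTM file is written) can be correlated per host. The sketch below is an added example, not code from the article or from ESET. The event schema, host names and sample events are constructed, and the registry path and OTM location are assumptions about a default Outlook install rather than details given in the article.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window
STAGES = {"kill_outlook", "weaken_macro_security", "drop_otm"}

# Constructed telemetry: (timestamp, host, event type, acting process, target).
SAMPLE_EVENTS = [
    # ws-01: a script host performs all three steps within seconds
    ("2020-01-01T09:00:01", "ws-01", "process_terminate", "wscript.exe", "OUTLOOK.EXE"),
    ("2020-01-01T09:00:02", "ws-01", "registry_set", "wscript.exe",
     r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level"),
    ("2020-01-01T09:00:03", "ws-01", "file_write", "wscript.exe",
     r"C:\Users\a\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"),
    # ws-02: Outlook saving the user's own macro project (benign)
    ("2020-01-01T10:00:00", "ws-02", "file_write", "OUTLOOK.EXE",
     r"C:\Users\b\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"),
    # ws-03: the same three steps, but hours apart, so not one chain
    ("2020-01-01T08:00:00", "ws-03", "process_terminate", "taskkill.exe", "OUTLOOK.EXE"),
    ("2020-01-01T12:00:00", "ws-03", "registry_set", "reg.exe",
     r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level"),
    ("2020-01-01T12:00:30", "ws-03", "file_write", "cmd.exe",
     r"C:\Users\c\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"),
]

def stage_of(kind, actor, target):
    """Map one event to a step of the chain, or None if it is unrelated."""
    target = target.lower()
    if actor.lower() == "outlook.exe":  # Outlook touching its own files is expected
        return None
    if kind == "process_terminate" and target == "outlook.exe":
        return "kill_outlook"
    if kind == "registry_set" and "\\outlook\\security" in target:
        return "weaken_macro_security"
    if kind == "file_write" and target.endswith("\\vbaproject.otm"):
        return "drop_otm"
    return None

def find_otm_tampering(events):
    """Return hosts where all three steps occur within WINDOW of each other."""
    last_seen, flagged = {}, []
    for ts, host, kind, actor, target in sorted(events):
        stage = stage_of(kind, actor, target)
        if stage is None:
            continue
        now = datetime.fromisoformat(ts)
        last_seen.setdefault(host, {})[stage] = now
        recent = {s for s, t in last_seen[host].items() if now - t <= WINDOW}
        if recent == STAGES and host not in flagged:
            flagged.append(host)
    return flagged
```

Run against the constructed sample, only `ws-01` is flagged: a lone OTM write by Outlook itself and steps spread over hours do not match.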

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
