We had a user today receive an email with "See enclosed report" in the message body, and a random name as the email subject. Attached was a .dot file which presumably was macro-enabled. One of our users (I have been pushing for removing admin rights and setting application whitelisting for months, but hey, I'm the new guy, so...) clicked into the .dot and got herself infected. Trend Micro caught the residual breadcrumbs but only after being infected.
The next thing it did was it found another machine on the network which had a USB-drive attached and shared and began to encrypt THOSE files as well.
We didn't get a chance to thoroughly analyze what was going on, but it definitely dropped a .VBS in the user's appdata folder and executed that. The interesting thing about the file was that all the variables, objects, functions, etc. were named with a random set of alphanumeric characters, so it LOOKED encrypted, but it wasn't. Presumably to circumnavigate pattern-based detection.
In any case, this rolled right on through our Barracuda Spam Filter - they didn't have the definitions for the infection yet until an hour after we had cleaned up the mess.
The mail content:
Please find latest report attached.
Attached file: 263_2567rh.dot
Obviously, the names and filenames are different per each email, but this was the format of the incoming infection this AM.
Just a head's up for everyone - keep any eye out.
Also, guess what I got approved to do starting tomorrow? Application whitelisting and removing admin rights...FINALLY.