Email Phishing via XPS Files

Over the past month, our filters have captured phishing attempts that use XPS files instead of the typical PDF or DOC/DOCX formats. The XPS file format is Microsoft's alternative to PDF. Windows machines running Vista or later natively support this format through the built-in Windows XPS file viewer. Threat actors have started taking advantage of this lesser-utilized format for their phishing campaigns.

Phishing Examples
AppRiver's SecureTide email filtering has captured a wide range of these phishing messages. So far, they appear to be attributable to threat actors currently conducting Business Email Compromise (BEC) attacks. The attacks originate from legitimate (compromised) senders and share similar techniques, tactics, and procedures.

Viewing the XPS File
Users should not open or view unsolicited attachments, even from a known sender, without intense scrutiny and/or verification. Scammers exploit the trust that known contacts share. Hopefully a user will never see one of these; however, this is what these attached files look like when opened in an isolated test environment.
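
One way to triage an XPS attachment without opening it in the viewer, as an added example that is not part of AppRiver's original post: an XPS file is a ZIP-based package, so a script can list the external link targets found in its page markup. The sample package, its link, and the function names are constructed for illustration.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Parts of an XPS (OPC) package that carry page markup or relationships.
MARKUP_SUFFIXES = (".fpage", ".rels")
# FixedPage.NavigateUri marks a clickable region; Target= appears in .rels parts.
URI_ATTR = re.compile(r'\b(?:FixedPage\.NavigateUri|Target)\s*=\s*"([^"]+)"')

def decode_part(raw):
    """XPS markup parts are UTF-8 or UTF-16; choose by byte-order mark."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def external_links(xps_bytes):
    """Return sorted (part_name, uri) pairs whose URI points outside the package."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(xps_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.lower().endswith(MARKUP_SUFFIXES):
                continue
            if info.file_size > 5_000_000:  # skip oversized parts (zip-bomb guard)
                continue
            text = decode_part(pkg.read(info))
            for uri in URI_ATTR.findall(text):
                if urlparse(uri).scheme.lower() in ("http", "https", "ftp", "file"):
                    found.add((info.filename, uri))
    return sorted(found)

def build_sample():
    """Constructed sample package: one page with one external and one internal link."""
    page = (
        '<FixedPage xmlns="http://schemas.microsoft.com/xps/2005/06" Width="816" Height="1056">'
        '<Path FixedPage.NavigateUri="https://login.example.invalid/view" Data="M 0,0 L 9,0 9,9 Z"/>'
        '<Path FixedPage.NavigateUri="../../Documents/1/Pages/2.fpage" Data="M 0,0 L 5,0 5,5 Z"/>'
        '</FixedPage>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Documents/1/Pages/1.fpage", page.encode("utf-16"))
        z.writestr("Documents/1/Pages/_rels/1.fpage.rels",
                   '<Relationships><Relationship Target="/Resources/img1.png"/></Relationships>')
    return buf.getvalue()

if __name__ == "__main__":
    for part, uri in external_links(build_sample()):
        print(part, uri)
```

Links that stay inside the package (other pages, embedded images) are ignored, so whatever the function returns is worth checking against URL reputation before the message is released to a user.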

This information was brought to you by AppRiver. For more information and examples of phishing, follow this link: //blog.appriver.com/2018/05/bec-attacks-evolve-to-phishing-via-xps-files-appriver