Microsoft Security E-mail Spoofs with Malware

Hi, this is Christopher Budd.


We received some questions from customers about an e-mail that’s circulating that claims to be a security e-mail from Microsoft. The e-mail comes with an attached executable, which it claims is the latest security update, and encourages the recipient to run the attached executable so they can be safe.


While malicious e-mails posing as Microsoft security notifications with attached malware aren’t new (we’ve seen this problem for several years) this particular one is a bit different in that it claims to be signed by our own Steve Lipner and has what appears to be a PGP signature block attached to it.


While those are clever attempts to increase the credibility of the mail, I can tell you categorically that this is not a legitimate e-mail: it is a piece of malicious spam and the attachment is malware. Specifically, it contains Backdoor:Win32/Haxdoor. My colleagues over in the Microsoft Malware Protection Center (MMPC) tell me that we have detections in place for this particular piece of malware in all of our antivirus and antispyware products (Windows Defender, Microsoft Malicious Software Removal Tool (MSRT), Microsoft Forefront Security for Exchange Server, Microsoft Forefront Client Security, Windows Live OneCare, and the Windows Live OneCare Safety Scanner). They’ve posted some information on their weblog located here. A reminder that you can always submit suspected malware to the MMPC by going here.


While we’re talking about malicious attempts to spoof our security notifications, I wanted to take a moment more generally to talk about our security notifications and things you can look for to better help you to spot these malicious spoofs.


First and foremost, we never, ever, ever send attachments with our security notification e-mails. And, as a matter of company policy, Microsoft will never send you an executable attachment. If you get an e-mail that claims to be a security notification with an attachment, delete it. It is always a spoof. You can think of our security notification e-mails as a notification for you to go to the security bulletin and get the updates from the link in the bulletin to the Microsoft Download Center. You should always get our security updates from the links in the bulletins or through our deployment tools such as Microsoft Update or Windows Update, Windows Software Update Services (WSUS) or System Center Configuration Manager.


Second, our security notification e-mails are always plain text only: we never use HTML e-mail for our security notification e-mails. If you receive an e-mail claiming to be a security notification that’s in HTML formatting, delete it. It is always a spoof.


Third, while we use Pretty Good Privacy (PGP) to sign our security notification e-mails, the mere presence of a PGP signature block in an e-mail doesn’t mean that the e-mail is authentic. If you want to authenticate a PGP-signed e-mail that claims to be from us, be sure you get a copy of our current PGP key here and use your PGP software to check the e-mail’s signature against that key.


Finally, if you’re still not sure whether a security notification e-mail that claims to be from us is legitimate, you can always just delete that e-mail and go to the TechNet security site directly. Everything that we send e-mail notifications for is ultimately on the TechNet security site. Remember, the e-mail notifications are always just a pointer to the website.
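The four checks above can be applied mechanically when triaging a suspicious message. The script below is an added example (not Microsoft’s own tooling): it parses a raw message with Python’s standard `email` library, flags any attachment, any executable attachment, any HTML body, and the presence of a PGP signature block, and classifies the message as a spoof if either of the first two hard rules fires. The sender address, the file-extension list and the sample message are constructed for the example; checking the signature against Microsoft’s published key is left to your PGP software.

```python
import email
from email import policy
from email.message import EmailMessage

# File extensions Windows runs directly (list is an assumption for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
PGP_SIG_MARKER = "-----BEGIN PGP SIGNATURE-----"


def triage_notification(raw: bytes) -> dict:
    """Apply the post's rules to a raw RFC 822 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    f = {"attachment": False, "executable": False, "html": False, "pgp_block": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if part.get_content_disposition() == "attachment" or name:
            f["attachment"] = True  # rule 1: any attachment at all is a spoof
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTENSIONS:
                f["executable"] = True  # company policy: never an executable
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            f["html"] = True  # rule 2: notifications are plain text only
        elif ctype == "text/plain" and PGP_SIG_MARKER in part.get_content():
            f["pgp_block"] = True  # rule 3: presence alone proves nothing
    if f["attachment"] or f["html"]:
        f["verdict"] = "spoof"
    else:
        # Plain text, no attachment: still only "unverified" until the signature
        # is checked against the published key with real PGP software.
        f["verdict"] = "unverified"
    return f


def build_sample() -> bytes:
    """Constructed message imitating the spoof described in the post."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <security@example.invalid>"  # placeholder
    msg["Subject"] = "Security Update"
    msg.set_content("Please run the attached update.\n"
                    "-----BEGIN PGP SIGNATURE-----\nnotarealsignature\n"
                    "-----END PGP SIGNATURE-----\n")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="update.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_notification(build_sample()))
```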


In addition to the tips I’ve outlined here, we maintain a page, which you can use or point others to, that collects many of these same tips.


Hopefully these tips will help you to better identify e-mail spoofs claiming to be from Microsoft and better protect yourself against these malware attacks.





*This posting is provided “AS IS” with no warranties, and confers no rights.*