{
	"id": "e3295f45-8059-44de-bbc5-99d3499b9833",
	"created_at": "2026-04-06T00:16:00.037305Z",
	"updated_at": "2026-04-10T03:21:51.8126Z",
	"deleted_at": null,
	"sha1_hash": "fde253149b1eb4c7fc9f8781900d428114aaa395",
	"title": "New Emotet attacks use fake Windows Update lures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1909537,
	"plain_text": "New Emotet attacks use fake Windows Update lures\r\nBy Catalin Cimpanu\r\nPublished: 2020-10-15 · Archived: 2026-04-05 22:56:31 UTC\r\nIn today's cyber-security landscape, the Emotet botnet is one of the largest sources of malspam — a term used to describe emails that deliver malware-laced file attachments.\r\nThese malspam campaigns are absolutely crucial to Emotet operators. They are the base that props up the botnet, feeding new victims to the Emotet machine — a Malware-as-a-Service (MaaS) cybercrime operation that's rented to other criminal groups.\r\nTo prevent security firms from catching up and marking their emails as \"malicious\" or \"spam,\" the Emotet group regularly changes how these emails are delivered and how the file attachments look.\r\nEmotet operators change email subject lines, the text in the email body, and the file attachment type, but also the content of the file attachment, which is as important as the rest of the email.\r\nThat's because users who receive Emotet malspam, besides reading the email and opening the file, still need to allow the file to execute automated scripts called \"macros.\" Office macros only execute after the user has pressed the \"Enable Editing\" button that's shown inside an Office file.\r\nenable-editing.png\r\nImage: Microsoft\r\nTricking users into enabling editing is just as important to malware operators as the design of their email templates, their malware, or the botnet's backend infrastructure.\r\nhttps://www.zdnet.com/article/new-emotet-attacks-use-fake-windows-update-lures/\r\nPage 1 of 4\r\nAcross the years, Emotet has developed a collection of boobytrapped Office documents that use a wide variety of \"lures\" to convince users to click the \"Enable Editing\" button.\r\nThis includes:\r\nDocuments claiming they've been compiled on a different platform (i.e., Windows 10 Mobile, Android, or iOS) and the user needs to enable editing for the content to appear.\r\nDocuments claiming they've been compiled in older versions of Office and the user needs to enable editing for the content to appear.\r\nDocuments claiming to be in Protected View and asking the user to enable editing. (Ironically, the Protected View mechanism is the one blocking macros and showing the Enable Editing button/restriction.)\r\nDocuments claiming to contain sensitive or limited-distribution material that's only visible after the user enables editing.\r\nDocuments showing fake activation wizards and claiming that Office activation has been completed and the user only needs to click enable editing to use Office; and many more.\r\nBut this week, Emotet arrived from a recent vacation with a new document lure.\r\nFile attachments sent in recent Emotet campaigns show a message claiming to be from the Windows Update service, telling users that the Office app needs to be updated. Naturally, this must be done by clicking the Enable Editing button (don't press it).\r\nemotet-windows-update.jpg\r\nImage: @catnap707/Twitter\r\nAccording to an update from the Cryptolaemus group, since yesterday, these Emotet lures have been spammed in massive numbers to users located all over the world.\r\nPer this report, on some infected hosts, Emotet installed the TrickBot trojan, confirming a ZDNet report from earlier this week that the TrickBot botnet survived a recent takedown attempt from Microsoft and its partners.\r\nThese boobytrapped documents are being sent from emails with spoofed identities, appearing to come from acquaintances and business partners.\r\nFurthermore, Emotet often uses a technique called conversation hijacking, through which it steals email threads from infected hosts, inserts itself in the thread with a reply spoofing one of the participants, and adds the boobytrapped Office documents as attachments.\r\nThe technique is hard to pick up, especially among users who work with business emails on a daily basis, which is why Emotet so often manages to infect corporate or government networks.\r\nIn these cases, training and awareness are the best way to prevent Emotet attacks. Users who work with emails on a regular basis should be made aware of the danger of enabling macros inside documents, a feature that is very rarely used for legitimate purposes.\r\nKnowing what the typical Emotet lure documents look like is also a good start, as users will be able to dodge the most common Emotet tricks when one of these emails lands in their inboxes, even from a known correspondent.\r\nBelow is a list of the most popular Emotet document lures, according to a list shared with ZDNet by security researcher @ps66uk.\r\nemotet-windows-10.png\r\nImage: Cryptolaemus\r\nemotet-ios.png\r\nImage: Sophos\r\nemotet-android.jpg\r\nImage: @pollo290987/Twitter\r\nemotet-openoffice.png\r\nImage: @ps66uk/Twitter\r\nemotet-office.png\r\nImage: Cryptolaemus\r\nemotet-office-rus.jpg\r\nImage: Cryptolaemus\r\nemotet-word.jpg\r\nImage: @JAMESWT_MHT/Twitter\r\nemotet-word-2.png\r\nImage: @ps66uk/Twitter\r\nemotet-word.png\r\nImage: @ps66uk/Twitter\r\nemotet-word-eror.png\r\nImage: @ps66uk/Twitter\r\nemotet-activation-wizard.png\r\nImage: @Myrtus0x0/Twitter\r\nemotet-red-dawn.jpg\r\nImage: Cryptolaemus\r\nemotet-protected.jpg\r\nImage: @catnap707/Twitter\r\nemotet-protected.png\r\nImage: @ps66uk/Twitter\r\nemotet-interruption.png\r\nImage: @ps66uk/Twitter\r\nSource: https://www.zdnet.com/article/new-emotet-attacks-use-fake-windows-update-lures/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/new-emotet-attacks-use-fake-windows-update-lures/"
	],
	"report_names": [
		"new-emotet-attacks-use-fake-windows-update-lures"
	],
	"threat_actors": [],
	"ts_created_at": 1775434560,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fde253149b1eb4c7fc9f8781900d428114aaa395.pdf",
		"text": "https://archive.orkl.eu/fde253149b1eb4c7fc9f8781900d428114aaa395.txt",
		"img": "https://archive.orkl.eu/fde253149b1eb4c7fc9f8781900d428114aaa395.jpg"
	}
}