Researchers report tax-themed phishing campaign using Microsoft Management Console files

Nate Denny, Secretary and State Chief Information Officer at North Carolina Department of Information Technology

A new phishing campaign is delivering malware through Microsoft Management Console (MMC) files, according to a report released on Apr. 9 by researchers at Securonix. The attack uses tax-themed lures and targets users in Pakistan, but experts warn that the use of .msc files in phishing attacks is becoming more common globally.

The campaign is notable because it leverages .msc files, which are typically used for legitimate administrative purposes. Researchers say this method allows attackers to execute embedded scripts or commands under the guise of trusted tools. “Threat actors can exploit these .msc files because of their ability to execute embedded scripts or commands under the guise of legitimate administrative tools,” the researchers explain.

The attack often begins with a phishing email containing either a malicious link or an attachment designed to look like an official tax document. “The lures and nomenclature used in the filenames and lure documents suggest that the campaign follows standard tax-themed phishing methods (Income-Tax-Deduction-and-Rebates202441712.pdf for example),” according to Securonix. All examined documents were written in English, with at least one appearing as a general tax document from the government of Pakistan.

Once opened, these MMC files can run arbitrary code without explicit user consent. The researchers note, “We observed the use of JavaScript, though the execution of VBScript is also supported. Therefore, any malicious code executed through the .msc file will execute under the context of mmc.exe.” They add that this flexibility makes MMC files particularly attractive for cybercriminals: “The robust flexibility of MMC files can be exploited maliciously since attackers can craft .msc files that, when opened, execute arbitrary code without explicit user consent.”
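For defenders, the behavior described above suggests two things to look for in process-creation telemetry: mmc.exe opening an .msc file from outside the Windows system directories, and mmc.exe starting child processes. The following is an added example, not code from the Securonix report; the event field names follow Sysmon process-creation records, and the sample events, file names and trusted-directory list are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption: default install locations of the consoles Windows ships itself.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)\b', re.IGNORECASE)

def basename(path):
    return PureWindowsPath(path).name.lower()

def msc_argument(command_line):
    """Return the .msc path passed on the command line, or None."""
    m = MSC_ARG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None

def in_trusted_dir(msc_path):
    parent = str(PureWindowsPath(msc_path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)

def triage(event):
    """Return review findings for one process-creation event."""
    findings = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if image == "mmc.exe":
        msc = msc_argument(event["CommandLine"])
        # Relative or user-writable locations cannot be tied to a shipped console.
        if msc and not in_trusted_dir(msc):
            findings.append(f"mmc.exe opened .msc outside system directories: {msc}")
    if parent == "mmc.exe" and image != "mmc.exe":
        # Script content in an .msc runs inside mmc.exe, so its children merit review.
        findings.append(f"mmc.exe spawned child process: {event['Image']}")
    return findings

# Constructed sample events (not taken from the Securonix report).
EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s'},
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Users\user\Downloads\sample-tax-form.msc"'},
    {"Image": r"C:\Users\user\AppData\Local\Temp\example.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\example.exe"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev) or "no findings")
```

Administrators do launch tools from MMC snap-ins, so the child-process finding is a prompt for review rather than a verdict.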

Securonix recommends caution when downloading attachments from unknown sources and notes that zip, rar, iso, and pdf files are frequently used to deliver malware through email links or attachments.

As organizations face evolving threats like these phishing campaigns using MMC files, security awareness training remains an important defense against social engineering attacks.


