Malware attack blasted out in "Important Changes to Microsoft Services agreement" email

Filed Under: Featured, Malware, Microsoft, Spam

Microsoft logoIf you received an email, apparently from Microsoft, claiming to be about "Important Changes to Microsoft Services Agreement" would you trust it?

From the naked eye, after all, it looks professionally presented, has Microsoft's funky new logo.. what could be wrong with this? (Feel free to click below for a larger version if you want to take a closer look.)

Malicious email. Click for larger version

Part of the email reads as follows:

Message body:

We've updated the Microsoft Services Agreement , which governs many of our online services - including your Microsoft account and many of our online products and services for consumers, such as Hotmail, SkyDrive, Bing, MSN,, Windows Live Messenger, Windows Photo Gallery, Windows Movie Maker, Windows Mail Desktop and Windows Writer. Please read over the new Microsoft Services Agreement in the attached file to familiarise yourself with the changes we've made.

The updated agreement will take effect on 19 October, 2012. If you continue to use our services after 19th October, you agree to the terms of the new agreement or, of course you can cancel your service at any time.

We have modified the agreement to make it easier to read and understand, including using a question and answer format that we believe makes the terms much clearer. We also clarified how Microsoft uses your content to better protect consumers and improve our products, including aligning our usage to the way we're designing our cloud services to be highly integrated across many Microsoft products. We realise you may have personal conversations and store personal files using our products, and we want you to know that we prioritise your privacy.

The text of the email *is* apparently genuine, as there was an actual Microsoft message - dated August 27 - that can be viewed here.

The clue which should ring your alarm bells about this latest email, however, comes in the attached file: Microsoft-Services-Agreement.pdf.exe.

To those lacking in caution (or indeed, those Windows users who haven't told their operating system to show filenames in full) the attached file might appear to be an Adobe PDF document rather than an executable file.

But sure enough, it is an EXE file. And it will embed itself as a backdoor Trojan horse in your Registry to automatically run on startup.


Of course, the emails were not sent by Microsoft at all. Cybercriminals have forged the email header to trick unsuspecting users into believing the communication is legitimate, and click on the attached file.

So, don't be fooled by fancy fonts, trustworthy names and bland corporate-style emails like the above. Not all malware threats are spammed out posing as scandalous videos of Olympic gymnasts or a pigtail-wearing young woman who claims she went to school with you.

Sophos products detect the malware used in this attack as Troj/Backdr-HG.

, ,

You might like

17 Responses to Malware attack blasted out in "Important Changes to Microsoft Services agreement" email

  1. Peter de la Bastide · 1117 days ago

    I sent a query concerning this to Sophos on August 30 immediately after receiving the counterfeit notification from Microsoft. It didn't look or sound right to me.

    Chester Wisniewski replied (in 37 mins) to my one word query, "Legit?" with "Appears so."

    Good thing I decided to follow my own instincts, eh?

    • Graham Cluley · 1117 days ago

      But did the one you received in August, have a .pdf.exe attachment?

      I believe the wording is based on a genuine email from Microsoft - the bad guys have added the malware as a nasty side dish.

      • Kaws · 1116 days ago

        The ones that were going around in August had the same wording as a previous Microsoft Service Agreement update like this one, but they didn't have a malicious attachment. They all had malicious links instead.

  2. Jennifer Evans · 1117 days ago

    Usually these things are obvious because the English is so bad, but this one was very good apart from the British date format. But since I never signed an agreement with Microsoft, I'd have been suspicious about that. And I don't hide extensions, so I would have seen the .exe.

  3. Melissa · 1117 days ago

    What raised alarm bells for me is the UK spelling of words such as "familiarise" and "prioritise." A US-based company like Microsoft would use the American English spellings of "familiarize" and "prioritize."

  4. John · 1117 days ago

    Dutch translation isn't that bad either! Very easy to fall for...

  5. Camroc · 1117 days ago

    I received this same email into one of my Hotmail accounts , but with a slight change.
    It has no attachment and where your one says "in the attached file" , mine just says "here" , which points to " http://email (dot) microsoft (dot) com (slash) Key-****.*.****.*.**.**** "

    Links look legit but I dont think this would do much good because its not as if anyone would bother to read the T&C agreements :)

  6. njt · 1117 days ago

    I received the 'legitimate' version only yesterday (dated Sept 16 2012)
    Like above the last line of the first paragraph is "Please read over the new Microsoft Services Agreement here to familiarise yourself with the changes we've made. " where "here" is a link to the agreement, and not an attached file, but otherwise the wording matches.

    I was a bit surprised with the "of course you can cancel your service at any time" line as I did not think that Microsoft would sound so condescending to their customers, but I supposed it is the times.

  7. Mkaysi · 1117 days ago

    I received message with that subject, but I didn't notice any attachments. I was a little tired and only wondered why is Microsoft sending email to my old address, I changed my address when gave option for it.

  8. Patrick McDonald · 1117 days ago

    I received a message from microsoft(?) dated 09/11/12 which mentioned no attached file, but had a clickable "here", which I did click on. The text was as shown. Should I be concerned?

  9. Nathan Patroni · 1117 days ago

    I got 3 of these emails, one was legitimate and two of them contained the trojan.

  10. Ian · 1116 days ago

    My email was dated 1/9/2012 but I didnt open the link. It was listed as being from a trusted site - and had the green shield alongside it.

  11. Anne · 1116 days ago

    The wording matches but the punctuation in one spot is slightly different. In the first sentence, "We've updated the Microsoft Services Agreement," the legitimate email has no space between the word "Agreement" and the following comma and the underscoring does not extend to the comma. The forged email has a space there. It's a little difficult to see because of the underscoring which extends to include the comma.

    • Anne · 1116 days ago

      Sorry, it should read, "extends to include the space before the comma."

    • Anne · 1116 days ago

      Correction: The last sentence should read, "extends to include the space before the comma."

  12. barbara · 1116 days ago

    Please be patient w/me but I have a question re Java. I keep getting reminders that Java updates are available (for me to install) put out by Sunmicro Systems, Inc. Is Java still "virusy" or do I have the wrong end of the stick?? Many thanks for any advice.

  13. Fiona · 1114 days ago

    Ok I am a bit computer dumb, I do have my settings to show full file extentions but without clicking on one of the blue links how can I see what the file name is? Can you tell I have received one of these e-mails, thank goodness I had not clicked on any of the links, I had saved the e-mail to look at later, I have now deleted it!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley