Malware attack blasted out in “Important Changes to Microsoft Services agreement” email


If you received an email, apparently from Microsoft, claiming to be about “Important Changes to Microsoft Services Agreement”, would you trust it?

To the naked eye, after all, it looks professionally presented and carries Microsoft’s funky new logo. What could be wrong with it?

Screenshot: the malicious email.

Part of the email reads as follows:

Message body:

We've updated the Microsoft Services Agreement, which governs many of our online services - including your Microsoft account and many of our online products and services for consumers, such as Hotmail, SkyDrive, Bing, MSN, Windows Live Messenger, Windows Photo Gallery, Windows Movie Maker, Windows Mail Desktop and Windows Writer. Please read over the new Microsoft Services Agreement in the attached file to familiarise yourself with the changes we've made.

The updated agreement will take effect on 19 October, 2012. If you continue to use our services after 19th October, you agree to the terms of the new agreement or, of course you can cancel your service at any time.

We have modified the agreement to make it easier to read and understand, including using a question and answer format that we believe makes the terms much clearer. We also clarified how Microsoft uses your content to better protect consumers and improve our products, including aligning our usage to the way we're designing our cloud services to be highly integrated across many Microsoft products. We realise you may have personal conversations and store personal files using our products, and we want you to know that we prioritise your privacy.

The text of the email *is* apparently genuine, as there was an actual Microsoft message – dated August 27 – that can be viewed here.

The clue that should ring your alarm bells about this latest email, however, is the attached file: Microsoft-Services-Agreement.pdf.exe.

To those lacking in caution (or, indeed, those Windows users who haven’t configured Windows Explorer to show file extensions, which it hides for known file types by default), the attached file might appear to be an Adobe PDF document rather than an executable file.

But sure enough, it is an EXE file, and it will install itself as a backdoor Trojan horse, adding a Registry entry so that it runs automatically at startup.

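The double-extension trick above is easy to catch at the mail gateway before Explorer ever gets a chance to hide the real extension. The following is an added example, not code from the original post or from Sophos: it parses a raw message and flags attachments whose name ends in a document-style extension followed by an executable one. The extension lists, the `example.invalid` addresses and the sample message are constructed for illustration.

```python
import email
from email import policy

# Extensions Windows runs directly on double-click (assumption: starter list, extend for your estate).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "msi", "cpl"}
# Document and image types commonly used as the visible "decoy" extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
              "jpg", "jpeg", "png", "gif", "htm", "html", "zip"}

def disguised_executable(filename):
    """Return (decoy_ext, real_ext) for names like doc.pdf.exe, else None.
    Case differences and padding such as 'report.pdf     .exe' are handled."""
    parts = [p.strip().lower() for p in filename.strip().rstrip(". ").split(".")]
    if len(parts) < 3:            # need at least <name>.<decoy>.<real>
        return None
    decoy, real = parts[-2], parts[-1]
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return (decoy, real)
    return None

def scan_message(raw_message):
    """Parse a raw RFC 822 message; return (filename, decoy, real) for each suspect attachment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        verdict = disguised_executable(name) if name else None
        if verdict:
            findings.append((name, verdict[0], verdict[1]))
    return findings

# Constructed sample modelled on the campaign above; not the real message, and the payload is a dummy.
SAMPLE = """\
From: "Microsoft" <noreply@example.invalid>
Subject: Important Changes to Microsoft Services Agreement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Microsoft-Services-Agreement.pdf.exe"
Content-Disposition: attachment; filename="Microsoft-Services-Agreement.pdf.exe"

MZ-dummy-payload
--b1--
"""

for name, decoy, real in scan_message(SAMPLE):
    print(f"BLOCK: {name!r} pretends to be .{decoy} but is a .{real}")
```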

Of course, the emails were not sent by Microsoft at all. Cybercriminals have forged the email header to trick unsuspecting users into believing the communication is legitimate and clicking on the attached file.

So, don’t be fooled by fancy fonts, trustworthy names and bland corporate-style emails like the above. Not all malware threats are spammed out posing as scandalous videos of Olympic gymnasts or a pigtail-wearing young woman who claims she went to school with you.

Sophos products detect the malware used in this attack as Troj/Backdr-HG.