January 26, 2022  —  Eric Swotinsky

Spam campaign delivers infostealers via malicious PowerPoint files

An ongoing wave of spam is sending out emails with a dangerous PowerPoint attachment. This file contains an obfuscated macro that, once activated, uses a combination of PowerShell and Mshta to run its malicious payload — a script that downloads either the Ave Maria or AgentTesla malware.

These are two common trojans that can steal data, download further payloads, and disable Microsoft Defender. Some of these payloads are hosted on legitimate cloud services in order to appear more trustworthy. One of the additional modules being downloaded is an information stealer for cryptocurrency wallets, which also monitors the clipboard for Bitcoin transaction addresses so that they can be discreetly replaced with the attacker's own.

The Acronis Advanced Email Security pack blocks malicious emails before they reach users' inboxes, while Acronis Cyber Protect’s self-defense capabilities protect the agent itself from manipulation.