Phishing Using XPS Files

Posted By: Jessica Patterson - 10/23/2018 12:00:00 AM

Bad guys are using lesser-used file extensions (e.g. XPS) to confuse recipients and trick them into opening attachments they normally wouldn’t open. The .xps file extension is Microsoft’s alternative to the PDF file. It can be used just as a normal PDF file would be: to send files for others to view and sign, all while protecting the master document.

The following email was sent out from a compromised employee email account. The initial XPS document does not contain anything that would flag the email as spam or malicious.


Once the phishee opens the document, they are directed to an attached document (below) that then directs them to click on another link.

This link sends the user to a fake Microsoft webpage that prompts them to enter their email address. If they proceed, the next screen asks for their password. Once the password is entered, the user is either redirected to an unexpected page or nothing happens. The user has now handed their carefully chosen, ultra-secure password over to the bad guys, who can begin using the account as they see fit.
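For mail administrators, the link inside an XPS attachment can be listed for review without opening the file in a viewer. The following Python code is an added example, not part of the original post: it assumes pages are stored as `.fpage` parts inside the ZIP container and carry hyperlinks in the `FixedPage.NavigateUri` attribute (the XPS convention), and the sample package and its URL are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MAX_PART = 5 * 1024 * 1024  # ignore oversized parts (zip-bomb guard)
NAV_ATTR = "FixedPage.NavigateUri"  # XPS hyperlink attribute on page elements

def is_external(uri: str) -> bool:
    """True for http(s) targets; internal links such as '#Page2' are skipped."""
    try:
        return urlsplit(uri).scheme.lower() in ("http", "https")
    except ValueError:  # malformed URI
        return False

def xps_external_links(data: bytes) -> list:
    """Return (part name, URL) for each external hyperlink in an XPS package."""
    links = []
    # zipfile.BadZipFile is raised if the attachment is not a ZIP container.
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            name = info.filename
            # Assumption: page parts use the conventional .fpage extension.
            if not name.lower().endswith(".fpage") or info.file_size > MAX_PART:
                continue
            try:
                root = ET.fromstring(pkg.read(info))
            except ET.ParseError:
                continue  # unreadable page markup; nothing to extract
            for el in root.iter():
                uri = el.attrib.get(NAV_ATTR, "")
                if is_external(uri):
                    links.append((name, uri))
    return links

def build_sample_xps() -> bytes:
    """Constructed sample package; the URL is a placeholder, not an indicator."""
    page = ('<FixedPage xmlns="http://schemas.microsoft.com/xps/2005/06">'
            '<Path FixedPage.NavigateUri="https://login.example.invalid/signin"/>'
            '<Canvas FixedPage.NavigateUri="#Page2"/></FixedPage>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("Documents/1/Pages/1.fpage", page)
    return buf.getvalue()

if __name__ == "__main__":
    for part, url in xps_external_links(build_sample_xps()):
        print(f"{part}: {url}")
```

Any host in the output that is not the organization's real sign-in domain is the thing to check before the message reaches more inboxes.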


 Helpful Hints:

  • Be very wary of any attachment or link inside of an email that you were not expecting, even if you know the person who sent it!
  • Watch for XPS file extensions, or other file extensions that you are not familiar with.
  • NEVER give your email password out in order to open an attachment.
  • Check URL addresses on login pages before you log in.
  • Watch for unprofessional-looking login pages, graphics that aren’t centered, or spelling/punctuation errors.
  • Call the person who sent the attachment.
  • Warning Sign: Nothing happened when you logged in.

What You Should Do:

If you do happen to log in to one of these, immediately change the password for your email and any other account that uses this password, then call your IT Support department. Runbiz 806.322.2150.

PO BOX 51207 
Amarillo, Texas 

Great care has been taken in producing this compilation of resources. Citations are given as possible, but please know that this piece of work is from a collection of extraordinary minds.