Windows updates may be annoying, but they’re innocuous enough, right?

Think again.

A new wave of malware attacks is finding its way into computer systems by posing as Windows update alerts.

How it works

Here’s what happens: it all starts with a phishing email. The email is not about a Windows update. Instead, it uses one of the latest hot-button topics, such as Donald Trump or COVID-19, or poses as a counterfeit shipping notice, invoice, or resume.

Users will not encounter the fake update notification until after opening any documents attached to the email. BleepingComputer, which first detected the attack, shared a screenshot of what the update notification looks like.

A user’s computer will become infected if they click “enable editing.” This sets off malicious macros that will download the Emotet malware and install it on the user’s device. Forbes notes that the yellow bar makes this alert particularly deceptive:

Why use a fake Windows Update alert? The answer lies in the yellow bar at the top of the document. Microsoft Word and the other Office apps have built-in protections designed to thwart document-based attacks. The Protected View warning is one of those.

How can you detect a malware attack like this?

An astute observer would easily notice some red flags in the fake Windows update alert box. For example, a genuine alert from Windows would be correctly spelled, instead of saying “These programs need to be upgrade.”

Forbes also points out:

It’s also important to note that Microsoft won’t notify you about Office updates this way. Instead, you’ll see a yellow bar at the top of the app window. It looks a lot like the Protected View warning, except it begins “updates available.”

Always be on the lookout for potential scams – the tell is often revealed in subtle differences in your user experience. Never download attachments or open links from unknown senders, and be wary of what apps you download and sites you visit.
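
On the mail-defender side, the chain described above (a document attached to an email, with macros that run once editing is enabled) can be flagged before the user ever sees the lure. The sketch below is an added example, not code from the original article or from the sources it cites. It inspects attachment content for macro-capable Office formats; the verdict labels, function names and the sample message are all constructed for illustration.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls compound file

def macro_verdict(data: bytes) -> str:
    """Classify one attachment by content, not by file extension."""
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"      # may carry VBA; route to deeper analysis
    if data.startswith(b"PK"):   # OOXML documents are ZIP archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return "malformed"   # looks like a ZIP but will not parse: flag it
        # Macro-enabled OOXML keeps its VBA in a part named vbaProject.bin
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
    return "no-macro"

def scan_message(raw: bytes) -> dict:
    """Return {attachment filename: verdict} for one raw email message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): macro_verdict(p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def build_sample() -> bytes:
    """Constructed message with stand-in attachments (no real macros)."""
    def ooxml(with_vba: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("word/document.xml", "<w:document/>")
            if with_vba:
                z.writestr("word/vbaProject.bin", b"placeholder bytes")
        return buf.getvalue()
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    for name, blob in (("invoice.docm", ooxml(True)), ("notes.docx", ooxml(False)),
                       ("resume.doc", OLE_MAGIC + b"\x00" * 504)):
        msg.add_attachment(blob, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()).items():
        print(f"{name}: {verdict}")
```

A mail gateway or triage script could quarantine or strip anything that does not come back as "no-macro" when the sender is external.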