The email comes complete with a faked disclaimer message saying the email is from Microsoft and a false note claiming antivirus software scanned the attachment and it appears safe, Cisco wrote in a blog post. Ransomware variant CTB-Locker encrypts victims' files if they download the attached zip file.
Although the attackers try masking their efforts, the phony emails ultimately don't hold up to serious scrutiny.
For instance, the “from” address is update[at]Microsoft.com. However, the email header demonstrates that the message originated from an IP address in Thailand. Another giveaway includes characters that don't parse correctly in the email body, which could be due to the target audience or the character set the adversaries used to craft the email.