Subway UK phishing attack is pushing TrickBot malware

BleepingComputer was today alerted to a new phishing campaign pretending to be Subway order confirmations targeting people from the United Kingdom.

What is concerning about these phishing emails is that they include the user’s first name, and some users are reporting they are being sent to emails only used for Subway. This attack may indicate a data breach at Subway UK that allowed the threat actors to gain access to customer’s names and email addresses.

The emails ask the user to click on various links as their “order documents are ready and awaiting confirmation.” Once you click a link you are directed to various hacked websites that load a ‘FreshBooks’ phishing page when clicked on. Clicking on any of the links on this landing page will download an Excel spreadsheet.

Depending on the variant of the phishing email you received, the Excel spreadsheet may be password protected. Once the password is entered, a fake and malicious DocuSign phishing attachment will be displayed. This document states that there is a problem previewing the document, and you need to click on ‘Enable Editing’ and ‘Enable Content’ to view it.

If a recipient enables the content, it will also enable malicious macros embedded in the Excel spreadsheet that download and install the TrickBot malware.