Christmas malware spreading fast: Protect yourself now

Four women wearing ugly Christmas sweaters.
You could argue these people kind of deserve it, though. (Image credit: Sergei Bachlakov/Shutterstock)

It's time for ugly Christmas sweaters — and for ugly Christmas-themed malicious spam emails. 

A new malspam campaign dumps an email in your inbox marked "Christmas Party," "Christmas Party next week," "Party menu," "Holiday schedule" or something similar. But the attached Word document delivers a lump of coal: the notorious Emotet Trojan malware

"HAPPY HOLIDAYS," begins the email, as spotted by Microsoft and Cofense Labs. "I have attached the menu for the Christmas Party next week. If you would like bring something, look at the list and let me know. 

"Don't forget to get your donations in for the money tree," the email adds. "Also, wear your tackiest/ugliest Christmas sweater to the party." Sometimes it adds, "Details in the attachment."

How the Christmas attack works

Because Emotet spreads from one Windows machine to another by raiding infected people's email contact lists, the malicious email may greet you by name and come from someone you know. So you'll be tempted to open the attached document. 

If you're running Word, the program will open the document in Protected Mode. But the people behind Emotet need you to turn off Protected Mode and enable macros. 

So what you may see in the now-visible document will be a stolen Microsoft Office logo and the words, "This document was created in OpenOffice. To edit this document, click Enable Editing from the yellow bar above. Once you have enabled editing, please click Enable Content button from the yellow bar above."

Once you click those buttons, though, you enable macros, the Office scripting functions that permit Emotet to infect your machine. And once Emotet is installed, it can do practically anything: download more malware, steal confidential information such as passwords or account numbers, get access to your online bank account or set up your computer as a cog in a botnet

One thing the malware will definitely try to do is rifle through your contacts list and send everyone on it more Emotet-laden malicious spam emails.

How to avoid Emotet infection

To make sure your holidays don't end up as ugly as your co-workers' sweaters, follow a few simple steps:

Make sure macros are turned off in Word. In Word for Windows, go to File > Options > Trust Center > Trust Center Settings > Macro Settings, and choose "Disable all macros with notification". 

In macOS, it's Word > Preferences > Personal Settings > Security & Privacy > Macro Security and choose "Warn before opening a file that contains macros." Emotet doesn't infect Macs, but other forms of malware that do may be attached to these emails.

Don't enable editing or content on Word documents that come attached to emails. You'll be able to read them just fine.

Run Windows as a limited user. There are two kinds of Windows user accounts: administrator accounts with the power to install or update software, and limited accounts without that power. If you use a limited account for day-to-day activities, your chances of malware infection drop dramatically.

Use one of the best antivirus software programs. A good antivirus program will catch and stop an Emotet infection.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.