RTF files are a popular file type among hackers for sending phishing emails. They can easily be converted into HTML or PDF, which makes them easy to create and distribute, and that in turn makes them a favorite tool of hackers looking to pose as legitimate websites or email recipients. One common use is in phishing campaigns: the attacker sends you an email that looks like it comes from a reputable website but is actually a scam. The email asks for your personal information, such as your name and address, and then asks you to click a link that takes you to a page where you are asked for that information again. By that point, the RTF file used in the original phishing campaign will have been replaced with an HTML or PDF document that looks like it came from the original website. If an email asking for your personal information looks like it comes from a reputable website but is actually from a scammer, don’t click on it. Instead, report the email to your computer security company or police department so that they can investigate further.


Researchers at Proofpoint first spotted the malicious RTF template injections in March 2021, and the firm expects it to become more widely used as time goes on.

Here’s what’s happening, according to Proofpoint:

To put it simply, threat actors are placing malicious URLs in the RTF file through the template function, which can then load malicious payloads into an application or perform Windows New Technology LAN Manager (NTLM) authentication against a remote URL to steal Windows credentials, which could be disastrous for the user who opens these files.
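As an added example (not code from Proofpoint or from the original article), here is a small Python checker for the indicator described above: an RTF document whose `\*\template` control word points at a remote destination (an HTTP(S)/FTP URL or a UNC path) rather than a local template file. It goes slightly beyond the text by also resolving RTF `\'hh` hex escapes before inspecting the destination, since the RTF format allows bytes to be written that way. The three RTF snippets are constructed test inputs and `example.invalid` is a placeholder.

```python
import re
import sys

# RTF writes a raw byte as \'hh (two hex digits). Decode these so a
# template destination written in escaped form is inspected as plain text.
_HEX_ESCAPE = re.compile(r"\\'([0-9a-fA-F]{2})")

# {\*\template <destination>} names the document template to load.
# A local .dotm path is normal; a remote destination is the indicator.
_TEMPLATE = re.compile(r"\{\\\*\\template\s*([^{}]*)\}", re.DOTALL)

# Destinations that would make Word reach off the host to fetch the template.
_REMOTE = re.compile(r"^\s*(https?://|ftp://|\\\\)", re.IGNORECASE)


def _decode_hex_escapes(text: str) -> str:
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def find_template_destinations(rtf: str) -> list[str]:
    """Return every decoded \\*\\template destination found in the RTF text."""
    return [_decode_hex_escapes(m.group(1)).strip() for m in _TEMPLATE.finditer(rtf)]


def is_remote_template_injection(rtf: str) -> bool:
    """True when any template destination points at a URL or UNC path."""
    return any(_REMOTE.match(dest) for dest in find_template_destinations(rtf))


# Constructed samples (not real documents): a normal local template,
# a plain remote URL, and the same URL scheme written as hex escapes.
LOCAL_TEMPLATE_SAMPLE = r"{\rtf1\ansi{\*\template C:\\Users\\me\\Normal.dotm}Hello}"
REMOTE_URL_SAMPLE = r"{\rtf1\ansi{\*\template http://example.invalid/tpl.dotm}Hello}"
HEX_OBFUSCATED_SAMPLE = r"{\rtf1\ansi{\*\template \'68\'74\'74\'70://example.invalid/x}Hi}"


if __name__ == "__main__":
    # Usage: python rtf_template_check.py file.rtf  (or run with no args for the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="latin-1", errors="replace") as fh:
            data = fh.read()
        print(sys.argv[1], "REMOTE TEMPLATE" if is_remote_template_injection(data) else "ok")
    else:
        for name, sample in [("local", LOCAL_TEMPLATE_SAMPLE),
                             ("remote", REMOTE_URL_SAMPLE),
                             ("hex", HEX_OBFUSCATED_SAMPLE)]:
            print(name, find_template_destinations(sample), is_remote_template_injection(sample))
```

A matching template destination is only an indicator; the file still deserves sandboxed analysis, since the same control word legitimately carries local paths.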

Where things get really scary is that these RTF template injections have a lower detection rate by antivirus apps than the well-known Office-based template injection technique. That means you might download the RTF file, run it through an antivirus app and think it’s safe when it’s hiding something sinister.

So what can you do to avoid it? Simply don’t download and open RTF files (or any other files, really) from people you don’t know. If something seems suspicious, it probably is. Be careful what you download, and you can mitigate the risk of these RTF template injection attacks.
