Jan 14 | 2:18 am (UTC-7) | by Gelo Abendan (Technical Communications)
Trend Micro was alerted to the discovery of a recent threat that takes advantage of malicious search results generated from the Microsoft Office site.
This threat targets users looking for tips and help-related information on using Microsoft Office products on Microsoft’s official website, particularly those looking to delete meeting notices without notifying the other invitees.
Using the search string “delete meeting without notifying invitees” apparently led users to malicious results, which in turn led to the download of two malicious files: webvirusscanner77.com.htm-1 (detected by Trend Micro as HTML_FAKEALE.JD) and Setup102_2045-10.exe-1 or Setup111060_2045-10.exe-1 (aka TROJ_FAKEXPA.IA).
Both files have been found to be FAKEAV variants. Once executed, they displayed fake scanning results and prompted users to buy bogus antivirus software.
According to Trend Micro threat researcher Normal Ingal, typing the search query into the site returns results not only from the site itself but from the entire Web. This attack puts users particularly at risk because the URLs generated by the search query begin with http://office.microsoft.com, which may trick them into thinking they are still in safe waters when they actually are not. Fortunately, Microsoft has addressed the issue.
Smart Protection Network™ protects Trend Micro product users by blocking user access to identified malicious sites and by preventing the download of all related malware.