Using a few of the details shared about it - namely, that the email contained an attachment called 2011 Recruitment plan.xls, and "2011 Recruitment Plan" in the subject line - F-Secure researcher Timo Hirvonen burrowed for months in the malware database shared by Virus Total with security companies, in the hopes that the attached file was uploaded for a check by someone.
As it turns out, both the email and the attachment were uploaded. Here is how it looks like (click on the screenshot to enlarge it):
With a "From" email address spoofed to look like it was coming from the web master of recruiting website Beyond.com, it was sent to an EMC employee and CC'd to three others on the 3rd of March.
The attached Excel spreadsheet contained a Flash object that was executed by Excel and took advantage of a vulnerability to install the Poison Ivy backdoor on the victim's computer.
The backdoor then proceeded to contact a server from which the attacker was able to access remotely the workstation and other network drives, and from that, to the rest of the network.
"The attack email does not look too complicated," points out F-Secure. "In fact, it's very simple. However, the exploit inside Excel was a zero-day at the time and RSA could not have protected against it by patching their systems."
According to Computerworld, RSA was contacted but has not confirmed that the found email is one of the two that wreaked such havoc in the company.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.