Security researchers at F-Secure have unearthed what they think is the email used to hack RSA in March.
The ultimate aim of the attack is believed to have been the theft of military secrets from defence contractors Lockheed Martin and Northrop Grumman, both SecurID customers. It compromised RSA's SecurID token system, forcing the company to offer replacement SecurID tokens to more than 20,000 business customers.
But rather than relying on novel technology, the attack opened with a familiar social engineering trick. An email, spoofed to look as if it had come from the recruiting website Beyond.com, was sent to an employee of RSA's parent company, EMC.
The email, found by F-Secure's Timo Hirvonen, was titled '2011 Recruitment plan' and contained one line of content: 'I forward this file to you for review. Please open and view it'. Attached was an Excel spreadsheet.
On opening the attachment, a Flash object embedded in the spreadsheet was rendered by Excel through the Adobe Flash Player plugin. The object exploited CVE-2011-0609, a Flash Player vulnerability that was still unpatched (a zero-day) at the time, to execute code and drop a backdoor known as Poison Ivy, before closing down Excel.
Poison Ivy then connected back to the attackers' command-and-control server. Because the connection is outbound from the victim, it passes through most perimeter firewalls, and it gave the attackers full remote access to the infected workstation and any network drives it could reach.
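The lure described above hid a Flash object inside an Office attachment. The following is an added example written for this page, not code from F-Secure, RSA or Computing: a scanner that flags Office attachments carrying an embedded SWF by looking for the three SWF signatures (FWS uncompressed, CWS zlib-compressed, ZWS LZMA-compressed) followed by a plausible version byte and length field. Legacy .xls files are OLE2 containers that embed the SWF bytes directly, so a byte scan suffices; .xlsx and other OOXML files are ZIP archives, so each member is scanned instead. The sample "attachments" built by the helper functions are constructed for the test and are empty Flash movies, not exploits; the version ceiling of 40 is an assumption chosen to cut false positives.

```python
"""Heuristic scanner for Flash (SWF) objects embedded in Office attachments.

Added example for this article (not F-Secure's or RSA's code). The SWF header
layout (3-byte signature, 1-byte version, 4-byte little-endian length) is from
the SWF file format specification; everything else here is an assumption or
constructed test data.
"""
import io
import struct
import zipfile
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA
MAX_PLAUSIBLE_VERSION = 40                  # assumption: filters random "FWS" text hits
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container header


def parse_swf_header(data: bytes, offset: int):
    """Return (signature, version, declared_length) for a candidate SWF header
    at `offset`, or None if the 8 bytes there are not a plausible SWF header."""
    hdr = data[offset:offset + 8]
    if len(hdr) < 8:
        return None
    sig, version = hdr[:3], hdr[3]
    (length,) = struct.unpack("<I", hdr[4:8])  # uncompressed length, header included
    if sig not in SWF_SIGNATURES or not (1 <= version <= MAX_PLAUSIBLE_VERSION) or length < 8:
        return None
    # An uncompressed movie must fit inside the remaining bytes; a compressed one
    # declares its *uncompressed* size, so that check does not apply to CWS/ZWS.
    if sig == b"FWS" and length > len(data) - offset:
        return None
    return sig.decode(), version, length


def find_swf_objects(data: bytes):
    """Return a sorted list of (offset, signature, version, length) for every
    plausible SWF header in `data`."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while (pos := data.find(sig, start)) != -1:
            parsed = parse_swf_header(data, pos)
            if parsed:
                hits.append((pos, *parsed))
            start = pos + 1
    return sorted(hits)


def scan_attachment(blob: bytes):
    """Scan one attachment. OOXML (ZIP) files are scanned member by member;
    anything else (including OLE2 .xls) is scanned as raw bytes. Each hit is
    (location, offset, signature, version, length)."""
    hits = []
    if blob.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            for name in z.namelist():
                hits += [(name, *h) for h in find_swf_objects(z.read(name))]
    else:
        hits += [("<file>", *h) for h in find_swf_objects(blob)]
    return hits


# --- constructed sample inputs (empty Flash movies, not exploit code) ---------

def build_sample_swf(compressed: bool = False) -> bytes:
    """Minimal SWF: header + RECT(0 bits) + frame rate + frame count + End tag."""
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"
    length = 8 + len(body)                      # 15 bytes uncompressed
    if compressed:
        return b"CWS" + bytes([10]) + struct.pack("<I", length) + zlib.compress(body)
    return b"FWS" + bytes([10]) + struct.pack("<I", length) + body


def build_sample_xls() -> bytes:
    """Blob that mimics a legacy .xls with an embedded SWF (constructed; not a
    real OLE2 structure, just the magic bytes plus padding around the object)."""
    return OLE_MAGIC + b"\x00" * 64 + build_sample_swf() + b"\x00" * 32


def build_sample_xlsx() -> bytes:
    """Constructed OOXML-style ZIP with a compressed SWF as an embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/embeddings/oleObject1.bin", build_sample_swf(compressed=True))
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("xls", build_sample_xls()), ("xlsx", build_sample_xlsx())):
        print(label, scan_attachment(sample))
```

A mail gateway or sandbox would run `scan_attachment` over every Office attachment and quarantine any with hits for analyst review; since an embedded Flash object was a rare thing to find in a recruitment spreadsheet, even a noisy heuristic like this would have been a useful tripwire. It does not decompress CWS/ZWS payloads or parse OLE2 streams, so a Flash object wrapped in a further compression layer would need a proper OLE parser to reach.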
"The message was sent to one EMC employee and cc'd to three others," said F-Secure chief research officer Mikko Hyppönen in his blog.
"If there's any lesson to be learned it's that the human element is the greatest risk," Graham Cluley, senior technology consultant at security firm Sophos, told Computing. "Technology can reduce the risks, but ultimately anyone making a bad decision can be the weak chink in your armour that exposes your internal systems."