US-CERT has seen reports of an email attack targeting Microsoft's April Security Bulletin release cycle. This attack arrives via email messages with the subject line "Critical Patch Released: Microsoft Security Bulletin MS08-64738." These email messages contain a link to a fraudulent Microsoft Update web site that hosts malicious code or contains an attachment that is embedded with malicious code. Users who follow the link or open the attachment may become infected with a Trojan.

US-CERT encourages users to do the following to help mitigate the risks:

• Install anti-virus software and keep its virus signature files up to date.
• Do not follow unsolicited web links received in email messages.
• Verify web sites recommended in email by manually typing their URLs. Do not link directly to web sites recommended in an email.
  
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
• Follow the guidance provided in the Recognize and avoid fraudulent e-mail to Microsoft customers document from Microsoft.