Understanding the threats lurking in Microsoft Office documents
Microsoft Office stands as a pillar in the landscape of modern productivity tools. Its suite of programs, from Word for crafting documents to Excel for data analysis, offers versatility in both personal and professional environments. Used for everything from note-taking and resumes to essays and business reports, these documents are indispensable and trusted tools in today's digital age.
This versatility, however, presents a double-edged sword. While they enhance efficiency and functionality, they simultaneously create potential security risks. This duality makes Microsoft Office documents an attractive target for threat actors, who exploit their widespread use and familiar interface to deliver phishing and malware with alarming ease.
Attackers leverage the familiarity of Microsoft Office documents to carry out these attacks. Given their common presence in professional and personal communication, Office documents are seen as inherently trustworthy by many users. Cybercriminals exploit this trust by sending malicious documents as email attachments or as links to files in cloud storage. To further enhance the legitimacy of their campaigns, threat actors spoof well-known brands and themes, increasing the likelihood that recipients will open the document and interact with the malicious content.
Embedding Simple Links and QR Codes
Microsoft Office documents can deliver both complex malware distribution tools and simple links or QR codes embedded in the document. Links embedded in documents often lead to credential phishing sites designed to steal sensitive information, or trigger the download of malware.
A notable example of leveraging embedded links is the DarkGate campaign, where an Excel attachment contained a malicious link designed to compromise systems upon interaction. DarkGate, first seen in 2018, is known for its capabilities in cryptocurrency mining, credential theft, ransomware, and remote access. By tailoring this campaign with more creativity, DarkGate attackers hid the embedded link within more personalized and elaborate emails, attempting to increase the likelihood of user interaction.
QR codes embedded in documents also provide another simple yet effective threat vector for attackers. Unlike embedded links, QR codes require users to make an effort to interact with them using their smartphone, adding a layer of obfuscation that can make detection by automated security systems more challenging. According to Cofense, in 2023, there was a 331 percent increase in active threat reports involving QR codes. The use of QR codes to bypass Secure Email Gateways (SEGs) has exponentially increased, highlighting the growing danger and widespread use of these threats.
Versatility of Microsoft Office Document Threats
Aside from the malicious QR code campaigns, threat actors are able to use Microsoft Office documents to carry out more complex threats. Office macros, initially designed to automate repetitive tasks and enhance productivity, have become both a powerful tool and a significant security risk. These small programs, written in the Visual Basic for Applications (VBA) programming language, can perform complex functions within Office documents. However, their potential for automation has also made them attractive to cybercriminals.
Attackers embed malicious macros in documents, which execute automatically upon opening, often without the user's explicit consent. This method has been widely exploited, with groups like Emotet using these tactics to distribute malware at high volume. While the use of macro-based attacks has waned somewhat due to Microsoft's security updates blocking automatic macro execution, they require the least amount of user effort to execute and thus remain significant.
Other complex threats include vulnerabilities such as the Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882) and the Microsoft Office/WordPad Remote Code Execution Vulnerability (CVE-2017-0199), which are often paired together to deliver complex malware distribution tools. Using the CVE-2017-11882 exploit, threat actors inject malicious code into documents that executes upon opening.
The fact that older versions of Office are vulnerable to these CVEs makes them a popular delivery mechanism among threat actors. The availability of open-source tools, easily found online, that automate the creation of Office documents carrying these vulnerabilities further exacerbates their popularity.
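The embedded links, QR-code images, macros and OLE objects described above all leave traces in the package structure of a modern Office file, which is a plain ZIP archive of XML parts. The following triage script is an added example, not code from the article or from Cofense; it builds a constructed, harmless sample .docx in memory and then inspects it for a VBA project part, external relationship targets (hyperlinks, attached templates, linked OLE objects), embedded media (candidate QR codes) and embedded OLE binaries. Part names follow the OOXML conventions; the sample URL is a placeholder.

```python
import io
import re
import zipfile

# Constructed sample relationships part: one external hyperlink and one image.
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/hyperlink" Target="https://login-example.invalid/verify" TargetMode="External"/>'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/image" Target="media/image1.png"/>'
    '</Relationships>'
)

def build_sample_docx() -> bytes:
    """Build a minimal, harmless .docx-like package (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")  # macro project stub
        z.writestr("word/media/image1.png", b"\x89PNGplaceholder")         # picture stub
    return buf.getvalue()

RELS_RE = re.compile(r"<Relationship\b[^>]*>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def triage_ooxml(data: bytes) -> dict:
    """Collect the package-level indicators a defender would review before opening."""
    findings = {"macros": [], "external": [], "media": [], "ole": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):      # VBA macro storage
                findings["macros"].append(name)
            elif "/media/" in low:                  # pictures, including QR codes
                findings["media"].append(name)
            elif "/embeddings/" in low:             # embedded OLE objects
                findings["ole"].append(name)
            if low.endswith(".rels"):
                xml = z.read(name).decode("utf-8", "replace")
                for rel in RELS_RE.findall(xml):
                    attrs = dict(ATTR_RE.findall(rel))
                    # External targets cover hyperlinks as well as remote
                    # templates and linked OLE objects that fetch content at open time.
                    if attrs.get("TargetMode") == "External":
                        kind = attrs.get("Type", "").rsplit("/", 1)[-1]
                        findings["external"].append((kind, attrs.get("Target", "")))
    return findings
```

Run `triage_ooxml(open(path, "rb").read())` on a real attachment; any non-empty "macros" or "external" list is worth a closer look, and media parts can be handed to a QR decoder.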
The versatility of Microsoft Office documents makes them a dangerous threat to organizations. It is crucial for businesses to recognize these threats and understand the common distribution vectors to effectively protect against them. By understanding how these threats operate, companies can proactively safeguard their systems.
Knowledge of these threats is only one part of the defense strategy. Equally critical is empowering employees through comprehensive training to recognize and report potential phishing attempts. It only takes one employee clicking an embedded link or scanning a QR code for an attacker to steal credentials or deploy malware. Educating employees is therefore an indispensable component of an organization's security defenses. By instilling a culture of vigilance and awareness, organizations can better protect themselves against the looming threats in Microsoft Office documents.
Max Gannon is Cyber Intelligence Manager at Cofense.