[MART] - Daily Diary #334 - Using Microsoft Office Documents as an Infection Vector

CTAS-MAT ctas-mat at appgate.com
Wed Aug 25 22:12:21 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

08/25/2021 - Diary entry #334

Today we are going to talk about Microsoft Office documents as an infection vector. It's not uncommon to receive spam messages with Office documents attached. Word documents, PowerPoint presentations, spreadsheets: all the common file formats can be used to deliver a phishing link or malware.

Since MS Office 97, which introduced the macro programming language Visual Basic for Applications (VBA), attackers have found creative ways to abuse it to execute malicious commands on users' machines. With the evolution of MS Office, new vulnerabilities have been found and fixed. As it's a very popular tool, attackers and researchers are constantly trying to find new vulnerabilities that can be exploited.

The problem with MS Office is that it's very common to find users with an older (and therefore vulnerable) version installed. Even nowadays CVE-2017-11882, a memory corruption issue in MS Office that affected multiple versions from MS Office 2007 to MS Office 2013, is still heavily used by families like Agent Tesla (covered in our Daily Diary #92), LokiBot, and many others. That shows how common it is for users to have very old versions of MS Office installed.

Companies should be aware that using old versions of MS Office is a huge security risk, and they should train employees to never open this kind of attachment in e-mails from unknown senders. One option that many institutions have adopted nowadays is to use Office365, the cloud version of the suite. Using Office365 mitigates most of the risks involving macros and memory corruption vulnerabilities, but documents can still be used as part of a social engineering attack, convincing users to access a malicious link or download an attachment.
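As an added example (not code from the diary author or from Appgate), the script below shows the kind of triage check a mail gateway or analyst could run on an attachment to flag the two carriers discussed above: a VBA macro project (vbaProject.bin) and embedded OLE objects, in particular ones declared with the Equation Editor ProgID, the component abused by CVE-2017-11882. It only handles Office Open XML containers (.docx/.docm/.xlsx/.xlsm/.pptx/.pptm), which are ZIP files; legacy OLE2 .doc/.xls and RTF carriers are reported as "not-ooxml" and need a different parser. The sample documents it scans are constructed in memory and are not real malicious files; the risk labels are this example's own convention, not a standard.

```python
"""Triage an Office Open XML (OOXML) attachment for macro and embedded-object
payloads. Added example, not part of the original diary entry."""
import io
import zipfile

# Directories where Word/Excel/PowerPoint store embedded OLE objects.
EMBEDDING_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
# Marker Word writes into the XML part for an embedded Equation Editor object.
EQUATION_MARKER = b'progid="equation'


def triage_ooxml(data: bytes) -> dict:
    """Return which risky members a document carries. Takes raw bytes so the
    check can be fed from a mail gateway, a sandbox, or a file on disk."""
    findings = {"is_ooxml": False, "macros": [], "embedded_objects": [],
                "equation_objects": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP: legacy OLE2 (.doc/.xls) or RTF, out of scope here
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return findings  # a ZIP, but not an OOXML package
        findings["is_ooxml"] = True
        for name in names:
            lower = name.lower()
            # The VBA project lives in word/, xl/ or ppt/ as vbaProject.bin.
            if lower.rsplit("/", 1)[-1] == "vbaproject.bin":
                findings["macros"].append(name)
            elif lower.startswith(EMBEDDING_DIRS) and not lower.endswith("/"):
                findings["embedded_objects"].append(name)
            # Any XML part referencing an Equation Editor ProgID is worth flagging.
            if lower.endswith(".xml") and EQUATION_MARKER in zf.read(name).lower():
                findings["equation_objects"].append(name)
    return findings


def risk_label(findings: dict) -> str:
    """Map findings to a coarse label (this example's own convention)."""
    if not findings["is_ooxml"]:
        return "not-ooxml"
    if findings["equation_objects"] or findings["macros"]:
        return "high"       # Equation Editor object or VBA project present
    if findings["embedded_objects"]:
        return "medium"     # some other embedded OLE object, inspect further
    return "low"


def build_sample(members: dict) -> bytes:
    """Build a minimal constructed OOXML container in memory (not a document
    produced by Word) so the triage can be exercised offline."""
    parts = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
    parts.update(members)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain document, one with a macro project, and one
# with an embedded object declared as Equation.3 (placeholder payload bytes).
SAMPLE_CLEAN = build_sample({})
SAMPLE_MACRO = build_sample({"word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder"})
SAMPLE_EQUATION = build_sample({
    "word/document.xml": '<w:document><o:OLEObject Type="Embed" '
                         'ProgID="Equation.3" r:id="rId5"/></w:document>',
    "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 placeholder",
})

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("macro", SAMPLE_MACRO),
                        ("equation", SAMPLE_EQUATION), ("rtf", b"{\\rtf1 not a zip}")):
        f = triage_ooxml(blob)
        print(f"{label:9} -> {risk_label(f):9} {f}")
```

A gateway would typically quarantine "high" results and route "medium" to a sandbox; note that the ProgID string is one indicator of an Equation Editor object, not proof of exploitation, so the label is a triage priority rather than a verdict.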

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
