Recent reports have revealed that hackers are actively weaponizing Microsoft 365 Office documents to deploy malware in business environments. This tactic, which exploits the widespread use of Microsoft Office applications, involves embedding malicious code within Office files that can be executed when the document is opened. This article delves into the methods used by cybercriminals, the vulnerabilities they exploit, and the measures businesses can take to protect themselves.
Microsoft 365 Office documents hacked
Microsoft 365 Office documents have long been a favored attack vector for cybercriminals due to their ubiquity in business operations. From generating professional reports to preparing CVs and performing data analysis, Office applications like Word, Excel, and PowerPoint are integral to daily workflows. However, the same features that make these tools versatile, such as macros and scripting capabilities, also make them susceptible to exploitation.
Malware methods used
Cybersecurity researchers at COFENSE have identified several methods by which hackers embed malicious code into Microsoft 365 Office documents. These methods include:
- Malicious macros: Written in Visual Basic for Applications (VBA) and stored inside the document, these macros can execute automatically when the document is opened. Despite Microsoft’s efforts to restrict unauthorized macros, many users still bypass these warnings, allowing the malware to run.
- Embedded links and QR codes: Simple links and QR codes within documents can serve as attack vectors. These elements can exploit vulnerabilities such as CVE-2017-11882 and CVE-2017-0199 to execute malicious code.
- OLE exploits: Object Linking and Embedding (OLE) allows Office documents to link to external files. Hackers can exploit this feature to download and execute malicious applications from remote servers.
- Zero-day vulnerabilities: Flaws that are unknown to the vendor and exploited before a fix is available pose a significant threat. For instance, a recently discovered zero-day vulnerability in Microsoft Word allows malware to be installed surreptitiously, even on protected systems.
Malware Examples
Several high-profile malware campaigns have leveraged these techniques:
- Trickbot: This malware family often begins its infection with a Word document containing VBA code. Once the user enables macros, the VBA module downloads the payload and establishes persistence on the system.
- Follina: This campaign exploits a bug in the Microsoft Support Diagnostic Tool (MSDT) to execute PowerShell commands. The attack is initiated by an HTML file embedded within an Office document, which calls MSDT and executes the malicious code.
- LokiBot: Known for stealing sensitive information, LokiBot uses remote code execution vulnerabilities in Word documents to download and execute its payload. The malware employs evasion techniques to avoid detection and analysis.
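The constructs described in the two lists above (a VBA project, externally linked OLE objects, and an ms-msdt: handler reference of the kind Follina abused) can be checked for statically, without opening the file in Office. The following Python triage script is an added example, not code from the article or from Cofense; the package layout it relies on is the standard OOXML zip structure, and the sample document it builds is constructed here with placeholder contents and no working macro or payload.

```python
import io
import re
import zipfile

# Relationship type URI for OLE objects from the OOXML schemas (a real constant).
REL_OLE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def triage_ooxml(data: bytes) -> dict:
    """Statically inspect an OOXML container (the zip behind .docx/.xlsm) for
    the three constructs discussed above. Returns a findings dict; nothing in
    the document is parsed by Office or executed."""
    findings = {"vba": False, "external_ole": [], "msdt_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            part = zf.read(name)
            # 1. Macro capability: the VBA project is stored as a binary part.
            if name.lower().endswith("vbaproject.bin"):
                findings["vba"] = True
            # 2. Follina-style handler reference anywhere in the package.
            if b"ms-msdt:" in part.lower():
                findings["msdt_parts"].append(name)
            # 3. OLE objects whose content is fetched from outside the file.
            if name.endswith(".rels"):
                rels = part.decode("utf-8", errors="replace")
                for rel in re.findall(r"<Relationship\b[^>]*>", rels):
                    attrs = dict(re.findall(r'(\w+)="([^"]*)"', rel))
                    if attrs.get("Type") == REL_OLE and attrs.get("TargetMode") == "External":
                        findings["external_ole"].append(attrs.get("Target", ""))
    return findings

def is_suspicious(findings: dict) -> bool:
    """Quarantine verdict: any one indicator is enough to hold the file for review."""
    return findings["vba"] or bool(findings["external_ole"]) or bool(findings["msdt_parts"])

def build_sample() -> bytes:
    """Constructed test document: a minimal package that only mimics the
    structure (a placeholder VBA part plus one external OLE link to a
    placeholder host). It contains no working macro or payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00placeholder-not-a-real-project")
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationships><Relationship Id="rId1" Type="' + REL_OLE + '" '
                    'Target="http://example.invalid/loader.html" TargetMode="External"/>'
                    '</Relationships>')
    return buf.getvalue()
```

To check a real attachment, pass its bytes to `triage_ooxml` and act on `is_suspicious`; a true result means the file should be held for analyst review rather than delivered.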
Strategies to avoid this malware
To protect against these threats, businesses must implement robust cybersecurity measures:
- Disable macros by default: Ensure that macros are disabled by default in Office applications. Educate users about the risks of enabling macros and encourage them to only enable macros from trusted sources.
- Regular software updates: Keep all software, including Microsoft Office, up to date with the latest security patches. This helps mitigate the risk of zero-day vulnerabilities being exploited.
- Advanced email security: Implement advanced email security solutions to detect and block malicious attachments. Tools like Microsoft Defender for Office 365 can provide additional layers of protection.
- User education and training: Conduct regular training sessions to educate employees about phishing attacks and the importance of not opening suspicious attachments or clicking on unknown links.
- Endpoint protection: Deploy endpoint detection and response (EDR) solutions to monitor and respond to suspicious activities on endpoints. These tools can help detect and mitigate malware infections before they cause significant damage.
The weaponization of Microsoft 365 Office documents by hackers underscores the need for heightened vigilance and robust cybersecurity practices. By understanding the methods used by cybercriminals and implementing comprehensive security measures, businesses can better protect themselves against these sophisticated attacks. Staying informed about the latest threats and continuously updating security protocols are essential steps in safeguarding your Windows PC.