One of Microsoft’s most popular products (at least in terms of revenues) is the Office suite, with the famous Word, Excel, Outlook and PowerPoint. In fact, the hegemony of the productivity software is not just limited to Windows PCs but also expands onto Macs, despite attempts from Apple at making their own version.
The simplicity, look and feel of Office are perhaps some of the reasons behind its success both on the consumer and enterprise sides. Unfortunately, any mass market usage also attracts the attention of crooks and other ill-intentioned individuals.
Office has been heavily targeted to distribute a sizeable portion of the malware we encounter these days, including ransomware and banking trojans. Massive spam campaigns are flooding inboxes worldwide with fake invoices, resumes or any other disguises threat actors can easily craft. Those are typically Word or Excel documents laced with macros – these automated instructions that can move cells around, format them and do other usually benign and nifty things. But the same macro functionality can be used for nefarious purposes too and all it takes is to trick someone into enabling them.
It seems strange that even in 2017, users are still getting infected via low-tech Office macros, but the fact of the matter is that this is a proven and reliable technique so long as users can be duped into clicking on things. And macros aren’t the only problem here. Attackers can embed other types of objects within the same Office documents, which can trigger a malicious payload – once again – typically when tricked into double clicking on a picture or some icon used as bait.
Just like any other piece of software, Office is not immune to security bugs that can be exploited without requiring any user interaction (unlike the aforementioned macros that still need some user participation). In recent times, unpatched vulnerabilities also known as zero-days, have been used in diverse campaigns to distribute malware. Simply open up a booby-trapped document and you are immediately infected with malware.
Regular patching can usually take care of most exploit driven malicious spam, but zero-days are a threat to account for and take mitigation steps against. Similarly to web exploits, there are a number of ‘Office kits’ that allow attackers to craft malicious documents with specific vulnerabilities. This makes it easier for criminals to weaponize Office vulnerabilities and quickly distribute their creations via spam campaigns.
The challenge for IT professionals is twofold: preventing malicious documents from ever entering the network perimeter and dealing with users that will always be fallible to social engineering. One common thought is that educating users against email borne threats will reduce the number of successful attacks. There is value in doing drills but not as much as one would think, and this has led some administrators to take more drastic measures through group policies for example, that disable certain risky features that could be abused when users are tricked to perform malicious actions.
The threat landscape is in constant evolution, with old techniques coming back into life and a constant flow of new vulnerabilities that can be added to the attackers’ arsenal. Right now, Office is in the line of fire and defenders must be sure to dedicate their time and attention to this significant threat.