Attackers have long used Word and Excel documents as delivery vehicles for malware, and in 2025 these tricks are far from outdated. From phishing schemes to exploits that fire the moment a file is opened, malicious Office files are still one of the easiest ways into a victim's system.
Here are the top three Microsoft Office-based attack techniques still making the rounds this year, and what you need to know to avoid them.
1. Phishing in MS Office: Still the Attackers' Favourite
Phishing attacks that use Microsoft Office files have been around for years, and they are still going strong. Why? Because they work, especially in business environments where teams constantly exchange Word and Excel documents.
Attackers know that people are used to opening Office files, especially when they appear to come from a colleague, a client, or a partner. A fake invoice, a shared report, or a job offer: it does not take much to convince someone to click. And once the file is open, the attacker has their chance.
Phishing with Office files usually aims to steal login credentials. The document itself carries no exploit; it carries a link. These documents might include:
- Links to fake Microsoft 365 login pages
- Phishing portals that mimic company tools or services
- Redirect chains that eventually land on credential-harvesting sites
In this ANY.RUN malware analysis session, an Excel file contains a malicious phishing link:
View analysis session with Excel file
[Image: Excel file containing a malicious link, detected inside the ANY.RUN sandbox]
When clicked, the link takes the victim to a web page that shows a Cloudflare "Verify you are human" check. This step is there to keep automated scanners and URL crawlers away from the final phishing page, not to protect the visitor.
[Image: Cloudflare verification passed with ANY.RUN's automated interactivity]
After clicking through, there is another redirect, this time to a fake Microsoft login page.
[Image: Malicious link to a fake Microsoft login page, with a URL made of random characters]
At first glance it might look real. But inside the ANY.RUN sandbox it is easy to spot the red flags. The login URL is not a legitimate Microsoft one: it is full of random characters and clearly does not sit under a Microsoft-owned domain such as login.microsoftonline.com.
Give your team the right tool to detect, investigate, and report threats faster in a secure environment.
Get a trial of ANY.RUN to access advanced malware analysis
This fake login page is where the victim unknowingly hands their credentials straight to the attacker.
Attackers are also getting more creative. Some phishing documents now contain embedded QR codes. These are meant to be scanned with a smartphone, which moves the victim onto a device outside the corporate email filters and endpoint controls, and then sends them to a phishing site or triggers a malware download. They can still be detected and analyzed with tools like the ANY.RUN sandbox.
2. CVE-2017-11882: The Equation Editor Exploit That Won't Die
First disclosed in 2017, CVE-2017-11882 is still exploited today in environments running outdated versions of Microsoft Office.
This vulnerability targets the Microsoft Equation Editor (EQNEDT32.EXE), a rarely used legacy component that shipped with older Office builds and runs as a separate out-of-process COM server. The bug is a stack buffer overflow in the way the Equation Editor parses the font name of an embedded equation object. Exploiting it is dangerously simple: just opening a document that contains the malicious OLE object is enough to trigger it. No macros, no extra clicks needed.
In this case, the attacker uses the flaw to download and run a malware payload in the background, usually by connecting to a remote server.
In our analysis session, the payload delivered was Agent Tesla, a well-known info-stealer used to capture keystrokes, credentials, and clipboard data.
View analysis session with malicious payload
[Image: Phishing email containing a malicious Excel attachment]
In the MITRE ATT&CK section of this analysis, we can see how the ANY.RUN sandbox detected the specific technique used in the attack:
[Image: Exploitation of the Equation Editor detected by ANY.RUN]
Microsoft patched the vulnerability in November 2017 and removed the Equation Editor from Office entirely in January 2018, but the exploit remains useful against systems that have not been updated. And with macros from internet-sourced files blocked by default in newer Office versions, CVE-2017-11882 has become a fallback for cybercriminals who want guaranteed execution without any user prompt.
3. CVE-2022-30190: Follina Is Still in the Game
The Follina exploit (CVE-2022-30190) is still a favourite among attackers for one simple reason: it works without macros and does not require any user interaction beyond opening a Word file. In its RTF variant it does not even need that; previewing the file in Windows Explorer is enough.
Follina abuses the Microsoft Support Diagnostic Tool (MSDT) through the ms-msdt: URL protocol handler. The document contains an OLE object that links to an external HTML page instead of an embedded object; when Office fetches that page, it invokes an ms-msdt: URL, and MSDT runs attacker-supplied commands, usually PowerShell, that contact a command-and-control server. That means merely viewing the file is enough to launch the malicious script.
View analysis session with Follina
[Image: Follina technique detected inside the ANY.RUN sandbox]
In our malware analysis sample, the attack went a step further. We saw the "stegocampaign" tag, which indicates the use of steganography, a technique in which the malicious payload is hidden inside image files.
[Image: Use of steganography in the attack]
The image is downloaded and processed by PowerShell, which extracts the actual payload from it without raising immediate alarms: to a network sensor, the download looks like an ordinary picture.
[Image: Image carrying the malicious payload, analyzed inside ANY.RUN]
To make matters worse, Follina is often used in multi-stage attack chains, combined with other vulnerabilities or payloads to increase the impact. Microsoft fixed CVE-2022-30190 in the June 2022 updates; its interim workaround was to remove the ms-msdt: protocol handler registration.
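All three techniques above leave static traces inside the document container, so a first-pass triage does not need to open the file in Office at all. The script below is an added example written for this article; it is not ANY.RUN's code and not taken from any of the analysis sessions. It unpacks an OOXML (.docx/.xlsx) file as a zip archive and flags: external hyperlinks that use Microsoft branding on a non-Microsoft host (the phishing case), external OLE-object relationships and ms-msdt: strings (the Follina pattern), and embedded objects carrying the Equation Editor ProgID or CLSID (the CVE-2017-11882 pattern). The sample document it scans is constructed inline, with a made-up lookalike domain and a TEST-NET IP address, so the script runs offline. The brand-word list and the "long random path" heuristic are the author's assumptions, not a published detection rule; RTF-based variants of both exploits are out of scope here.

```python
"""Static triage of an OOXML (docx/xlsx) container for Office phishing links,
Follina-style external OLE links and embedded Equation Editor objects.
Added example for this article; not ANY.RUN's code."""
import io
import re
import uuid
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
REL_OLEOBJECT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Domains that legitimately host Microsoft sign-in pages. A host that merely
# contains a Microsoft brand string but is not under one of these is a lookalike.
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")
BRAND_WORDS = ("microsoft", "office", "o365", "m365", "outlook", "sharepoint")  # assumed list

# CLSID of the legacy Equation Editor COM server (ProgID Equation.3) that
# CVE-2017-11882 targets. OLE storages record it in little-endian GUID form.
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"
EQNEDT_CLSID_LE = uuid.UUID(EQNEDT_CLSID).bytes_le


def is_microsoft_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def classify_hyperlink(url: str) -> Optional[str]:
    """Return a reason string if the link looks like a credential-phishing URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host or is_microsoft_host(host):
        return None
    if any(word in host for word in BRAND_WORDS):
        return "Microsoft brand in a non-Microsoft host"
    # Long random-looking path segments are typical of throwaway phishing URLs (heuristic).
    if re.search(r"/[A-Za-z0-9]{24,}", parsed.path):
        return "long random-looking path segment"
    return None


def scan_ooxml(data: bytes) -> list:
    """Scan an OOXML container; returns a list of (category, part, detail) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(blob)
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    rtype = rel.get("Type", "")
                    target = rel.get("Target", "")
                    external = rel.get("TargetMode") == "External"
                    if rtype == REL_HYPERLINK and external:
                        reason = classify_hyperlink(target)
                        if reason:
                            findings.append(("phishing-link", name, f"{target} ({reason})"))
                    elif rtype == REL_OLEOBJECT and external:
                        # Follina documents link an OLE object to a remote HTML page,
                        # which then invokes the ms-msdt: handler.
                        findings.append(("follina", name, f"external OLE link {target}"))
            if b"ms-msdt:" in blob:
                findings.append(("follina", name, "ms-msdt: URI inside the document"))
            if name.endswith(".xml") and b'ProgID="Equation.3"' in blob:
                findings.append(("equation-editor", name, "OLEObject with ProgID Equation.3"))
            if "/embeddings/" in name and (b"Equation.3" in blob or EQNEDT_CLSID_LE in blob):
                findings.append(("equation-editor", name, "embedded Equation Editor object"))
    return findings


def build_sample_docx() -> bytes:
    """Constructed test document (not a real malware sample) carrying all three
    patterns: a lookalike login link, an external OLE link and an embedded
    Equation Editor object. Domain and IP address are placeholders."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{REL_HYPERLINK}" '
        'Target="https://login.microsoftonline-verify.example/a/b" TargetMode="External"/>'
        # Public Follina samples terminate the external target with "!", reproduced here.
        f'<Relationship Id="rId2" Type="{REL_OLEOBJECT}" '
        'Target="http://198.51.100.7/stage.html!" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{REL_OLEOBJECT}" Target="embeddings/oleObject1.bin"/>'
        "</Relationships>"
    )
    document = (
        "<w:document><w:body><w:p><w:r><w:object>"
        '<o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId3"/>'
        "</w:object></w:r></w:p></w:body></w:document>"
    )
    # Not a valid compound file: just the CFB magic, the Equation Editor CLSID and ProgID.
    ole_blob = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + EQNEDT_CLSID_LE + b"Equation.3\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/embeddings/oleObject1.bin", ole_blob)
    return buf.getvalue()


if __name__ == "__main__":
    for category, part, detail in scan_ooxml(build_sample_docx()):
        print(f"[{category}] {part}: {detail}")
```

Run it on a real attachment by replacing `build_sample_docx()` with the file's bytes. A hit on "follina" or "equation-editor" is a strong signal by itself; a "phishing-link" hit is only a heuristic and is the kind of file worth detonating in a sandbox to follow the redirect chain, as the sessions above do.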
What This Means for Teams Using MS Office
If your organization relies heavily on Microsoft Office for day-to-day work, the attacks described above should be a wake-up call.
Cybercriminals know that Office files are trusted and widely used in business. That is why they keep abusing them. Whether it is a simple Excel sheet hiding a phishing link or a Word document silently running malicious code, these files can pose serious risks to your organization's security.
Here is what your team can do:
- Review how Office documents are handled internally; limit who can open or download files from external sources.
- Use tools like the ANY.RUN sandbox to inspect suspicious files in a safe, isolated environment before anyone in your organization opens them.
- Update all Office software regularly and disable legacy features like macros or the Equation Editor where possible. Microsoft's published workarounds for the two CVEs above were, respectively, setting the COM compatibility kill bit for the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046} and removing the ms-msdt: protocol handler under HKEY_CLASSES_ROOT; both are moot on patched builds, but worth checking on anything still running old versions.
- Stay informed about new exploitation techniques tied to Office formats so your security team can respond quickly.
Analyze Mobile Malware with ANY.RUN's New Android OS Support
The threat does not stop at Office files. Mobile devices are now a key target, and attackers spread malware through fake apps, phishing links, and malicious APKs.
This means a growing attack surface for businesses and the need for broader visibility.
With ANY.RUN's new Android OS support, your security team can now:
- Analyze Android malware in a real mobile environment
- Inspect suspicious APK behaviour before it reaches production devices
- Respond to mobile threats faster and with more clarity
- Support incident response across both desktop and mobile ecosystems
It is a big step toward full coverage, and it is available on all plans, including the free one.
Start your first Android threat analysis today and give your security analysts the visibility they need to protect your mobile attack surface.