New Exploit Uses Office Documents

A new exploit is using Microsoft Office documents to deliver malware.  This is different from the reanimated macro exploits.  In this exploit, the target receives an Office document, such as a Word file, as an email attachment.  Opening the attachment causes a malicious HTML application to be downloaded from the attacker's C2 server.  This is executed as an .hta file, disguised as an RTF file.  The result is that the attacker has complete access to the targeted computer.  Once the malware installation is complete, the victim is shown a fake Word document.

All versions of Office, including Office 2016, are vulnerable to this exploit.  The exploit takes advantage of Windows Object Linking and Embedding (OLE) functionality.  Opening the attachment often spawns this dialog box.

Microsoft sent out an update on April 11th to address this security vulnerability, so if you are keeping up on Windows updates, you should be fine.  But there are other actions you can take to protect yourself from this exploit, and the variations that are bound to appear later.

  • Do not open attachments unless you have confirmed them with the sender.
  • Better yet, forward the email with the attachment to  Change the subject line to SCAN, and wait for a response from VirusTotal.  The attachment will be scanned, and if it contains malware, you will be notified in the scanner results email.  This process takes less than 10 minutes.
  • This particular exploit cannot bypass Office Protected View.  This feature should be enabled if it is not already.  To check if this feature is enabled:
    • Click the File tab in the upper left corner.
    • Select Options.
    • Select Trust Center in the left pane.
    • Click Trust Center Settings.
    • Select Protected View.
    • Make sure all three options under Protected View are checked.
    • If not, check them and click OK.
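
The same Protected View check can be run from PowerShell instead of clicking through each application. This is an added example, not part of the original post; it assumes Office stores the three options as the DWORD values `DisableInternetFilesInPV`, `DisableUnsafeLocationsInPV` and `DisableAttachmentsInPV` under each application's `Security\ProtectedView` registry key, where 1 means the option is unchecked and an absent value means the default (checked).

```powershell
# Added example: report the three Protected View options for the current user.
# Assumption: a value of 1 turns Protected View OFF for that source; 0 or a
# missing value leaves it ON. The policy hive is read first because it wins.
$settings = [ordered]@{
    DisableInternetFilesInPV   = 'Files originating from the Internet'
    DisableUnsafeLocationsInPV = 'Files located in potentially unsafe locations'
    DisableAttachmentsInPV     = 'Outlook attachments'
}
$apps  = 'Word', 'Excel', 'PowerPoint'
$roots = 'HKCU:\Software\Policies\Microsoft\Office', 'HKCU:\Software\Microsoft\Office'

function Get-ProtectedViewState {
    param([string]$Version, [string]$App)
    foreach ($name in $settings.Keys) {
        $value = $null
        $source = 'default'
        foreach ($root in $roots) {
            $key  = Join-Path $root "$Version\$App\Security\ProtectedView"
            $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $value = $prop.$name; $source = $root; break }
        }
        [pscustomobject]@{
            Version = $Version
            App     = $App
            Option  = $settings[$name]
            Enabled = ($value -ne 1)
            Source  = $source
        }
    }
}

# Office version keys look like 15.0 or 16.0; skip non-version subkeys.
$versions = Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
    Select-Object -ExpandProperty PSChildName

$report = foreach ($v in $versions) {
    foreach ($a in $apps) { Get-ProtectedViewState -Version $v -App $a }
}

$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Enabled } | ForEach-Object {
    Write-Warning "Protected View is OFF: $($_.App) $($_.Version) - $($_.Option)"
}
```

Any warning line corresponds to an unchecked box in the Trust Center dialog described above; the script only reads the settings and changes nothing.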

These tips should protect you from this new Office exploit.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
