Full Report
Hackers have long used Word and Excel documents as delivery vehicles for malware, and in 2025, these tricks are far from outdated. From phishing schemes to zero-click exploits, malicious Office files are still one of the easiest ways into a victim’s system. Here are the top three Microsoft Office-based exploits still making the rounds this year and what you need to know to avoid them.
Analysis Summary
# Tool/Technique: Phishing via Malicious MS Office Documents (General)
## Overview
This entry summarizes the general technique of employing seemingly legitimate Microsoft Word and Excel documents to deliver malware or steal credentials through phishing, QR codes, or direct exploitation of file content and features.
## Technical Details
- Type: Technique
- Platform: Microsoft Office (Word, Excel) on Windows
- Capabilities: Delivery of phishing links, credential harvesting, execution of payloads via embedded objects or code, utilization of QR codes for mobile redirection.
- First Seen: Ongoing threat (Specific exploits evolve, but the technique is long-standing)
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link
- T1204 - User Execution
- T1204.002 - Malicious File
## Functionality
### Core Capabilities
- **Credential Harvesting:** Embedding links pointing to fake Microsoft 365 login pages or mimicking company services to capture user credentials.
- **User Deception (Social Engineering):** Using documents disguised as invoices, reports, or job offers to trick users into interacting with malicious content.
- **QR Code Delivery:** Embedding malicious QR codes intended to be scanned by smartphones, leading them to phishing websites or malware downloads.
### Advanced Features
- **Redirect Chains:** Deploying complex chains of redirects to obscure the final malicious destination, sometimes bypassing basic checks until the user reaches the credential harvesting site.
- **Bypassing Initial Security:** Exploiting the user's trust in routine document exchange to pass initial email gateway scrutiny.
## Indicators of Compromise
- File Hashes: N/A (Varies per campaign)
- File Names: Fake invoices, shared reports, job offers (Contextual)
- Registry Keys: N/A
- Network Indicators: URLs spoofing Microsoft 365 login pages; domains loaded via Cloudflare verification checks (defanged example: `fake-login-site[.]com`).
- Behavioral Indicators: User opening an Office document followed by rapid navigation to an external, unrecognized URL, or prompts for credentials outside of native Office functionality.
## Associated Threat Actors
- Various threat actors, frequently employed in financially motivated attacks and initial access campaigns. (The source does not attribute the generic phishing technique to specific actors; it is commonly used by established cybercriminal organizations.)
## Detection Methods
- Signature-based detection: Signatures for known phishing domains and login spoofing pages.
- Behavioral detection: Monitoring document execution that immediately spawns network connections to non-standard URLs or initiates browser processes for credential entry.
- YARA rules: Rules targeting specific VBA/macro structures (though this general technique often relies on non-macro methods). Sandboxing tools like ANY.RUN can actively trace redirects.
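A static triage complement to the signature and sandbox methods above: a phishing document carries its links in the OOXML relationship parts (`word/_rels/document.xml.rels`), where an external target is marked `TargetMode="External"`. The script below, an added example rather than code from the original report or any vendor, builds a small constructed .docx in memory, lists every external relationship, defangs the URL and flags hosts outside a trusted sign-in allowlist or paths that look like a Microsoft 365 login lure. It goes slightly beyond the phishing-link case by also flagging a remote OLE object relationship, which is how a document pulls content from a server at open time. `TRUSTED_HOSTS`, the `LOGIN_LURE` keywords and the sample URLs are assumptions made for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces defined by the OPC/OOXML specifications for relationship parts.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Assumption for this example: the only hosts a legitimate sign-in link should use.
TRUSTED_HOSTS = {"login.microsoftonline.com", "www.microsoft.com"}
# Keywords that suggest a page posing as a Microsoft 365 sign-in (assumed list).
LOGIN_LURE = re.compile(r"(login|signin|office365|microsoft|sharepoint|onedrive)", re.I)


def build_sample_docx() -> bytes:
    """Construct a minimal .docx in memory (constructed sample, not a real campaign file).

    It carries one external hyperlink, one external OLE object relationship and one
    benign internal part, so the parser has both positive and negative cases."""
    document_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1" Type="{DOC_REL_PREFIX}hyperlink"
      Target="https://fake-login-site.com/office365/login.html" TargetMode="External"/>
  <Relationship Id="rId2" Type="{DOC_REL_PREFIX}oleObject"
      Target="http://cdn-updates-example.net/template.html" TargetMode="External"/>
  <Relationship Id="rId3" Type="{DOC_REL_PREFIX}styles" Target="styles.xml"/>
</Relationships>"""
    document_xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


def external_targets(docx_bytes: bytes):
    """Yield (rels part, relationship type, target) for every External relationship."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    yield name, rel_type, rel.get("Target", "")


def defang(url: str) -> str:
    """Render a URL safe to paste into a ticket or report (hxxp, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(docx_bytes: bytes) -> list[dict]:
    """Classify each external target; anything off the trusted list is flagged with reasons."""
    findings = []
    for part, rel_type, target in external_targets(docx_bytes):
        host = (urlparse(target).hostname or "").lower()
        reasons = []
        if host and host not in TRUSTED_HOSTS:
            reasons.append("untrusted host")
        if rel_type == "oleObject":
            reasons.append("remote OLE object (document fetches content at open time)")
        if LOGIN_LURE.search(target) and host not in TRUSTED_HOSTS:
            reasons.append("sign-in lure on non-Microsoft host")
        findings.append({"part": part, "type": rel_type, "url": defang(target),
                         "host": host, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample_docx()):
        print(finding)
```

Because the check reads the package rather than rendered text, it also catches links hidden behind display text or images; a production version would add the same pass over `xl/` and `ppt/` relationship parts and over `.xml.rels` parts in nested embedded packages.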
## Mitigation Strategies
- Prevention measures: Implementing DMARC/SPF/DKIM rules; enforcing Multi-Factor Authentication (MFA) to negate credential theft impact.
- Hardening recommendations: Training users to scrutinize sender details and URLs embedded in documents; blocking macro execution in documents from external sources by default; using modern Office versions with enhanced security.
## Related Tools/Techniques
- CVE-2017-11882 (Equation Editor Exploit)
- CVE-2022-30190 (Follina Exploit)
***
# Tool/Technique: CVE-2017-11882 (Microsoft Equation Editor Vulnerability)
## Overview
This vulnerability targets the Microsoft Equation Editor component found in older, unpatched versions of Microsoft Office. Exploitation occurs simply by opening a malicious Office document, allowing the attacker to download and execute a secondary malware payload without requiring macros or further user interaction.
## Technical Details
- Type: Exploit (Zero-Day/N-Day)
- Platform: Older, unpatched versions of Microsoft Office (Windows)
- Capabilities: Arbitrary code execution upon file opening, leading to malware payload download and execution from a remote server.
- First Seen: 2017
## MITRE ATT&CK Mapping
- T1204 - User Execution
- T1204.002 - Malicious File
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell
- T1105 - Ingress Tool Transfer
## Functionality
### Core Capabilities
- **Zero-Click Execution:** Exploits flaws in how the Equation Editor processes specially crafted input within Office documents.
- **Payload Delivery:** Used as a reliable execution vector to pull down primary malware payloads.
### Advanced Features
- **Macro-less Execution:** Provides a significant advantage for bypassing modern security controls that heavily scrutinize or block VBA macros.
## Indicators of Compromise
- File Hashes: (Not provided in context)
- File Names: Malicious Word documents specifically crafted to trigger the Equation Editor flaw.
- Registry Keys: N/A
- Network Indicators: Connections made to remote servers for downloading subsequent malware payloads (e.g., Agent Tesla).
- Behavioral Indicators: Office process spawning outbound connections to download executables or scripts, often bypassing initial monitoring due to the exploit chain starting outside typical macro execution paths.
## Associated Threat Actors
- Adversaries targeting environments with poor patch management hygiene. (The article specifically links this to an instance delivering Agent Tesla).
## Detection Methods
- Signature-based detection: Signatures for the specific exploit payload or configuration within the Office file structure.
- Behavioral detection: Detection of the Equation Editor process exhibiting unusual behavior, specifically initiating network connections or file writes indicative of payload retrieval.
- YARA rules: Rules targeting the known exploit structure within RTF/DOCX files.
## Mitigation Strategies
- Prevention measures: Immediately updating Microsoft Office to the latest patched version.
- Hardening recommendations: Disabling or removing outdated components like the Microsoft Equation Editor if possible in legacy environments, though patching remains the primary defense.
## Related Tools/Techniques
- Agent Tesla (Observed payload)
***
# Tool/Technique: CVE-2022-30190 (Follina Exploit)
## Overview
The Follina exploit abuses the Microsoft Support Diagnostic Tool (MSDT) via specially crafted URLs embedded within Office documents. Similar to CVE-2017-11882, it achieves remote code execution without requiring macros, requiring only that the user open the document.
## Technical Details
- Type: Exploit (N-Day)
- Platform: Microsoft Office on Windows (Requires MSDT to be present)
- Capabilities: Remote Code Execution (RCE) via MSDT URI handlers, leading to the execution of PowerShell scripts that contact a Command and Control (C2) server. The attack observed also utilized steganography for advanced payload hiding.
- First Seen: 2022
## MITRE ATT&CK Mapping
- T1204 - User Execution
- T1204.002 - Malicious File
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- T1027 - Obfuscated Files or Information
- T1027.003 - Steganography (As observed in the sample)
## Functionality
### Core Capabilities
- **MSDT Abuse:** Exploits the URI features used by MSDT to pull down and execute malicious content referenced in the document.
- **PowerShell Execution:** Remote code execution typically results in the launch of PowerShell scripts for subsequent malicious activity.
- **Multi-stage Chains:** Often used as an initial vector combined with other vulnerabilities or payloads for comprehensive attack impact.
### Advanced Features
- **Steganography ("stegocampaign"):** The sample demonstrated embedding the secondary payload within an image file, which is then downloaded and processed by the execution chain to hide the true malware artifact.
## Indicators of Compromise
- File Hashes: (Not provided in context)
- File Names: Malicious Word documents leveraging specific MSDT URIs.
- Registry Keys: N/A
- Network Indicators: PowerShell running and connecting to C2 infrastructure.
- Behavioral Indicators: Office document opening leading directly to the execution of MSDT processes, which subsequently launch PowerShell or download external content.
## Associated Threat Actors
- Adversaries utilizing advanced evasion techniques (e.g., those associated with "stegocampaigns").
## Detection Methods
- Signature-based detection: Signatures for known Follina exploit URLs/payloads.
- Behavioral detection: Monitoring for the `msdt.exe` process being spawned by an Office application (Word/Excel) and initiating external network traffic or file manipulation.
- YARA rules: Rules focused on identifying the specific malicious URIs embedded in documents.
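The behavioral detections described for both CVE-2017-11882 (Equation Editor process doing work it never should) and CVE-2022-30190 (`msdt.exe` spawned by an Office application) reduce to parent/child rules over process-creation telemetry. The script below, an added example and not code from the original report, runs four such rules over constructed Sysmon Event ID 1 style records. One detail worth building in: the Equation Editor (`EQNEDT32.EXE`) is started out-of-process through COM, so its parent is normally `svchost.exe`, not `WINWORD.EXE`; the reliable signal is therefore the Equation Editor having any child at all, not an Office parent. For Follina the chain is `WINWORD.EXE` -> `msdt.exe` -> `sdiagnhost.exe` -> `powershell.exe`, so `sdiagnhost.exe` is included as a parent of interest. Rule names, the process allowlists and every log line are assumptions constructed for the example; command lines are redacted placeholders.

```python
import json
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
MSDT_CHAIN = {"msdt.exe", "sdiagnhost.exe"}   # msdt hands the troubleshooter to sdiagnhost.exe
EQUATION_EDITOR = "eqnedt32.exe"

# Constructed Sysmon Event ID 1 (process creation) records as newline-delimited JSON.
# Not real telemetry; command lines are redacted placeholders.
SAMPLE_LOG = r'''
{"UtcTime":"2025-03-04 09:12:01","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\Invoice_0423.docx\""}
{"UtcTime":"2025-03-04 09:12:03","Image":"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"\"EQNEDT32.EXE\" -Embedding"}
{"UtcTime":"2025-03-04 09:12:04","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE","CommandLine":"cmd.exe /c <redacted>"}
{"UtcTime":"2025-03-04 09:40:10","Image":"C:\\Windows\\System32\\msdt.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"msdt.exe <redacted>"}
{"UtcTime":"2025-03-04 09:40:12","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\sdiagnhost.exe","CommandLine":"powershell.exe -NoProfile <redacted>"}
{"UtcTime":"2025-03-04 10:05:30","Image":"C:\\Windows\\System32\\msdt.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"msdt.exe /id NetworkDiagnosticsWeb"}
'''


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path, portable across hosts."""
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the process-creation event matches."""
    child = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    hits = []
    if parent in OFFICE_APPS and child == "msdt.exe":
        hits.append("office-spawns-msdt")               # Follina-style MSDT launch
    if parent == EQUATION_EDITOR:
        hits.append("equation-editor-spawns-child")     # Equation Editor never needs children
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")        # generic macro-less or macro payload
    if parent in MSDT_CHAIN and child in SCRIPT_HOSTS:
        hits.append("msdt-chain-spawns-script-host")    # PowerShell after MSDT
    return hits


def scan(ndjson: str) -> list[dict]:
    """Run every rule over an NDJSON log and return one alert per matching event."""
    alerts = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = evaluate(event)
        if hits:
            alerts.append({"time": event.get("UtcTime"),
                           "parent": image_name(event.get("ParentImage", "")),
                           "child": image_name(event.get("Image", "")),
                           "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The benign `msdt.exe` launched from Explorer with a troubleshooting pack ID and the Equation Editor started by `svchost.exe` with `-Embedding` both pass, which is the point: the rules key on relationships a legitimate workflow never produces rather than on the binaries themselves.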
## Mitigation Strategies
- Prevention measures: Applying the Microsoft patch for CVE-2022-30190.
- Hardening recommendations: Restricting execution context for MSDT or implementing application control to prevent abuse.
## Related Tools/Techniques
- PowerShell
- Steganography
***
# Tool/Technique: Agent Tesla
## Overview
Agent Tesla is a known Information Stealer (Infostealer) malware, observed being delivered as the payload following the exploitation of CVE-2017-11882. Its primary purpose is to maintain persistence and exfiltrate sensitive data.
## Technical Details
- Type: Malware Family (Infostealer)
- Platform: Windows (Implied by delivery mechanisms)
- Capabilities: Capturing keystrokes, stealing system credentials, and harvesting clipboard data for exfiltration.
- First Seen: (Not specified, but a well-established infostealer)
## MITRE ATT&CK Mapping
- T1056 - Input Capture
- T1056.001 - Keylogging
- T1003 - OS Credential Dumping
- T1567 - Exfiltration Over Alternative Protocol (Implied)
## Functionality
### Core Capabilities
- Keystroke logging.
- Credential theft from local applications and browsers.
- Clipboard monitoring.
### Advanced Features
- Exfiltration of captured data to the attacker's C2 infrastructure.
## Indicators of Compromise
- File Hashes: (Not provided in context)
- File Names: Varies depending on delivery; the analysis showed it being downloaded post-exploit.
- Registry Keys: N/A (Likely persistence mechanisms if established)
- Network Indicators: Outbound connections used for data exfiltration attempts.
- Behavioral Indicators: High volumes of data transfer originating from an unapproved process, system processes attempting to read credential stores.
## Associated Threat Actors
- Cybercriminals focused on espionage or financially motivated data theft.
## Detection Methods
- Signature-based detection: Signatures targeting known Agent Tesla binaries.
- Behavioral detection: Monitoring for processes accessing sensitive memory regions or keyboard hardware/APIs for keylogging purposes, or unusual data writes to temporary files before exfiltration.
## Mitigation Strategies
- Prevention measures: Deploying Endpoint Detection and Response (EDR) solutions capable of detecting credential scraping API calls.
- Hardening recommendations: Restricting outbound network traffic from non-browser/email processes; rigorous patching against initial access vectors like CVE-2017-11882.
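The egress restriction above, together with the "high volume of data from an unapproved process" indicator, can be expressed as a small policy over per-process outbound connection records. The script below is an added example, not code from the original report or any Agent Tesla analysis: it reads constructed connection records (process, destination, port, bytes sent, in the shape a host firewall or proxy log would give), flags processes outside an egress allowlist, flags mail/FTP ports used by anything other than a mail client, and aggregates bytes per process against a volume threshold. The allowlist, the threshold, the process name `updater.exe` and all destinations (RFC 5737 documentation addresses) are assumptions made for the example.

```python
import json
from collections import defaultdict

# Assumed per-host egress policy: only these images may open outbound connections.
EGRESS_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe",
                    "teams.exe", "svchost.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
MAIL_OR_FTP_PORTS = {21, 25, 465, 587}      # alternative-protocol exfiltration channels
HIGH_VOLUME_BYTES = 5 * 1024 * 1024         # assumed per-process threshold for the window

# Constructed outbound-connection records (not real telemetry).
SAMPLE_CONNECTIONS = '''
{"time":"2025-03-04 09:15:00","process":"chrome.exe","dest":"192.0.2.10","port":443,"bytes_out":120000}
{"time":"2025-03-04 09:16:00","process":"outlook.exe","dest":"192.0.2.20","port":443,"bytes_out":340000}
{"time":"2025-03-04 09:16:30","process":"svchost.exe","dest":"192.0.2.30","port":443,"bytes_out":9000}
{"time":"2025-03-04 09:18:00","process":"updater.exe","dest":"198.51.100.23","port":587,"bytes_out":2100000}
{"time":"2025-03-04 09:19:00","process":"updater.exe","dest":"198.51.100.23","port":587,"bytes_out":4100000}
{"time":"2025-03-04 09:20:00","process":"WINWORD.EXE","dest":"203.0.113.9","port":80,"bytes_out":1500}
'''


def assess(ndjson: str, threshold: int = HIGH_VOLUME_BYTES) -> dict:
    """Evaluate the egress policy over NDJSON records.

    Returns {process: {"bytes_out": total, "rules": [matched rule names]}} for every
    process seen, so clean processes appear with an empty rule list."""
    totals = defaultdict(int)
    rules = defaultdict(set)
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        proc = event["process"].lower()
        totals[proc] += int(event.get("bytes_out", 0))
        if proc not in EGRESS_ALLOWLIST:
            rules[proc].add("unapproved-process-egress")
        if event.get("port") in MAIL_OR_FTP_PORTS and proc not in MAIL_CLIENTS:
            rules[proc].add("alt-protocol-from-non-mail-client")
    # Volume is judged on the aggregate, so a stealer that chunks uploads is still caught.
    for proc, total in totals.items():
        if total > threshold:
            rules[proc].add("high-volume-egress")
    return {p: {"bytes_out": totals[p], "rules": sorted(rules[p])} for p in totals}


if __name__ == "__main__":
    for proc, verdict in assess(SAMPLE_CONNECTIONS).items():
        print(proc, verdict)
```

In an enforcing deployment the allowlist decision is made by the host firewall or EDR before the connection is established; the aggregation step is what a SIEM adds on top, since no single connection record shows the total volume leaving a process.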
## Related Tools/Techniques
- CVE-2017-11882 (Delivery mechanism)