27 Apr Employees Falling for New Microsoft Word Malware
There’s been a lot of news recently about cybercriminals exploiting a security weakness found in every version of Microsoft Word. This attack is particularly menacing because it does not require macros to be enabled—and it’s very easy for employees to become infected.
In this new attack against Microsoft Word, a malicious object is embedded within an OLE2Link. When an unsuspecting user opens the document, Word follows the link, retrieves the malicious payload from a remote server, and executes it automatically.
Windows Object Linking and Embedding (OLE) is a Microsoft technology used by Office products such as Word. It allows users to link or embed one object within another. For example, document (a) can be linked within document (b); when document (a) is modified, the changes automatically appear within document (b). The attack exploits a vulnerability in this OLE technology, one that unfortunately exists in every version of Microsoft Word (and perhaps in other Office products).
Unlike most other Word exploits, which depend on macros, this particular attack does not use them. Many users believe it is safe to open new or unknown Word documents because they have macros disabled, and fall prey to this insidious new attack.
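Because the attack hinges on a link that resolves outside the document, a defender-side triage check is to look for OLE relationships whose target is external before a file ever reaches Word. The following is an added example, not code from the original post: it inspects the relationship parts of a .docx package (a ZIP of XML files) and reports every OLE relationship marked External. The sample document it scans is constructed in memory and contains only the relationship entry, no payload; legacy binary .doc files are not ZIP packages and are not covered by this check.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces from the Open Packaging Conventions / OOXML specifications.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_ole_links(docx_bytes):
    """Return (rels_part, target) for every OLE relationship whose
    TargetMode is External, i.e. one Word would resolve over the network
    when the document is opened. Internal embeddings are not reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # TargetMode defaults to Internal when the attribute is absent.
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode", "Internal") == "External"):
                    findings.append((name, rel.get("Target")))
    return findings


def build_sample(target, external):
    """Constructed minimal .docx for demonstration: a document part plus a
    relationships part holding one OLE relationship. Not a real exploit file."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}"{mode}/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; a real finding would carry the attacker's server.
    suspect = build_sample("http://example.invalid/itinerary.doc", external=True)
    benign = build_sample("embeddings/oleObject1.bin", external=False)
    print("suspect:", external_ole_links(suspect))   # one external OLE link
    print("benign:", external_ole_links(benign))     # []
```

Running this over mail-gateway attachments or a sandbox drop folder flags documents that reach out on open, which is the behaviour described above; an embedded object stored inside the package is left alone.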
To make matters more challenging, cybercriminals are very aggressive in their attempts to infect employee machines with this new approach. Phishing appears to be the primary distribution method at this time.
A case in point: earlier this week I received an email at work from what appeared to be Delta Airlines. The subject was “Your itinerary”. Although I hadn’t recently purchased a flight with Delta, my wife had done so the day before. Knowing that her practice is to send me a copy of her travel plans, I assumed that this email was exactly that. I opened it, and almost clicked on the attachment to review her schedule. But I noticed it was a Word document and I thought that was odd. Normally, that type of data would be embedded within the email itself, or perhaps in a .PDF document, not placed in a Word document. So, I had it evaluated, and sure enough, it contained an OLE link to a remote server and a malicious document.
I was fortunate. I noticed something odd and didn’t open the document, but becoming a victim would have been very easy.
Bottom line? This new threat reinforces how easy it is for insiders or employees to become victims of a cyberattack. Organizations need to constantly remind their users to be careful, and have analytics in place that will detect employee machines and accounts that have been compromised and used for inside attacks.