Employees Falling for New Microsoft Word Malware

27 Apr


There’s been a lot of news recently about cybercriminals exploiting a security weakness found in every version of Microsoft Word. This attack is particularly menacing because it does not require macros to be enabled—and it’s very easy for employees to become infected.

In this new attack against Microsoft Word, a malicious object is embedded within an OLE2Link. When unsuspecting users open the document, Word follows the link, retrieves malware from a remote server, and automatically executes it.

Windows Object Linking and Embedding (OLE) is a Microsoft technology used by Office products such as Word. It allows users to link or embed one object within another. For example, document (a) can be linked within document (b). When document (a) is modified, the changes will automatically appear within document (b). The attack exploits a vulnerability in this OLE technology that, unfortunately, exists in every version of Microsoft Word (and perhaps other Office products).

Unlike most other Word exploits, which depend on macros, this particular attack does not use them. Many users, believing that it’s safe to open new or unknown Word documents because they have macros disabled, fall prey to this insidious new attack.
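Because disabling macros does not help here, a mail gateway or analyst can instead check an attachment for linked OLE objects before anyone opens it. The following is an added example, not code from the author: it goes beyond the text by covering two Word-readable containers (OOXML `.docx` packages and RTF), and the function names, the constructed sample, and the `example.invalid` target are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_SUFFIX = "/relationships/oleObject"
# RTF: control word for an auto-updating linked object, and the OLE class
# name "OLE2Link" as it appears hex-encoded inside \objdata.
RTF_MARKERS = (b"\\objautlink", b"4f4c45324c696e6b")


def find_ole_links(data: bytes) -> list[str]:
    """Return findings describing linked OLE objects in a document's bytes."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):        # .docx / OOXML package
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            for name in pkg.namelist():
                if not name.endswith(".rels"):
                    continue
                # For bulk scanning of untrusted files, use a hardened XML parser.
                root = ET.fromstring(pkg.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    if (rel.get("Type", "").endswith(OLE_REL_SUFFIX)
                            and rel.get("TargetMode") == "External"):
                        findings.append(f"{name}: external OLE link -> {rel.get('Target')}")
    elif data.lstrip().startswith(b"{\\rtf"):        # RTF, whatever the file extension
        # RTF allows whitespace inside hex data, so strip it before matching.
        compact = b"".join(data.split()).lower()
        findings += [f"rtf: marker {m.decode()} present" for m in RTF_MARKERS if m in compact]
    return findings


def constructed_docx() -> bytes:
    """Build a minimal constructed package holding one external OLE relationship."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" TargetMode="External" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        'Target="http://example.invalid/constructed"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_ole_links(constructed_docx()))
```

A hit is a reason to quarantine the attachment for analysis, not proof of malice, since legitimate documents also use linked objects.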

To make matters more challenging, cybercriminals are very aggressive in their attempts to infect employee machines with this new approach. Phishing appears to be the primary distribution method at this time.

A case in point—earlier this week I received an email at work from what appeared to be Delta Airlines. The subject was “Your itinerary”. Although I hadn’t recently purchased a flight with Delta, my wife had done so the day before. Knowing that her practice is to send me a copy of her travel plans, I assumed that this email was exactly that. I opened it, and almost clicked on the attachment to review her schedule. But I noticed it was a Word document and I thought that was odd. Normally, that type of data would be embedded within the email itself, or perhaps in a .PDF document—not placed in a Word document. So, I had it evaluated, and sure enough, it contained an OLE link to a remote server and a malicious document.

I was fortunate. I noticed something odd and didn’t open the document, but becoming a victim would have been very easy.

Bottom line? This new threat reinforces how easy it is for insiders or employees to become victims of a cyberattack. Organizations need to constantly remind their users to be careful, and have analytics in place that will detect employee machines and accounts that have been compromised and used for inside attacks.

Bill Bosen
Bill has over 25 years of experience in the IT computer security
industry, serving in technical and senior management positions.
He has designed and implemented extensive security systems
used by millions of people at Sony, Boeing, Citigroup, American
Express, Oracle, Ericsson, Alcatel, Cisco Systems, and many

Bill is a prolific writer and has authored numerous white papers,
articles, and blogs within the security industry. He has extensive
experience in numerous IT security disciplines, including
security market research, technology evaluations, strategic
design, coding, business development, implementation, go to
market strategies, marketing / sales collateral, and

Bill has also created and maintains a comprehensive database
of computer security companies, products, and technologies.

Bill was VP of Engineering and VP of Product Management at
Secure Computing Corporation (now part of Intel) for many
years. He also served as VP of Engineering at Enigma Logic.
As a consultant, Bill has done extensive work with numerous
security companies, including CheckPoint, McAfee, General
Dynamics, Shavlik/VMWare, Samsung, ThreatMetrix, SINET,
and many others.

Bill has a Computer Science degree earned from his studies at
Snow College, Utah Valley University (Utah Technical College),
and Brigham Young University.
