Research Report - 2
Office documents, such as Excel spreadsheets, may contain pseudo-executable code in the form of a Microsoft Office “macro,” or they may carry an exploit against one or more known security vulnerabilities that affect Excel. A research study by Sophos, titled SophosLabs 2019 Threat Report, reveals that while Office documents have been at the center of attacks for several years, most of them require the user to activate the macro scripting code embedded in the documents. Attackers spent a considerable amount of effort crafting and refining documents that prompt victims to take specific steps to disable protections designed to thwart malicious macro scripts, the study finds. It also points out that even though the Office suite throws several cautionary prompts in the user’s path, people can still be convinced to enable scripting or turn off ‘preview mode’ for Office documents that originated in an internet download or an email attachment.
Says the study: “Some organizations or environments have been forced to use Group Policy objects to completely disable the macro scripting components within the Office suite and to render the settings not modifiable by users in order to prevent accidental or prompted execution of malicious macro scripts. But even that is not enough to guarantee that Office documents are rendered inert.”
It cautions that criminals use special tools, called Builders, which know how to write the hostile exploit code or macro into the document file. In the past 12 months, Builder makers have made a shift away from older exploits, some of which had been in use for many years.
The report maintains that attackers have ramped up their use of novel exploits against weaknesses in Excel and other Office applications to deliver a broad range of malware types, such as ransomware or keyloggers. “A class of vulnerabilities in the Equation Editor, a component of Excel installed by default, can be invoked just by opening a spreadsheet, and subject you to an infection. There’s no macro scripting that needs to be enabled; the attack is already underway and finished often in less time than it took you to read this sentence,” the study emphasizes.
It also says Microsoft was aware of these vulnerabilities and published updates in mid-2017 to various Office suite products to prevent their exploitation, but not everyone gets every update, and even if they do, some organizations delay the deployment of updates in order to perform tests.