September 22, 2022 By Jennifer Gregory 4 min read

As a freelance writer, I spend most of my day working in Microsoft Word. Then, I send drafts to clients and companies across the globe. So, news of the newly discovered Microsoft Office vulnerability made me concerned about the possibility of accidentally spreading malware to my clients. I take extra precautions to ensure that I’m not introducing risk to my clients. Still, using Microsoft Office was something I did many times a day without a second thought.

I brought up the issue to a few of my clients. I was not the only one deciding if their company should abandon Microsoft Office for security reasons. The second question that came up was whether the other alternatives are actually safer. Like many things in business, the decision to use Microsoft Office comes down to a risk-versus-benefits decision.

Zero-day Follina vulnerability spread through Microsoft Word

At the end of May, UK-based cybersecurity expert and threat researcher Kevin Beaumont discovered Follina. Beaumont wrote that he picked the name because he found the number 0438 in the malicious code. That number is the area code of the Italian town Follina.

With Follina, attackers could take advantage of a vulnerability in Microsoft’s Support Diagnostic Tool to remotely control devices and systems. However, as WIRED explains, the vulnerability spreads through altered Word documents. The attackers use social engineering to get a user to download the altered file, which then runs the malicious code.

By remotely activating a template, the attackers retrieve an HTML file containing malicious code. According to Microsoft, the attacker can then perform any action allowed by the user’s rights: install programs, view data, change data, delete data or create new accounts. Beaumont was especially concerned because Microsoft Defender for Endpoint did not detect the malicious code.

Attackers were already exploiting this vulnerability ‘in the wild’. Follina is a zero-day vulnerability, meaning that defenders have zero days to find a solution. Beaumont also found evidence that the vulnerability existed in the fall of 2021 and that attackers used it in April 2022. Microsoft released a patch on June 14 that fixed the vulnerability.

Other Microsoft risks

Follina is just the most recent example of vulnerabilities found in Microsoft products.

In 2018, criminals used three different vulnerabilities in Microsoft 365, each involving the download of infected Word files, to spread the Zyklon malware. Even at the bargain price of $75, the malware could be used for a wide range of attacks. It can steal credentials, spread malware, mine cryptocurrency and launch distributed denial-of-service attacks.

Attackers also embedded macros in Word docs as a way to spread malware. In the past, they simply had to use a phishing scheme. Because macros were enabled by default, the malicious code would launch when the document opened and would then infect the user’s system. Microsoft made it a little harder by turning macros off by default. Attackers now use scare tactics to get users to turn on the macros, which then launch the malware.

More recently, Microsoft found malicious code spread through Word docs disguised as legal documents. In this case, the vulnerability allowed the document to load a malicious ActiveX control. The number of attacks (in this case, fewer than 10) was low. Still, it illustrates the potential of a single vulnerability in Microsoft Word.
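As an added defensive example (not code from the article, Microsoft or any of the researchers named), here is a small Python triage script that inspects an Office OOXML file for the three delivery vehicles this section describes: a relationship that makes Word auto-fetch a remote template or OLE object (the Follina path), an embedded VBA macro project, and ActiveX control parts. The sample document it builds is constructed for the demo, and the remote URL is a placeholder.

```python
import io
import re
import zipfile

# Relationship types that Word resolves automatically when the file opens;
# an External target here is fetched from the network without any click.
AUTO_FETCH_REL_TYPES = {"attachedTemplate", "oleObject"}

def scan_office_file(data: bytes) -> dict:
    """Triage an OOXML file (docx/docm/xlsx) and return what was found."""
    findings = {"external_targets": [], "has_vba": False, "has_activex": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):       # embedded VBA macros
                findings["has_vba"] = True
            if "/activex/" in low:                    # ActiveX control parts
                findings["has_activex"] = True
            if not low.endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for match in re.finditer(r"<Relationship\b[^>]*>", xml):
                tag = match.group(0)
                if 'TargetMode="External"' not in tag:
                    continue
                # Capture only the last path segment of the relationship type URI.
                rtype = re.search(r'Type="[^"]*/([^"/]*)"', tag)
                target = re.search(r'Target="([^"]*)"', tag)
                if rtype and target and rtype.group(1) in AUTO_FETCH_REL_TYPES:
                    findings["external_targets"].append((name, rtype.group(1), target.group(1)))
    return findings

def is_suspicious(findings: dict) -> bool:
    """Anything that auto-fetches remote content or carries active code gets flagged."""
    return bool(findings["external_targets"]) or findings["has_vba"] or findings["has_activex"]

def build_sample_docx(remote_template: bool) -> bytes:
    """Constructed sample (not a captured document): a minimal docx whose settings
    part points at a remote template when remote_template is True, else a local one."""
    target = "http://remote-template.example/placeholder" if remote_template else "template.dotx"
    mode = ' TargetMode="External"' if remote_template else ""
    rels = ('<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org'
            f'/officeDocument/2006/relationships/attachedTemplate" Target="{target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

print(scan_office_file(build_sample_docx(True)))
```

Pointing scan_office_file at a real file's bytes gives the same findings dict; a legitimate corporate template stored on a file share will also show up under external_targets, so treat the list as a triage signal rather than a verdict.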

Why target Microsoft 365 products?

Attackers often look for the easiest way to cause the most damage. Microsoft Office documents are the most popular work solution. So, threat actors view Microsoft Office as an easy way to spread malicious code and malware.

With more businesses having turned to Office 365 in recent years, the products are even more attractive. According to Vectra’s Office 365 Security Takeaways E-book, 97% of business decision-makers reported that their organizations extended use of Microsoft 365 as a result of the pandemic. With more people using Microsoft Office products than ever before, Microsoft products are likely to continue to be a popular vehicle for malware and other digital threats.

Office 365 documents, especially .doc and .xlsx files, are used for many different purposes, both work and personal. You may get an Excel file detailing the budget for a nonprofit group, an invoice or even a spouse sending you a draft monthly budget. Word files also run the gamut of uses — flyers for a local play, a letter from a family member or a schedule for an upcoming event.

With all of these different types of documents, it’s relatively easy for attackers to create a social engineering scheme built on Office 365 documents that many people will fall for. For example, a phishing email with Invoice or Budget as the subject line is generic enough that at least some people may open it, as they may even be expecting someone to send an invoice or a budget.

Should you stop using Office 365?

With criminals specifically turning to Microsoft products for their next big attack, many companies wonder if they should find another solution. Yes, there are alternative tools — Google Workspace and Apple iWork — that are not currently as popular with attackers. But is that really the right answer, especially since they will likely be targeted more if organizations make a mass switch?

For many enterprises that use all Microsoft products, switching would not be easy. Their processes and file systems are centered on Office 365, including other products such as Teams and OneDrive. It’s very likely that the effort involved in a switch would not be worth the reduced risk, especially since Google and Apple products do not offer the same level of productivity and integrated tools as Microsoft.

Improving organizational cybersecurity

Instead of switching products, which likely will have minimal positive effects, organizations should focus on reducing risks and vulnerabilities across the board, regardless of the vehicle criminals use to spread malicious files. By instead focusing on employee training and creating a culture of cybersecurity, organizations can reduce the odds that an employee will fall for a phishing scheme.

Organizations are also turning to zero trust, a security framework that reduces risk, especially with a remote or hybrid workforce. Many of the techniques that are part of zero trust reduce either the likelihood or the impact of an attack. By using multi-factor authentication, organizations can reduce attacks that rely on stolen credentials. In addition, micro-segmentation limits the damage even if an employee downloads a malicious file.

It’s easy to focus on the latest vehicle for attacks. However, threat actors try to stay one step ahead and constantly change their schemes and vehicles. By instead focusing on reducing your overall risk and vulnerability, regardless of the specifics of the attack, your organization can make more progress by improving cybersecurity rather than by switching tools.
