As a freelance writer, I spend most of my day working in Microsoft Word. Then, I send drafts to clients and companies across the globe. So, news of the newly discovered Microsoft Office vulnerability made me concerned about the possibility of accidentally spreading malware to my clients. I take extra precautions to ensure that I’m not introducing risk to my clients. Still, using Microsoft Office was something I did many times a day without a second thought.

I brought up the issue with a few of my clients. I was not the only one weighing whether their company should abandon Microsoft Office for security reasons. The second question that came up was whether the alternatives are actually any safer. Like many things in business, the decision to keep using Microsoft Office comes down to weighing risk against benefit.

Zero-Day Follina Vulnerability Spread Through Microsoft Word

At the end of May 2022, a malicious Word document exploiting the flaw was first reported publicly by the research group nao_sec, and UK-based security researcher Kevin Beaumont analyzed it and gave it the name Follina. Beaumont wrote that he picked the name because the sample referenced the number 0438, which is the area code of the Italian town of Follina.

Follina, tracked as CVE-2022-30190, is a flaw in the Microsoft Support Diagnostic Tool (MSDT) that lets an attacker run code on a victim's machine. As WIRED explains, it is delivered through crafted Word documents: the attacker uses social engineering to get a user to open the file, and the document does the rest. No macros are needed, and with an RTF version of the document the payload can fire from the Windows Explorer preview pane without the file ever being opened.

The document references a remote template. When Word loads that template it retrieves an HTML file from the attacker's server, and the HTML uses the ms-msdt: URL protocol handler to launch MSDT with parameters that execute attacker-supplied PowerShell. According to Microsoft, the attacker can then do anything the user's rights allow: install programs; view, change or delete data; or create new accounts. Beaumont was especially concerned because Microsoft Defender for Endpoint did not detect the malicious document at the time.

Attackers were already exploiting the flaw in the wild. Follina was a zero-day vulnerability, meaning the vendor had zero days to prepare a fix before exploitation began. Beaumont also found evidence that the technique existed in the fall of 2021 and that attackers used it in April 2022. Microsoft released a patch on June 14, 2022. Until then, its published workaround was to disable the ms-msdt: URL protocol handler by exporting and then deleting the ms-msdt key under HKEY_CLASSES_ROOT, which stops Office from handing the request to MSDT at all.

Other Microsoft Risks

Follina is just the most recent example of vulnerabilities found in Microsoft products.

In early 2018, criminals used three different Microsoft Office vulnerabilities, all delivered through malicious Word attachments, to spread the Zyklon malware. Sold for as little as $75, Zyklon could be used for a wide range of attacks: stealing credentials, downloading further malware, mining cryptocurrency and launching distributed denial-of-service attacks.

Attackers have also long embedded macros in Word documents to spread malware. In the past they needed nothing more than a phishing lure: because macros ran automatically when a document was opened, the malicious code launched and infected the system. Microsoft made this harder by disabling macros by default, so attackers now rely on scare tactics (a fake banner urging the user to click "Enable Content" to view the document) to talk users into turning them on, which launches the malware. In 2022 Microsoft went a step further and began blocking macros outright in files downloaded from the internet, which removes that prompt for most phished attachments.

More recently, Microsoft reported malicious code spread through Word documents disguised as legal documents. In that case the vulnerability, CVE-2021-40444 in the MSHTML browser engine, let the document load a malicious ActiveX control. The number of observed attacks was low, fewer than 10, but it illustrates what a single vulnerability reachable from a Word document can do.
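The three cases above share one trait a defender can look for: the document itself carries the hook, either as a relationship that makes Word fetch something from outside the file (the remote template in Follina, the remote OLE object in the ActiveX case) or as an embedded VBA project (the macro case). The scanner below, an added example written for this article and not code from Microsoft or from the researchers cited, opens a .docx/.docm package as the zip it is, flags external auto-loading relationships and macro projects, and separately extracts ms-msdt: links from a fetched HTML stage. The sample package it builds is a constructed minimal zip containing only the parts the scanner reads, and the URL and the second-stage fragment are made up.

```python
"""Flag Office-document delivery mechanisms: remote templates/OLE objects and VBA macros.

Added example for this article; constructed samples only, nothing here is a real lure.
"""
import io
import re
import zipfile
from typing import List, Optional, Tuple
from xml.etree import ElementTree as ET

# OOXML relationship namespace, and the two relationship types that make Word
# fetch content from the Target as soon as the document is opened.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
AUTO_LOAD_TYPES = {
    OFFICE_REL + "attachedTemplate": "external-template",  # Follina-style remote template
    OFFICE_REL + "oleObject": "external-ole",              # remote OLE object (CVE-2021-40444 style)
}

# The URL scheme that hands a request to the Support Diagnostic Tool.
MSDT_URI = re.compile(r"ms-msdt:[^\"'<>]+", re.IGNORECASE)


def scan_docx(data: bytes) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for a .docx/.docm package held in memory."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # A macro-enabled document stores its VBA code in a vbaProject.bin part.
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                findings.append(("vba-project", name))
        # Every part's relationships live in a sibling _rels/*.rels file.
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts are packaged in the zip, not fetched
                category = AUTO_LOAD_TYPES.get(rel.get("Type", ""))
                if category:
                    findings.append((category, f"{name}: {rel.get('Target')}"))
    return findings


def find_msdt_uris(html: str) -> List[str]:
    """List ms-msdt: URIs in the HTML a remote template resolves to (the Follina second stage)."""
    return MSDT_URI.findall(html)


def build_sample_docx(template_target: Optional[str] = None, with_macro: bool = False) -> bytes:
    """Constructed minimal package (not a real document) holding only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        rels = [f'<Relationships xmlns="{REL_NS}">']
        if template_target:
            # This is the relationship shape a remote-template document carries.
            rels.append(f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
                        f'Target="{template_target}" TargetMode="External"/>')
        rels.append("</Relationships>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # placeholder bytes only
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("clean document", build_sample_docx()),
        ("remote template", build_sample_docx("http://example.invalid/templates/report.html")),
        ("macro document", build_sample_docx(with_macro=True)),
    ]
    for label, blob in samples:
        print(f"{label}: {scan_docx(blob)}")
    # Constructed fragment standing in for a fetched HTML stage.
    stage = '<a href="ms-msdt:/id ExampleTroubleshooter /param constructed">open</a>'
    print(f"msdt links: {find_msdt_uris(stage)}")
```

For a real file, call scan_docx(open(path, "rb").read()). An external attachedTemplate relationship is not malicious on its own (corporate templates on a file share are common), so treat the finding as a triage signal and check where the target points; a target on an internet host, or one that resolves to HTML rather than a .dotx/.dotm, is the case worth escalating. The ms-msdt: check only helps once you have the fetched stage, for example from a proxy log or sandbox, since the document itself never contains that string.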

Why Target Microsoft 365 Products?

Attackers look for the cheapest way to cause the most damage. Microsoft Office documents are the most widely used business file format, so threat actors see Office as an efficient vehicle for malicious code and malware.

With more businesses having turned to Office 365 in recent years, the products are even more attractive. According to Vectra’s Office 365 Security Takeaways E-book, 97% of business decision-makers reported that their organizations extended use of Microsoft 365 as a result of the pandemic. With more people using Microsoft Office products than ever before, Microsoft products are likely to continue to be a popular vehicle for malware and other digital threats.

Office documents, especially Word (.doc, .docx) and Excel (.xlsx) files, are used for many different purposes, both work and personal. You may get an Excel file detailing the budget for a nonprofit group, an invoice or even a spouse sending you a draft monthly budget. Word files run the same gamut: flyers for a local play, a letter from a family member or a schedule for an upcoming event.

With so many legitimate kinds of documents in circulation, it is relatively easy for attackers to build a social engineering scheme around an Office attachment that many people will fall for. For example, a phishing email with "Invoice" or "Budget" as the subject line is generic enough that at least some recipients will open it, because they may genuinely be expecting someone to send them an invoice or a budget.

Should You Stop Using Office 365?

With criminals specifically turning to Microsoft products for their next big attack, many companies wonder if they should find another solution. Yes, there are alternatives such as Google Workspace and Apple iWork that are not currently as popular with attackers. But is switching really the right answer, especially since those products would likely be targeted more if organizations moved to them en masse?

For many enterprises that use Microsoft products throughout, switching would not be easy. Their workflows and file storage are centered on Office 365, including other products such as Teams and OneDrive. It is very likely that the effort involved in a switch would not be worth the reduced risk, especially since Google and Apple products do not offer the same depth of productivity features and integrated tools as Microsoft.

Improving Organizational Cybersecurity

Instead of switching products, which is likely to have minimal positive effect, organizations should focus on reducing risk and vulnerabilities across the board, regardless of the vehicle criminals use to deliver malicious files. By focusing on employee training and creating a culture of cybersecurity, organizations can reduce the odds that an employee will fall for a phishing scheme.

Organizations are also turning to zero trust, a security model that reduces risk, especially with a remote or hybrid workforce. Many of the techniques that make up zero trust reduce either the likelihood or the impact of an attack. Multi-factor authentication limits what an attacker can do with stolen credentials. Micro-segmentation and least-privilege access limit the damage even if an employee opens a malicious file, because the code runs with only that user's rights and can reach only that segment of the network. Endpoint controls help too: Microsoft Defender's attack surface reduction rule that blocks Office applications from creating child processes stops the final step of a Follina-style chain, in which Word launches another program, even when the document itself is not recognized.

It is easy to focus on the latest vehicle for attacks. However, threat actors try to stay one step ahead and constantly change their schemes and vehicles. By instead reducing your overall risk and exposure, regardless of the specifics of the attack, your organization will make more progress than it would by switching tools.
