Updated October 2017 with new information
Update 19 October 2017: we are now seeing malware using a DDE “exploit” or “feature” in Microsoft Office files. This attack method is explained here. It is trivially simple to protect yourself from these “exploits” by turning off linked files update in Word settings.
Update 27 September 2016: Today we started to see the use of a “new” technique with malicious Office files. These files still contain macros. The Dridex gang have started to send passworded Office files via email. The email body contains the password for the attached document, which is different in every example. The document is passworded to prevent it being opened or read without the password. This has a two-fold advantage to the bad guys. 1. It bypasses most company filters, which routinely scan for macros in documents but wouldn’t normally scan for a password, since passwords are routinely used by many companies sending Word docs or Excel spreadsheets via email or inter-office communication to prevent “secret or private” information falling into the wrong hands. 2. It stops online analysers and antiviruses from looking at the content and analysing it.
Update 6 September 2016: we started to see Microsoft Publisher files with macros used to spread malware today. See HERE and Here for details and my thoughts. Unfortunately it appears that Microsoft took their eye off the ball with Publisher (at least in the 2007 / 2010 / 2013 versions; I don’t have access to 2016 or 365 to check) and haven’t added the same protections against macros or embedded OLE objects that other commonly used Office programs have, which are described below.
One of the very popular methods of spreading malware and infecting you is emails with malformed or infected Word docs and Excel spreadsheets containing embedded malicious macros or embedded OLE objects. Macros and OLE objects can be used for good things and are designed to be used to speed up common tasks in a busy office environment. You only have to look through this blog to see hundreds of examples of emails with attachments using these malicious macros.
The bad actors spreading these use emails with enticing or scary subjects that will scare or entice a user to read the email and open the attachment. Common subjects include court summonses, unpaid invoices, and telephone, internet, gas, water or electricity bills. Modern versions of Microsoft Office, that is Office 2010, 2013, 2016 and Office 365, have macros disabled by default, UNLESS you or your company have enabled them. Opening these malicious Word documents or Excel spreadsheets will infect you if macros are enabled, and simply previewing them in Windows Explorer or your email client might well be enough to infect you.
The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets. Many of us routinely get Word, Excel or PowerPoint attachments in the course of work or from companies that we already have a relationship with. That is why this sort of campaign has such a high probability of somebody opening the attachment and getting infected.
Almost all of these currently spread Dridex banking Trojans that will steal your money. Different versions of the Dridex malware target specific countries and banks in those countries, but with international banking becoming more common, we are seeing UK-specific versions also including many US and European banks as well as the UK-based banks. As of mid-February 2016 this distribution method has been delivering a very nasty Locky ransomware.
All modern versions of Microsoft Word, Excel and other Microsoft Office programs, that is 2010, 2013, 2016 and 365, should automatically open Word docs, Excel files, PowerPoint files etc. that are downloaded from the web or received in an email in “protected view”, which stops any embedded malware or macros from being displayed and running. Make sure protected view is set in all Office programs to protect you, your family and your company from these sorts of attacks.
Definitely DO NOT follow the advice the bad guys give to enable editing or macros to see the content.
When you preview or open the malicious Word document, you either get a blank page or get this or similar wording and images shown. Provided you are using Word 2010, 2013, 2016 or 365 AND you have “protected view” enabled and do not enable macros, then you are safe from the current attacks. However, we always see other malicious documents that use unknown exploits in Word or other Office programs that will be capable of infecting you when such a document has been opened.
Each week we see new messages in these Word docs giving plausible reasons why you need to enable editing and macros to see the content. Do not believe any of them and do not enable macros or editing.
To check your macro security settings, click the Microsoft Office Button, click Microsoft Word Options, click Trust Center, and then click Trust Center Settings.
If macro security is set to Disable all macros without notification, all macros are automatically disabled. Use the following procedure to enable the macro.
In the Trust Center dialog box, click Macro Settings, and then click Disable all macros with notification.
Click OK in the Trust Center dialog box to apply the new setting.
Click OK to close the program options dialog box.
Close the file and Microsoft Word. Open the file again. A Security Alert appears in the Document Information Bar just below the ribbon. Click Enable Content to allow the macro to run.
Do not open Word docs received in an email without scanning them with your antivirus first, but be aware that it often takes several hours for an antivirus to update to detect malware. Also watch out for dodgy Word docs containing exploits that WILL infect you with no action from you if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office XP, 2000, 2003 and 2007. The risks in using older versions definitely outweigh the convenience, benefits and cost of keeping an old version going. I see so many people and small businesses still using Office XP, 2000 and 2003, which is a very serious risk. These are so out of date and do not have any security updates to protect you or others from you.
I have done a couple of tests with these malicious docs using Office Online. As far as I can see, using Office Online is perfectly safe with these malicious Word or Excel docs with embedded macros. As soon as you upload one of these malicious docs containing a macro, Word Online converts it to the new XML format, which does not support macro use. With no macro there is no risk of the Dridex malware being downloaded and run on your computer.
How to protect yourself from these exploits in Office programs.
To ensure safety, stop any of these malicious Word or Excel documents from using the embedded malicious macros and reduce the risk from other unknown exploits, you need to set Word, Excel and PowerPoint like this. Once you set this in any Office program, for example Word, the settings will apply to all Office programs.
The screenshots below were taken using Office 2013, but all current versions are very similar.
Open Word. Select File, then Options, then Trust Centre. Next press Trust Centre Settings and you see the below list of settings and options to change. All these should be the default and will protect you against the currently spreading macro malware. Some users will have set Office to higher settings than these default ones, by turning off the message bar completely and blocking all macros and ActiveX with no notifications:
This setting, which was introduced in Office 2010, is probably the most important one: make sure that you have protected view enabled and all 3 boxes selected. That prevents any Office document that is downloaded from the internet, received by email, copied to your computer or opened on a thumb drive from running any active content without your approval. You can read the email and any attachment (Word doc or Excel spreadsheet) safely; you just cannot edit it or see or use embedded content like videos or macros. When you are 100% sure that the file is safe and you need to edit it, then you can press the edit or enable button that appears on the yellow warning bar.
There is one additional section that I strongly advise you to set as shown in this shot. This is to disable the automatic opening of RTF files, which are currently being used in various malware campaigns by using various known and unknown exploits. We also suggest blocking the exploitable content in older Word docs. This allows you to view and read RTF files but not edit them or run any active or embedded content.
Open Word. Select File, then Options, then Advanced, scroll down to General and uncheck “Update Automatic links at Open”. Note: this will prevent a legitimate use that some companies will have to automatically update Word docs from either Excel or Access databases.
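For a mail gateway or helpdesk triage script, the attachment types described on this page (macro documents, password-protected documents, DDE links and RTF files) can be recognised from file content rather than from the file extension. The following Python is an added example, not code from this blog or from Microsoft; the function names and flag strings are made up for illustration, the sample files are constructed in memory, and the stream-name checks are byte-pattern heuristics that spot password-protected files in the newer XML-based formats, not encrypted legacy binary .doc files.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file header
FIELD_RE = re.compile(r'<w:instrText[^>]*>([^<]*)</w:instrText>|w:instr="([^"]*)"')
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)
MAX_XML = 50 * 1024 * 1024  # skip members that declare an oversized length

def utf16(name):
    """OLE2 directory entries store stream names as UTF-16LE."""
    return name.encode("utf-16-le")

def triage(data):
    """Return a set of flags (hypothetical names) for one attachment's bytes."""
    flags = set()
    if data.startswith(OLE_MAGIC):
        if utf16("EncryptedPackage") in data:   # encrypted OOXML wrapped in OLE2
            flags.add("password-protected")
        if utf16("_VBA_PROJECT") in data:       # legacy .doc/.xls with VBA
            flags.add("macros")
    elif data.lstrip()[:5] == b"{\\rtf":        # RTF, whatever the extension says
        flags.add("rtf")
        if b"\\objdata" in data:                # embedded OLE object
            flags.add("embedded-object")
    elif zipfile.is_zipfile(io.BytesIO(data)):  # OOXML: .docx/.docm/.xlsm ...
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                flags.add("macros")
            doc = "word/document.xml"
            if doc in names and z.getinfo(doc).file_size <= MAX_XML:
                xml = z.read(doc).decode("utf-8", "replace")
                # Join fragments: one field instruction may be split across runs
                instr = "".join(a or b for a, b in FIELD_RE.findall(xml))
                if DDE_RE.search(instr):
                    flags.add("dde-field")
    return flags

def make_docx(document_xml, extra=()):
    """Build a constructed OOXML sample in memory (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        for name in extra:
            z.writestr(name, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    split = "<w:instrText> DD</w:instrText><w:instrText>EAUTO placeholder </w:instrText>"
    print(triage(make_docx(split, ["word/vbaProject.bin"])))
    print(triage(OLE_MAGIC + bytes(504) + utf16("EncryptedPackage")))
    print(triage(b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105}}}"))
```

Only field instructions are searched for DDE, so a document that merely mentions the word in its body text is not flagged. Any non-empty result is a reason to quarantine the attachment for analysis, not proof that it is malicious.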
Because of these vulnerabilities and the difficulties in preventing macro malware attacks in any version of Office before Office 2010, I strongly urge you to update your Office software to the latest version and stop putting yourself and others at risk by using old, out-of-date software.
This very informative post gives some excellent advice about using group policy in an enterprise environment to assist with this problem.
We also regularly see campaigns involving a genuine Word doc attached which is malformed and contains an embedded OLE virus/Trojan. This is using the CVE-2012-0158 exploit, which was fixed in MS12-027, and possibly a similar exploit from 2013/14. If protected view mode is turned off and RTF is allowed, then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you. Almost all of these malicious Word documents appear to be blank when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365.
Update: see THIS Microsoft post for methods to block the use of embedded OLE objects in Office docs.
In February 2016 we are currently seeing several malspam attacks using the CVE-2014-1761 exploit in unpatched versions of Office, and it doesn’t matter if you have macros turned off or not. If you are not patched, then you WILL be infected by this.
You must learn, and educate others, to look at the attachment and, if the protected mode bar appears when opening or previewing the document, DO NOT enable editing mode. The document might look blank or have distorted or blurred images, but will be safe. One of the ways of identifying a malicious document that you have received in an email is that it will not preview in the preview pane in Outlook or when saved to your downloads folder, and appears blank or will have content similar to the images shown in the slideshow above.