Hackers Weaponizing Microsoft Office Documents to Deploy Malware in Business Environments

Microsoft Office allows one to generate a professional business report on office365 or write college essays, prepare CVs, take notes, and perform analysis. 

These offer text and data editing, like macros and Python scripting in Excel, that enable automatic data updating. However, since they can be used to execute phishing and malware attacks, they are known as potential cyber weapons. 


Cybersecurity researchers at COFENSE recently discovered that hackers have been actively weaponizing Microsoft Office documents to deploy malware in business environments.

Technical analysis

For example, simple links could be used as attack vectors, while QR codes could be exploited through vulnerabilities such as “CVE-2017-11882” and “CVE-2017-0199.” 

All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo

An infected macro embedded in the Visual Basic for Applications (VBA) code will run automatically once the file is opened. 

Threat actors spread these documents by spoofing brands via email and cloud-sharing services. These are common threats that businesses should look out for to protect users.

Threat actors have found that office documents are the most preferred attack vector, with embedded links, QR codes, and malicious macros as accomplices to deliver credential phishing lures and malware payloads. 

Credential Phishing email with an embedded QR code inside (Source - COFENSE)
Credential Phishing email with an embedded QR code inside (Source – COFENSE)

Phishing pages may be accessed through what look like ordinary document links, while QR codes can evade security controls. 

Microsoft credential phishing page (Source - COFENSE)
Microsoft credential phishing page (Source – COFENSE)

Using Office’s Visual Basic for Applications (VBA), malicious users also leverage the automation of macro-executed malware upon opening modified files. 

Regardless of the modus operandi used, these attacks exploit the widespread adoption of Office apps, which requires users to remain alert and deploy strong security measures capable of mitigating risks arising from harmless-appearing documents.

In 2022, Microsoft deployed security updates restricting unauthorized macros from working on Office files by default, prompting users to grant permission before enabling potentially harmful programs. 

However, several hackers still use VBA macros to launch malware attacks when victims bypass these warnings. 

Macro payloads often exploit PowerShell to retrieve and run malicious software through different URLs at various attack stages. 

Law enforcement actions that influenced major botnets have led to a decline in macro-based attacks, which were once very popular with highly active malware such as Emotet.

Similarly, malware-laden Office-based macros remain an ever-present danger susceptible to social engineering tactics that easily dodge Microsoft’s macro embargo. So, the users must be vigilant and have their systems installed with strong security measures to address the risks involved.

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.