The Microsoft Office suite is a product most people view as synonymous with owning and using a computer. It has been the leading office software for about two decades. In 2016, Microsoft announced that 1.2 billion users worldwide were using some kind of Office product or service. This virus therefore has the potential to affect a very large number of people who work with Microsoft Office documents.
On November 7, 2017, McAfee, the US computer security software company, confirmed in a report that it had been tracking a new phishing attack from a Russian government-affiliated hacking group called Fancy Bear or APT28. Similar to other successful attempts, the attack used recent news events to convince unsuspecting users to open a Word document. The document, titled “IsisAttackInNewYork.docx”, contained a news story about the recent ISIS truck attack that killed eight people on a Manhattan bike path on Halloween.
According to McAfee researchers, the attack abuses the Object Linking and Embedding (OLE) technology that Microsoft Office uses. Specifically, a Microsoft Office feature called Dynamic Data Exchange (DDE) can be used by hackers to install malware on a victim’s computer if the victim opens a crafted Microsoft Office document. The hacking group has been exploiting this weakness since late October 2017.
Fancy Bear is one of the Russian hacker groups suspected of hacking the Democratic National Committee during the 2016 election. The Microsoft DDE feature in question allows Office files to include links to other remote files (e.g. like hyperlinks between documents). If a victim opens a document and then clicks through the prompt asking whether they “want to update this document with data from the linked file”, their computer becomes infected.
The Fancy Bear group is using the vulnerability to get victims to open attachments with newsworthy filenames like SabreGuard2017.docx and IsisAttackInNewYork.docx. If the files are opened, malware called Seduploader is installed on the victims’ machines.
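As an added example (not code from the article, McAfee or Microsoft), the following Python script scans a .docx package for the DDE and DDEAUTO field instructions described above, joining fields that are split across several runs so a hidden keyword is still caught; the sample documents are constructed inline and use placeholder arguments rather than any real field payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}
# DDE and DDEAUTO are the Word field keywords that trigger a DDE link.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# Field code may live in the body, headers or footers of the package.
PART_RE = re.compile(r"word/(document|header\d*|footer\d*)\.xml$")

def field_instructions(part_xml: bytes):
    """Yield every field instruction in one WordprocessingML part."""
    root = ET.fromstring(part_xml)
    for para in root.iter(f"{{{W_NS}}}p"):
        for fld in para.findall(".//w:fldSimple", NS):
            yield fld.get(f"{{{W_NS}}}instr", "")
        # Complex fields are often split over several w:instrText runs to hide
        # the keyword, so all runs in the paragraph are joined before matching.
        runs = [t.text or "" for t in para.findall(".//w:instrText", NS)]
        if runs:
            yield "".join(runs)

def find_dde_fields(docx_bytes: bytes) -> list:
    """Return the field instructions in a .docx that use DDE or DDEAUTO."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if PART_RE.match(name):
                hits += [i for i in field_instructions(zf.read(name)) if DDE_RE.search(i)]
    return hits

def build_sample_docx(instr_runs, simple_instr=None) -> bytes:
    """Constructed minimal .docx (only word/document.xml) used as demo input."""
    runs = "".join(f"<w:r><w:instrText>{r}</w:instrText></w:r>" for r in instr_runs)
    simple = f'<w:fldSimple w:instr="{simple_instr}"/>' if simple_instr else ""
    xml = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
           f'<w:r><w:fldChar w:fldCharType="begin"/></w:r>{runs}'
           f'<w:r><w:fldChar w:fldCharType="end"/></w:r>{simple}</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()

# Constructed samples: a harmless DATE field, and a DDEAUTO field split across
# runs whose arguments are placeholders, not a working payload.
BENIGN = build_sample_docx([' DATE \\@ "yyyy" '])
SUSPICIOUS = build_sample_docx([" DD", "EAUTO ", '"placeholder-app" "placeholder-args" '])
```

Calling find_dde_fields(SUSPICIOUS) returns the joined DDEAUTO instruction while find_dde_fields(BENIGN) returns an empty list; to check a real attachment, pass the file's bytes instead.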
Why is this virus hack different?
What’s different about this hacking technique is that it does not involve exploiting a “secret flaw” or “zero-day” vulnerability. A zero-day vulnerability is a defect or security hole in software that is not yet known to the vendor. Hackers typically exploit the vulnerability before the vendor becomes aware of it and releases a security patch to resolve it.
Microsoft said it had no plans to alter the DDE feature or introduce a fix, because it is behaving the way it was designed. According to an article by Cyberscoop, Microsoft said it was a feature. This type of feature is meant to let applications exchange data with each other.
Microsoft stated that this attack only works when Office’s Protected View setting is disabled. The lesson for users is to be extra cautious when opening any suspicious email attachment. When in doubt, it is better to do nothing and get advice from a computer professional.
Here are 5 tips to safeguard from the Microsoft Office virus:
1. Do not open files from strangers.
Microsoft recommends not opening any MS Office files or email attachments from an unknown source or location.
2. Enable Office Protected View.
Microsoft recommends enabling Office Protected View when you open an MS Word file. To enable it, see this Microsoft support document. If a user opens the Word file in Protected View, the virus is unable to execute or get into their system.
3. If working remotely, install a VPN.
A virtual private network encrypts your Internet traffic when working remotely and from public Wi-Fi networks at airports, universities, conferences and coffee shops. For an updated list of VPN services, see this in-depth review and comparison article.
4. Never turn off security features.
When opening a document from an email, the message might prompt you to turn off Office security features. Always keep security features on, regardless of the document type.
5. Install patches.
If a software vendor releases a patch for a vulnerability, install it immediately or ask a computer professional for help.
Due to the publicity about the Microsoft Office virus, the company issued an advisory on November 8, 2017, encouraging concerned Microsoft Office users to “check their DDE security settings and disable the automatic updates of data from linked fields to mitigate the threat.” It is strongly recommended to get help from an IT security professional, since some of Microsoft’s recommendations require advanced knowledge and careful handling.