Proof of Concept (PoC) Attack Leverages Microsoft Office and YouTube to Deliver Malware
Researchers at Cymulate have discovered a way to deliver and execute malware through the Online Video feature in Microsoft Office Word (https://blog.cymulate.com/abusing-microsoft-office-online-video). Here we outline a brief summary of the attack and Cymulate’s suggested mitigation approach, and then we show an example of how data sanitization (CDR) can easily prevent this type of attack.
Summary of attack
- Create a .docx file, insert an Online Video
- Extract .docx with an archive extraction software, check worddocument.xml file, below is a screenshot for a normal embeddedHTML tag;
this tag contains an escaped HTML content which can be abused.
We have created our Proof of Concept (PoC) sample with the document.xml like this
As you can see, an additional script was added to run or save a file. When a user clicks on the video thumbnail, it will launch an Internet Explorer download window. Since the embeddedHTML accepts all HTML tags, attackers can easily create a phishing message and trick users to run the file. For example:
How can you prevent this type of attack?
According to Cymulate, they submitted this issue three months ago, and Microsoft to date has not acknowledged it as a flaw. To mitigate this issue, Cymulate’s research team suggests blocking Word documents containing the tag “embeddedHtml” in the Document.xml file of MS Word documents or blocking documents with embedded video inside.
With OPSWAT Data Sanitization technology, it’s much easier to prevent this type of attack. The data sanitization process disarms this file and reconstructs a new file that has no potential threat objects, including no remote videos. After sanitization, the document.xml file doesn’t contain any suspicious HTML content: