In a new twist, attackers can infect a victim with malware when the victim merely hovers over a link inside a booby-trapped PowerPoint file. This is an extension of the Office macro malware attack, which spread through spam email. That earlier attack relied on victims unwittingly clicking a link, which installed malicious content through a macro download. The new method does not even require the link to be clicked, so the general advice not to click unknown links offers no protection here. Attackers are testing methods that install the malware when the user simply hovers over the link.

BleepingComputer described the new form of attack. This new Office vulnerability does not need macros to work, but it still needs the user to open the PowerPoint file. Once inside the document, simply hovering over a link runs a PowerShell command that downloads malware to the system. The report points out that the attack is being delivered through spam email. Attackers disguise the message with a subject line and attachment names suggesting a purchase invoice. The attachments use the open-source PowerPoint slide show format, which is for viewing only and cannot be edited. While hovering over the link can download malware, Office does have built-in protection against this.
Office Protection
Microsoft’s Office Protected View can block the download and flag it as dangerous. Protected View has been turned on by default in the productivity suite since 2010, so users should see a warning unless they have turned Protected View off for some reason. Microsoft confirmed this in a statement: “Office Protected View is enabled by default and protects against the technique described in the report. Both Windows Defender and Office 365 Advanced Threat Protection also detect and remove the malware. We encourage users to practice good computing habits online, and exercise caution when enabling content or clicking on links to web pages.” As always, it is worth checking the links and attachments in an email, especially when it comes from an unknown source; as a general rule, attachments from unknown senders should be avoided.
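A mail-gateway or sandbox check for the hover technique described above, added here as an example that is not from the article, BleepingComputer or Microsoft: it unpacks a PowerPoint file and flags shape hyperlinks that fire on mouse-over (the PresentationML `hlinkMouseOver` element) and either carry a program-launching `ppaction://` action or resolve, through the slide's relationship part, to a target naming a script interpreter such as PowerShell. `build_sample` is a constructed fixture with a placeholder target, not a real attachment, and the interpreter list is an assumption for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# PresentationML hyperlink actions that launch a program or macro instead of opening a URL.
PROGRAM_ACTIONS = ("ppaction://program", "ppaction://macro")
# Interpreters a hyperlink target should never name (assumed list); the reported sample used PowerShell.
SUSPICIOUS_TARGET = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript)\b", re.I)

def find_link_launchers(pptx_bytes):
    """Return (slide, trigger, action, target) for every shape hyperlink that runs a
    program or names a script interpreter. hlinkMouseOver is the hover trigger."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in sorted(z.namelist()):
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels_name = name.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            rels = {}
            if rels_name in z.namelist():
                for rel in ET.fromstring(z.read(rels_name)):
                    rels[rel.get("Id")] = rel.get("Target", "")
            slide = ET.fromstring(z.read(name))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for link in slide.iter(f"{{{A_NS}}}{trigger}"):
                    action = link.get("action", "")
                    target = rels.get(link.get(f"{{{R_NS}}}id"), "")
                    if action in PROGRAM_ACTIONS or SUSPICIOUS_TARGET.search(target):
                        findings.append((name, trigger, action, target))
    return findings

def build_sample(trigger="hlinkMouseOver", action="ppaction://program",
                 target="powershell -Command CONSTRUCTED_PLACEHOLDER"):
    """Constructed fixture: a minimal PPTX-style zip with one shape whose hyperlink
    fires on `trigger`. Only the parts the scanner reads are present."""
    slide = (f'<p:sld xmlns:p="{P_NS}" xmlns:a="{A_NS}" xmlns:r="{R_NS}"><p:cSld><p:spTree>'
             f'<p:sp><p:nvSpPr><p:cNvPr id="2" name="Loading..."><a:{trigger} r:id="rId2" '
             f'action="{action}"/></p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>')
    rels = (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId2" Type="{R_NS}/hyperlink" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

An ordinary click-to-URL link produces no finding, while a mouse-over link whose action launches a program is reported even when its target is not in the interpreter list.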