Security Threats Still Lurk in Office 365 Documents

Microsoft is taking new steps to close security gaps in Office 365 documents with Safe Documents, Application Guard.

Brien Posey

April 8, 2020

4 Min Read
Security Threats Still Lurk in Office 365 Documents
Getty Images

Mention the word malware, and the first thing that most people will probably think of is ransomware. After all, ransomware has been making headlines for years, thanks to some high-profile attacks. But there are other insidious threats lurking out there, including one that is very close to all of your end users: malicious Microsoft Office 365 documents.

I first remember hearing about malicious Microsoft Office documents back in the 90s. Back then, the macro feature was still relatively new. Bad actors were creating documents containing malicious macros. The documents were designed so that the macros would execute when the document was opened. This is the reason why all of the more recent versions of Microsoft Office open documents in Protected View. Protected View prevents malicious code embedded within a Microsoft Office document from executing.

Even though macro viruses are probably the most widely known threat associated with Microsoft Office documents, there are other types of malicious content that can be embedded into an Office document (depending on the version).

One of the things that made Microsoft Office so popular was the ability to include various types of content within documents. That’s still the case with Office 365, of course. A Word document can include pictures, 3D models, equations and much more. In some cases, however, embedded content can pose a threat. In 2018, attackers discovered that they could embed malicious Adobe Flash content into an Excel spreadsheet. This attack, known as CVVE-2018-4878, exploited a Flash vulnerability that allowed embedded code to be executed.

This is not the only example of an object embedded in an Office document posing a security threat.

OLE2 link objects embedded within Microsoft Word have been used to download malicious scripts.  Attackers have also found ways of exploiting weaknesses in Microsoft Word’s equation editor. The Equation Editor runs in its own process, separate from the Winword.exe process used by Microsoft Word. Because of this, attackers were able to exploit the Equation Editor in a way that allowed for remote code execution.

Palo Alto Networks has done a great job of documenting these and other Microsoft Office document exploits. The most important takeaway from this article is that even though malicious Microsoft Office documents first became a problem decades ago, Office documents continue to be exploited today. Thankfully, Microsoft is renewing its efforts to protect its customers against malicious documents.

One of the steps that Microsoft has taken is the introduction of the Office 365 feature Safe Documents. Safe Documents, currently in public preview, uses Office 365’s Advanced Threat Protection to automatically scan documents for known threats when a document is opened.

Even though the Safe Documents feature will be nice to have, it essentially mimics the behavior of third-party anti-malware products. Safe Documents will add an extra layer of protection, but feels a bit like a legacy security solution.

Fortunately, Safe Documents is not the only feature that Microsoft will be introducing in an effort to keep its Office 365 customers safe. Microsoft is also going to be modifying Application Guard to work with Office.

Application Guard is a Windows 10 feature that has existed for a while. It allows users to run the Edge browser inside of a dedicated Hyper-V sandbox (without the hassles of having to manually create a virtual machine). This has the effect of completely isolating the browser so that malicious Web pages are unable to harm the underlying operating system or gain access to the file system.

In the context of Microsoft Office 365, Application Guard will allow users to open untrusted Office documents in a sandboxed environment where malicious code can not inflict harm on the rest of the system. Even with the document sandboxed, users will be able to edit, print and save it. Perhaps the most notable thing about Office 365’s use of Application Guard is that it will protect Outlook users from malicious email attachments.

The Safe Documents and Application Guard features are not yet available for general use, but should be available soon. Right now, Safe Documents is in public preview for Microsoft 365 E5 and E5 Security customers. Microsoft is projecting that Application Guard protection for Microsoft Office documents will become generally available during the summer of 2020.

About the Author

Brien Posey

Brien Posey is a bestselling technology author, a speaker, and a 20X Microsoft MVP. In addition to his ongoing work in IT, Posey has spent the last several years training as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.

http://brienposey.com/

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like