Microsoft has been pushing browser-based Microsoft 365 cloud for all office functions. However, their desktop office applications are just as popular as ever – especially Word, Excel and PowerPoint. Which is great news for cyber criminals as the end user workstation is a prime target for attack and often an overlooked link in any cyber security strategy.
With ransomware infections stealing terabytes of personal and corporate data, an average payment of a staggering $220,298 and an average downtime of 23 days [1], the numbers soon become eye-watering. Coupled with the revenue lost during those 23 days of downtime, recovery costs, lost productivity, reputational damage and fines for loss of data, it can unfortunately be the end for a lot of businesses. Now more than ever there is a need to protect assets or risk irrecoverable loss.
For attackers looking to compromise an organisation and manipulate an end user, leveraging familiar software is naturally preferred. Microsoft Office is used by virtually every IT-enabled organisation on the planet. Office-based malware has surged over the past year, with a 199% increase between Q3 and Q4 of 2020 alone, and must be seen as a serious threat by defenders [2].
Technical fixes and Group Policy
While this post is not intended as an absolute, definitive guide, we aim to give you 15 technical steps that an organisation can take to reduce the risk posed by these attacks. The majority of the protections outlined in this document should be implemented using Group Policy and will therefore require the ADMX templates provided by Microsoft here: https://www.microsoft.com/en-au/download/details.aspx?id=49030
Our suggested fixes.
Stop the 'bad' files getting to the user
It’s obvious that, to be opened in Office, a ‘bad’ file must first arrive at a user workstation in some way. A favourite delivery method for attackers looking to distribute these nefarious documents is the classic email: phishing [3]. Although this is not a protection applied to the Office installation directly, it’s still such an important step that it is worth mentioning here. The best way to stop a user falling victim is to stop the document ever reaching them. By implementing anti-malware scanning at the gateway, or by blocking extensions known to be used by attackers (such as .docm), you can greatly reduce employees’ exposure to these files.
Update Office When Available
Security is a moving target; attackers constantly find ways to directly attack software or subvert existing controls for their own and often illicit ends. Updates not only apply functional fixes but often contain security improvements. By applying security updates in a timely manner, it is not only possible to protect an organisation from known attacks against the software itself but to implement the latest security controls released by Microsoft. Ensuring you are always running the latest version of Office is a crucial first step in protecting an organisation and reducing risk.
Macros
Office macros are code embedded within Office documents that attackers can use to gain access to a user’s workstation. They are written in the Visual Basic for Applications (VBA) programming language, and often the only thing stopping an attacker from doing virtually anything they wish on a user’s machine is a single click.
It’s unlikely that macros are required by the majority of users, and therefore it’s preferable that an organisation restricts macros in their entirety. Where macros are required, they should be permitted only in the specific Office applications that need them, and only when digitally signed by Trusted Publishers using digital signing certificates.
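The macro restriction described above, expressed as the policy registry values the Office ADMX templates write, with a read-back check so the deployment can be verified rather than assumed. This is an added example, not code from the original post or from Microsoft; it assumes an Office 2016/Microsoft 365 "16.0" version key, and the same values would normally be delivered by a GPO rather than set locally. Outlook uses a different value name and is not covered here.

```powershell
# Added example: apply and verify the macro policy for Word, Excel and PowerPoint.
# Assumptions: Office version key "16.0"; run in the user's context or deploy the
# same values through a GPO. Outlook is not covered (different value name).

$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$Apps       = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 4 = disable all macros without notification
#              3 = disable all except digitally signed macros (Trusted Publishers)
# blockcontentexecutionfrominternet: 1 = block macros in files that came from the internet
function Set-OfficeMacroPolicy {
    param([ValidateSet('DisableAll', 'SignedOnly')] [string] $Mode = 'DisableAll')
    $vbaWarnings = if ($Mode -eq 'DisableAll') { 4 } else { 3 }
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value $vbaWarnings
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
    }
}

# Read the values back; a missing key shows up as $null and is reported non-compliant.
function Test-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App           = $app
            VBAWarnings   = $p.VBAWarnings
            BlockInternet = $p.blockcontentexecutionfrominternet
            Compliant     = ($p.VBAWarnings -in 3, 4) -and ($p.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

# 'SignedOnly' is the "Trusted Publishers only" posture from the text; use
# 'DisableAll' where no business case for macros exists.
Set-OfficeMacroPolicy -Mode 'SignedOnly'
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Because the values live under the Policies hive they take precedence over anything the user sets in the Trust Center, which is the point of managing them through Group Policy rather than relying on user defaults.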
Attack Surface Reduction (ASR)
In Windows 10 Microsoft introduced Attack Surface Reduction (ASR). ASR provides rule-based protection against risky behaviour at a software level, for example [4]:
· Launching executable files and scripts that attempt to download or run files;
· Running obfuscated or otherwise suspicious scripts; and
· Performing behaviours that apps don't usually initiate during normal day-to-day work.
ASR requires Microsoft Defender Antivirus to be running and comes with several Microsoft Office attack surface reduction rules including:
· Block Office applications from creating child processes
· Block Office applications from creating executable content
· Block Office applications from injecting code into other processes
· Block Win32 API calls from Office macros
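The four Office rules listed above, rolled out the way a practitioner would do it: audit mode first, then a read-back of the effective state and a look at the audit events before switching to block. This is an added example, not code from the original post; it assumes Microsoft Defender Antivirus is the active engine, the Defender PowerShell module is present and the session is elevated. The rule GUIDs are Microsoft's published identifiers for these rules.

```powershell
# Added example: enable the Office ASR rules in AuditMode, confirm state, review events.
# Assumptions: Defender AV active, Defender PowerShell module available, elevated session.

$OfficeAsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

# Step 1: AuditMode first, so line-of-business add-ins that would trip a rule
# surface as events rather than as broken workflows.
function Enable-OfficeAsrRules {
    param([ValidateSet('AuditMode', 'Enabled')] [string] $Action = 'AuditMode')
    foreach ($id in $OfficeAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

# Step 2: read the effective configuration back.
# Action codes returned by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
function Get-OfficeAsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $OfficeAsrRules.Keys) {
        $idx = -1
        for ($j = 0; $j -lt $ids.Count; $j++) { if ($ids[$j] -ieq $id) { $idx = $j } }  # GUID case varies
        [pscustomobject]@{
            Rule   = $OfficeAsrRules[$id]
            Action = if ($idx -ge 0) { $acts[$idx] } else { 'NotConfigured' }
        }
    }
}

# Step 3: ASR audit (1122) and block (1121) events are written to the Defender
# operational log; review them before moving from AuditMode to Enabled.
function Get-OfficeAsrEvents {
    param([int] $Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n") | Select-Object -First 3 } }
}

Enable-OfficeAsrRules -Action 'AuditMode'
Get-OfficeAsrRuleState | Format-Table -AutoSize
Get-OfficeAsrEvents    | Format-List
```

Once the audit log shows only expected noise, re-run `Enable-OfficeAsrRules -Action 'Enabled'`; the same 1121 events then become the detection signal for a macro trying to spawn a child process or call into Win32.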
Dynamic Data Exchange (DDE) & External Content
The Dynamic Data Exchange (DDE) protocol is a method of inter-application data transfer provided by Windows [6]. It allows applications such as Outlook and Excel to load and embed data from an external source into a document. Attackers can leverage this functionality to run external code; for example, an attacker can use custom DDE fields to interact directly with the command line and execute their own commands. In 2017, due to widespread use in malware campaigns, Microsoft officially disabled support for DDE in Word; however, support for DDE in Excel and Outlook persists [7].
To protect against these attacks Group Policy should be used to prevent the loading of data from external sources.
Flash Content
Thankfully Flash was discontinued, with end of life announced for December 31st, 2020. Unfortunately, this doesn’t mean it isn’t still used across a large number of organisations. Office documents allow Flash content to be embedded, meaning that attackers can use Flash code to target unsuspecting users. To protect against this attack, Flash can be blocked in Office documents.
Object Linking & Embedding (OLE)
Content from other applications can be embedded into Excel worksheets, Word documents and PowerPoint presentations through Object Linking & Embedding (OLE). Much like Office macros, embedded objects such as Visual Basic (VB) and JavaScript (JS) scripts can be used by attackers to execute their code on a user’s workstation [8]. To protect users, organisations should use Group Policy to make the registry changes that disable OLE across the aforementioned Office products.
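The registry values behind the DDE mitigation (previous section) and the OLE-package block (this section), with a compliance read-back. This is an added example, not code from the original post; the DDE values follow Microsoft's advisory ADV170021 and the `PackagerPrompt` value is Microsoft's documented OLE package switch. It assumes an Office "16.0" version key; the Policies-hive paths are assumed to match the ADMX templates, and the two settings Microsoft documents only as per-user values are left under `HKCU\Software\Microsoft\Office`.

```powershell
# Added example: DDE and OLE-package hardening for Word, Excel and Outlook.
# Assumptions: Office version key "16.0"; Policies-hive paths as written by the ADMX templates.

$Settings = @(
    # Word: do not update automatic (field/DDE) links when a document opens
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Options';    Name = 'DontUpdateLinks';        Value = 1 }
    # Outlook uses Word as its mail editor; same switch for message bodies (per-user path from ADV170021)
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Word\Options\WordMail';    Name = 'DontUpdateLinks';        Value = 1 }
    # Excel: never auto-update workbook links (2), and disable DDE server launch and lookup
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'; Name = 'WorkbookLinkWarnings';   Value = 2 }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'; Name = 'DisableDDEServerLaunch'; Value = 1 }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'; Name = 'DisableDDEServerLookup'; Value = 1 }
    # OLE packages (embedded scripts/executables): PackagerPrompt 2 = block activation entirely
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security';           Name = 'PackagerPrompt';         Value = 2 }
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Excel\Security';          Name = 'PackagerPrompt';         Value = 2 }
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\PowerPoint\Security';     Name = 'PackagerPrompt';         Value = 2 }
)

function Set-OfficeDdeOlePolicy {
    foreach ($s in $Settings) {
        New-Item -Path $s.Path -Force | Out-Null
        Set-ItemProperty -Path $s.Path -Name $s.Name -Type DWord -Value $s.Value
    }
}

# Report each setting as Expected/Actual/Compliant; a missing value reads as $null.
function Test-OfficeDdeOlePolicy {
    foreach ($s in $Settings) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = "$($s.Path)\$($s.Name)"
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($actual -eq $s.Value)
        }
    }
}

Set-OfficeDdeOlePolicy
Test-OfficeDdeOlePolicy | Format-Table -AutoSize
```

`WorkbookLinkWarnings = 2` and `DontUpdateLinks = 1` stop the silent link refresh that DDE payloads rely on, while `DisableDDEServerLaunch` removes the prompt that asks the user to start an external application in the first place.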
Restrict Office DCOM
Abusing Microsoft Office Distributed Component Object Model (DCOM) is a technique used by attackers for stealthy lateral movement within a target network. DCOM works by extending the benefits of COM objects to remote computers and allowing, for example, macros to be run on remote machines.
Some examples of dangerous COM objects that are exposed through DCOM include:
· Excel.Application
· Word.Application
· MMC20.Application
· ShellWindows
· ShellBrowserWindow
· Visio.Application
· Visio.InvisibleApp
· Outlook.Application
· Powerpoint.Application
· Access.Application
· Shell.Application
These can usually be found in the Windows Registry as a key/value pairing, with a CLSID GUID assigned to the COM class, for example:
C08AFD90-F2A1-11D1-8455-00A0C91F3880
To protect against this technique, organisations can employ a variety of methods; however, they should ideally restrict access to the dangerous COM object DLLs that support RPC functions and methods in Office. In addition to this, the following steps are recommended:
· Disallow remote registry access if it is not required.
· Enable the Domain and Private profiles in Windows Defender Firewall.
· Harden the DCOM permissions by removing the Remote Launch and Remote Activation rights from administrators.
· Harden user access rights with Group Policy (in AD-driven environments) to prevent this attack.
· Use application control rules as the last ring of security controls to prevent vulnerable processes from spawning dangerous child processes or loading DLLs, for example outlook.exe -> rundll32.exe.
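An audit script for the DCOM exposure points discussed above: it resolves each listed ProgID to its CLSID and AppID, reports whether a custom `LaunchPermission` has been set on that AppID (absence means the machine-wide DCOM defaults apply), and checks the Remote Registry service and firewall profile state from the recommendation list. This is an added example, not code from the original post; it assumes an elevated session on the workstation being reviewed, and ProgIDs that have no registry entry of their own are reported as such rather than resolved.

```powershell
# Added example: audit DCOM exposure for the COM classes listed in the text.
# Assumptions: elevated session; Office installed on the workstation under review.

$DangerousProgIds = 'Excel.Application', 'Word.Application', 'MMC20.Application',
    'ShellWindows', 'ShellBrowserWindow', 'Visio.Application', 'Visio.InvisibleApp',
    'Outlook.Application', 'PowerPoint.Application', 'Access.Application', 'Shell.Application'

# ProgID -> CLSID -> AppID -> is a custom LaunchPermission descriptor present?
function Get-DcomClassExposure {
    foreach ($progId in $DangerousProgIds) {
        $clsid = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\CLSID" -ErrorAction SilentlyContinue).'(default)'
        if (-not $clsid) {
            # Some classes carry no ProgID key; they still need reviewing by CLSID in dcomcnfg.
            [pscustomobject]@{ ProgId = $progId; CLSID = 'no ProgID entry'; AppID = $null; CustomLaunchPermission = $null }
            continue
        }
        $appId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue).AppID
        $perm  = $null
        if ($appId) {
            # LaunchPermission is a binary security descriptor; when it is absent the
            # machine-wide defaults apply, which include Remote Launch/Activation for Administrators.
            $perm = $null -ne (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -Name LaunchPermission -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{ ProgId = $progId; CLSID = $clsid; AppID = $appId; CustomLaunchPermission = $perm }
    }
}

# Host-level checks from the recommendation list: Remote Registry off, firewall profiles on.
function Get-DcomHostChecks {
    $rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check = 'Remote Registry service'
        Value = "$($rr.Status) / $($rr.StartType)"
        Ok    = ($rr.StartType -eq 'Disabled')
    }
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Check = "Firewall profile: $($p.Name)"
            Value = "Enabled=$($p.Enabled)"
            Ok    = ("$($p.Enabled)" -eq 'True')
        }
    }
}

Get-DcomClassExposure | Format-Table -AutoSize
Get-DcomHostChecks    | Format-Table -AutoSize
```

A row with `CustomLaunchPermission = False` for an Office AppID is the one to act on: it means the class is still governed by the default DCOM ACL rather than the hardened permissions the recommendation calls for.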
ActiveX
ActiveX can be used to provide users with a rich Office experience; for example, a document author can retrieve data from an internet source. However, ActiveX can also be used by attackers to execute code and access sensitive data. Recently ActiveX has been used in Office documents to trigger exploits against other Microsoft applications [9].
To provide protection from ActiveX based attacks organisations should disable all ActiveX across the Office suite.
Custom Add-Ins
Custom Add-Ins extend Office by interacting with Office document and Outlook message content and with external sources. Naturally, this feature can also be used by attackers to access sensitive data and execute code in a persistent manner.
To protect against this attack ideally organisations should deny Add-Ins completely, or if there is a legitimate business requirement only allow Office Add-Ins from Trusted Publishers and disable unsigned Add-Ins.
Use Protected View
By default, Office files originating from untrusted locations such as the internet or email attachments are opened within a sandboxed environment (Protected View). In some uncommon situations organisations have disabled Protected View, sometimes without knowing the consequences. If this is the case, an attacker can deliver malicious Office files to users via the internet or email.
Organisations should ensure that they are enforcing Protected View by using GPOs.
Disable Running External Programs
PowerPoint allows users to run external programs through action buttons, which lets attackers execute programs or leverage existing programs to compromise a user’s workstation. Furthermore, there is no security warning when a program is executed via the button, making the attack invisible to users who typically look for Office security warnings.
To protect against this attack, organisations should disable action buttons via Group Policy.
Use Office File Validation (OFV)
Office File Validation (OFV) ensures that documents opened in Office conform to an expected standard and performs security checks on files. According to Microsoft, “Office File Validation helps detect and prevent a kind of exploit known as a file format attack or file fuzzing attack” [10]. Depending on the configuration, files that appear to be malformed are blocked from opening entirely, are opened in read-only mode or are opened in Protected View.
Although OFV doesn’t protect against all malformed files, organisations should ensure Protected View is enforced via a Group Policy Object so that users are protected from a large number of malformed documents [11].
Disable Legacy & Insecure File Types
Office has been part of our lives for over 30 years and understandably it has evolved many times since its inception in 1990, but it is still required to support legacy file formats [12]. These file formats, such as the Word Document binary format (.doc), are still a favourite for attackers [13].
To protect against the risk introduced by legacy and other insecure file types, organisations should use Group Policy to prevent those file types from being opened.
Test & Verify
Securing Microsoft Office deployments can be a challenging task; with so many policies and registry keys to modify, it is easy to misconfigure something. Changes made over time to accommodate edge cases and bespoke situations can inadvertently affect the organisation’s ability to protect itself from common methods of attack.
Regular security testing allows an organisation to identify new security risks and vulnerabilities, and to ensure that later changes have not reintroduced previously identified vulnerabilities.
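A desired-state check covering the policy values behind the ActiveX, Custom Add-Ins, Protected View, external program, OFV and legacy file type sections above, written as the kind of repeatable verification this section calls for, with a remediation function that only touches values the check found wrong. This is an added example, not code from the original post or from Microsoft; it assumes an Office "16.0" version key and the value names the Office ADMX templates write. The file block format names differ per application, so `Word2003Files` is used as one example rather than a full list.

```powershell
# Added example: verify (and optionally repair) the Office policy values from the
# ActiveX, Add-In, Protected View, Run Programs, OFV and File Block sections.
# Assumptions: Office version key "16.0"; ADMX value names; run in the user's context.

$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

$Desired = @(
    # ActiveX: disable all ActiveX controls across the suite
    @{ Key = 'Common\Security'; Name = 'DisableAllActiveX'; Expected = 1 }
    # PowerPoint action buttons: 0 = do not run external programs
    @{ Key = 'PowerPoint\Security'; Name = 'RunPrograms'; Expected = 0 }
    # Legacy Word 2003 binary (.doc) files: 3 = Block (other formats have their own value names)
    @{ Key = 'Word\Security\FileBlock'; Name = 'Word2003Files'; Expected = 3 }
)
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $Desired += @(
        # Add-Ins: require a Trusted Publisher signature, and block unsigned add-ins without a Trust Bar prompt
        @{ Key = "$app\Security"; Name = 'RequireAddinSig';         Expected = 1 }
        @{ Key = "$app\Security"; Name = 'NoTBPromptUnsignedAddin'; Expected = 1 }
        # Protected View: these are "disable" switches, so 0 keeps Protected View on
        @{ Key = "$app\Security\ProtectedView"; Name = 'DisableInternetFilesInPV';   Expected = 0 }
        @{ Key = "$app\Security\ProtectedView"; Name = 'DisableAttachementsInPV';    Expected = 0 }  # spelled this way in the registry
        @{ Key = "$app\Security\ProtectedView"; Name = 'DisableUnsafeLocationsInPV'; Expected = 0 }
        # Office File Validation on open
        @{ Key = "$app\Security\FileValidation"; Name = 'EnableOnLoad'; Expected = 1 }
    )
}

# Compare every desired value with what is actually in the Policies hive.
function Test-OfficePolicyState {
    foreach ($d in $Desired) {
        $path   = Join-Path $PolicyRoot $d.Key
        $actual = (Get-ItemProperty -Path $path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        [pscustomobject]@{
            Setting   = "$($d.Key)\$($d.Name)"
            Expected  = $d.Expected
            Actual    = if ($null -eq $actual) { 'NotSet' } else { $actual }
            Compliant = ($actual -eq $d.Expected)
        }
    }
}

# Fix only the non-compliant entries; the GPO should remain the source of truth,
# so this is for lab hosts or for confirming what the GPO needs to carry.
function Repair-OfficePolicyState {
    foreach ($r in (Test-OfficePolicyState | Where-Object { -not $_.Compliant })) {
        $d    = $Desired | Where-Object { "$($_.Key)\$($_.Name)" -eq $r.Setting } | Select-Object -First 1
        $path = Join-Path $PolicyRoot $d.Key
        New-Item -Path $path -Force | Out-Null
        Set-ItemProperty -Path $path -Name $d.Name -Type DWord -Value $d.Expected
    }
}

$report = Test-OfficePolicyState
$report | Format-Table -AutoSize
'{0} of {1} settings compliant' -f @($report | Where-Object Compliant).Count, @($report).Count
```

Run the check after every Group Policy change and on a sample of workstations, not just the reference build; a value that reads `NotSet` here means the policy never reached the host, which is exactly the silent drift this section warns about.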
Conclusion
This is by no means a complete guide to everything you need to do to harden your MS Office environment, but it’s a great start. If you want to know more or need help identifying vulnerabilities in your environment, speak to us on 0113 467 8855 or email us at info@precursorsecurity.com.
References
[2] https://www.mcafee.com/enterprise/en-us/lp/threats-reports/apr-2021.html
[3] https://attack.mitre.org/techniques/T1566/001/
[6] https://docs.microsoft.com/en-us/windows/win32/dataxchg/about-dynamic-data-exchange
[9] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26419
[10] https://insights.sei.cmu.edu/blog/effectiveness-of-microsoft-office-file-validation/
[12] https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference