Knowing that Microsoft Office is one of the most popular and widespread software suites on the planet, cyber-criminals and hackers seeking likely victims will often make Office documents and applications the focus of their attempts to gain access to external systems, or generally wreak havoc. Much of this activity relies on scripts containing malicious code, which can call up a variety of actions.
CSO Online contributor Susan Bradley reckons that “phishing attacks increased 400% in the first seven months of 2019.” Such attacks exploit the natural knee-jerk reaction to tempting offers or threatening situations. In response to an irresistible offer or threat, phishing emails or text messages typically invite a prospective victim to follow links to a booby-trapped web site, or to open a document containing malicious code.
For users of Microsoft products, malicious software or malware may try to infect a victim’s computer by calling up executable files and scripts used in Office apps or web mail. These may attempt to download or run files designed or supplied by the hacker. Malicious scripts can give them an entry point to a personal system or corporate network, or enable them to corrupt existing files and applications.
Enterprise system administrators often have a multitude of Microsoft Office users to assist and oversee, making the issue of dealing with external threats particularly challenging. The following techniques and recommendations can help.
You first need to identify who in your organization is actually using Microsoft Office, in terms of names and numbers. You must then establish what kind of Office implementation each of these users requires. In some cases, the user may not require the full functionality of an Office suite, or need access to all of the tools available.
Not every user in an Office 365 installation has to have the same setup. For enterprise users, it’s possible to mix and match different versions of Microsoft licensing, inside your Office 365 deployment. For example, users with limited functionality requirements may be able to work from a web-based version of Office that isn’t installed on your system directly. This can also make security deployment easier, as web installations can be run in a “sandbox” mode that keeps them separate from the rest of your network.
Your enterprise hierarchy may make higher profile executives within your organization a more tempting target for hackers. Likewise, security monitoring may reveal that certain individuals at various levels of the company are being targeted by phishing attempts more frequently than others. Users like these may benefit from an Office license with greater security protections and more sophisticated tools.
For users in your organization who don’t require the full collaborative functionality of Microsoft Office, it may even be desirable to use an alternative software suite. Team work and document sharing can often be accomplished by other methods such as read-only PDF files, online forums, or web-based forms.
Though intended to automate routine functions and make life easier for Office users, macros have rightly gained a reputation as gaping security holes in any system running Microsoft software. Scripting attacks are most often perpetrated through malicious macros that call up actions favorable to the hacker.
It’s worth considering putting restrictions on the running of macros for this reason. Most users don’t actually need to employ advanced features like macros, and can get by with a basic Office installation. Any users who do have good reasons for running macros to increase their productivity can be approved for their deployment, and more easily monitored.
If your organization has a traditional domain infrastructure, you can limit the use of Office macros with Group Policy. Versions of Microsoft’s application suite as far back as Office 2010 possess the ability to block macros.
Administrators of systems running Office 2016 can block macros in documents that originate from the web. A metadata flagging feature known as “mark of the web” gives administrators more granular control over how and where users can open files.
(Image source: Susan Bradley)
Files flagged as suspicious will typically display yellow and red warning communications at the top of documents that users open from external sources.
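As an added example (not from the article), the following PowerShell writes, for the current user, the same registry values that the Office 2016 Group Policy settings "Block macros from running in Office files from the Internet" and "VBA Macro Notification Settings" control, and reads them back so the state can be verified. It assumes Office 2016 or later (registry version 16.0) and is meant for a single test machine; in a domain the settings should be deployed through Group Policy as the text describes.

```powershell
# Added example: mirror the Office 2016 macro Group Policy settings in the per-user
# policy hive and verify them. Assumes Office 2016/2019/365 (registry version 16.0).
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all, 2 = disable with notification (default),
# 3 = disable all except digitally signed, 4 = disable all without notification.
function Set-OfficeMacroPolicy {
    param(
        [ValidateSet(1, 2, 3, 4)][int] $VbaWarnings = 4,
        [bool] $BlockInternetMacros = $true
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Honour mark-of-the-web: macros in files downloaded from the Internet are
        # blocked outright instead of being offered behind an "Enable Content" button.
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
            -PropertyType DWord -Value ([int]$BlockInternetMacros) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'VBAWarnings' `
            -PropertyType DWord -Value $VbaWarnings -Force | Out-Null
    }
}

# Reads the policy back so it can be checked on one machine or collected from many.
function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $v.VBAWarnings
            BlockInternetMacros = $v.blockcontentexecutionfrominternet
            # "Compliant" here means: no unsigned macros, and Internet files blocked.
            Compliant           = ($v.VBAWarnings -ge 3 -and
                                   $v.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

# Default posture for the general user population: no macros at all.
Set-OfficeMacroPolicy -VbaWarnings 4 -BlockInternetMacros $true
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

For the approved users who do need macros, `-VbaWarnings 3` allows only digitally signed macros while keeping the Internet block in place.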
Messages and emails are the hacker’s preferred vector for phishing and scripting attacks. So preventing those communications from getting through in the first place makes good sense. You should use spam and email filtering tools to scan and approve messages before users get a chance to open them.
In fact, because attachments are now so widely filtered, more sophisticated attackers are abandoning attached documents as a means of delivering malicious code and are hosting their scripts in the cloud instead.
The increasing ingenuity of script based attacks requires organizations to adopt more sophisticated security measures and software solutions.
Microsoft recently previewed a new Microsoft 365 E5 subscription feature called Safe Documents. This service checks Excel, PowerPoint, and Word documents against known risks and threat profiles before a user can open them.
If you have an active Microsoft 365 E5 license, you can enable the preview by going to the Office 365 Security & Compliance Center. “Threat management” > “Policy” > “ATP Safe Attachments” will bring up a set of configuration options.
In the section called “Help people stay safe when trusting a file to open outside Protected View in Office applications”, configure the following:
Turn on “Safe Documents for Office clients.”
Make sure “Allow people to click through Protected View even if Safe Documents identifies the file as malicious” is not enabled.
Click “Save,” to finish.
Application Guard for Office 365 ProPlus is another service in preview, which is similar to Windows Defender Application Guard for the Edge browser. Application Guard puts Office in a sandbox environment, so that malicious scripts or documents can’t escape into the wider office network or operating system.
Though Application Guard is currently in preview, you can sign up for the private beta program.
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) uses what the company calls “attack surface reduction rules” to help prevent behaviors that malicious scripts and malware often use to infect computers with malicious code.
Rules are available for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. To use the entire feature set of attack surface reduction rules, you’ll need a Windows 10 Enterprise license.
If you're using audit mode, you can query Microsoft Defender ATP data by using Advanced hunting. Audit mode provides features to help you understand how attack surface reduction rules could affect your environment. An example query might look like this:
(Image source: Microsoft.com)
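The advanced hunting query in the original image is not reproduced here. As an added example (not from the article), the following PowerShell does the local-machine equivalent: it puts the Office-related attack surface reduction rules into audit mode and then reads the audit events Defender writes to the local event log, which shows what those rules would have blocked. It assumes Windows 10 version 1709 or later with Microsoft Defender Antivirus, an elevated PowerShell session, and the event data field names (`ID`, `Process Name`, `Path`, `User`) as they appear in Defender's ASR events.

```powershell
# Added example: audit the Office-related ASR rules on one machine and review the
# resulting events locally. Run from an elevated PowerShell on Windows 10 1709+.

# Rule GUIDs as published by Microsoft for the Office-related ASR rules.
$OfficeAsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

# Audit mode logs what a rule would have blocked without interrupting users.
function Enable-OfficeAsrAudit {
    foreach ($id in $OfficeAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

# Event 1122 = rule fired in audit mode; 1121 = rule actually blocked something.
function Get-OfficeAsrAuditEvents {
    param([int] $Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Rule GUID, process and target path are named properties in the event XML
        # (field names assumed); reading the XML avoids locale-dependent message text.
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId = "$($data['ID'])".Trim('{}').ToUpper()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
            Rule    = $OfficeAsrRules[$ruleId]
            Process = $data['Process Name']
            Target  = $data['Path']
            User    = $data['User']
        }
    } | Where-Object { $_.Rule }   # keep only the Office-related rules listed above
}

Enable-OfficeAsrAudit
Get-OfficeAsrAuditEvents -Days 7 | Format-Table -AutoSize
```

A rule that produces audit events only for a known, approved workflow is a candidate for switching to `Enabled` (block mode); one that fires on routine line-of-business documents needs exclusions or further investigation first.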
Finally, no cyber-security initiative is complete without an associated program of security awareness training and best practices. For scripting attacks on Microsoft Office, these should include email etiquette and anti-phishing measures, as well as letting end users know the proper procedures for responding to alerts and prompts from their security software.
If you need the highest-quality content for your business’s lead generation, nurturing and sales strategies, markITwrite has a dedicated team of professional writers, designers, and social media marketing experts to put their talent to work for your business.