Everyday Clues | Cybersecurity | Microsoft Office
85% of all German companies use Microsoft Office as their office software of choice. Many documents are also created, edited and shared privately with Word & Co. But cybercriminals also like to use Office programs – to spread malware. We’ll tell you how you can better protect yourself against it.
Office documents are popular gateways for cybercriminals, not only because Microsoft programs are so widely used, but also because active content can be integrated into Office documents. This active content ultimately consists of small programs, and cybercriminals can use them for their own purposes. For example, such a program can ensure that malware is downloaded from the Internet. Some companies and institutions take drastic protective measures against such attack opportunities. For example, they automatically delete all emails with attached, open Office documents, or all emails whose attached Office documents contain active content. PDF documents, on the other hand, are usually accepted as attachments.
The protective measures recommended below do not go that far. That is why it always comes down to you. Your eye, your attention, or even just your gut feeling that something is wrong with a document or an email attachment can prevent major damage. So stay alert.
Important: In companies, clear guidelines for handling Office documents are indispensable. This is especially true for documents from external sources, such as applications and invoices. The experts at Perseus will be happy to advise you.
What is the ideal case if you receive malware in the form of an Office document? You recognize the document as suspicious and do not open it. You have then nipped the possible attack in the bud – bravo!
Therefore, treat all Office documents you receive critically, in particular unexpected invoices, reminders or order confirmations that arrive by e-mail.
What are administrator rights?
Computers need to be managed, set up, and updated. This requires deep interventions in the system. Whoever takes on this task is considered an administrator – and needs unlimited access rights to all systems of the computer. These unlimited access rights are therefore also called administrator rights.
What is problematic about administrator rights?
Because administrator rights allow unlimited access to a computer, their abuse can cause enormous damage. It is enough for a malware program to be executed with administrator rights, because it can then make any changes it wants to your computer.
What to do?
What are macros?
The term macro comes from software programming. There, macros are small subroutines that are often used like building blocks. They usually contain the program code of multi-step processes – which then no longer have to be programmed manually step by step.
Because the principle is so practical, Microsoft has made it usable in the Office programs even for users without programming knowledge. Here, multi-step processes can be easily recorded, saved as a macro and then repeated as often as desired. For example, if the current date is to be displayed in several places in a document, the corresponding macro automatically updates it when you open or save the document.
Why are macros problematic?
Macros are small programs that are included in an Office document and run automatically. In everyday office life, this is helpful if the macro fulfills a desired function – such as the above-mentioned update of the date.
It becomes problematic when a macro has been programmed by cybercriminals, because then their program will be executed automatically. What it does depends on the cybercriminals’ goals. Maybe it just opens countless new documents. Or it downloads malware from the Internet that encrypts your computer. Practically everything that can be programmed is possible.
What to do?
Usually, you don’t have to do anything, because macros are disabled by default in the Office programs. This applies to both PCs and Macs. We advise: Play it safe and check that macros are deactivated on your computer.
Here you can find Microsoft’s instructions on how to disable and activate macros for PC and for Mac.
As mentioned, macros are disabled by default in current Office programs. But often they can be activated manually. We advise: Don’t do that! And if you are asked to do so? Then be sure to seek advice first.
Cybercriminals can be very sophisticated in their efforts to get you to activate macros. For example, the Emotet Trojan, which was feared for years, sent extremely authentic-looking emails, most of which contained an Office attachment. The body of the email explicitly asked the recipient to activate the macros in the attached document. Only then could the malicious code hidden in the documents become active. Even though the Emotet infrastructure was dismantled at the beginning of 2021, this attack tactic can still be used. Therefore, we advise the utmost caution.
What is OLE?
At Microsoft, OLE stands for Object Linking and Embedding, i.e. for linking or embedding objects. Such objects can include graphics, videos, and tables. For example, if a Word document links to a table, it can be edited in Excel. On the other hand, if this table is embedded in Word, it can be edited directly in Word. In order for the embedded objects to be usable, a corresponding program code must be integrated into the document. For cybercriminals, this means a way to embed malicious code.
What is the danger?
OLE objects manipulated by cybercriminals usually have to be clicked on in order to become active. Various tricks are used for this purpose. For example, the object can look like a field in which you are supposed to enter a security code. Or the accompanying email will ask you to take the corresponding actions.
What to do?
Do not enable embedded objects. If you are asked to do so, be sure to consult us.
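The filtering rule mentioned earlier (rejecting attachments that contain active content) can be checked mechanically for both macros and embedded objects in modern Office files. The following is an added example, not code from Perseus or Microsoft; the function names and the sample files are constructed for illustration, and the check only looks at the part names inside the ZIP container of an Office Open XML file.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy .doc/.xls/.ppt files


def find_active_content(data: bytes) -> list:
    """Return the reasons an Office attachment should be held for review."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary formats may carry macros and are not ZIP archives,
        # so this check cannot clear them.
        return ["legacy binary Office format"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["not an Office Open XML container"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        lowered = [n.lower() for n in names]
        if any(n.endswith("vbaproject.bin") for n in lowered):
            findings.append("VBA macro project")
        if any("/embeddings/" in n for n in lowered):
            findings.append("embedded OLE object")
        if "[Content_Types].xml" in names:
            types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in types and "VBA macro project" not in findings:
                findings.append("macro-enabled content type")
    return findings


def build_sample(parts: dict) -> bytes:
    """Build a constructed, harmless OOXML-like archive for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: placeholder bytes only, no real macro or object code.
PLAIN = build_sample({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
MACRO = build_sample({"[Content_Types].xml": "<Types/>", "word/vbaProject.bin": b"placeholder"})
OLE = build_sample({"[Content_Types].xml": "<Types/>", "word/embeddings/oleObject1.bin": b"placeholder"})
LEGACY = OLE2_MAGIC + b"\x00" * 32

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("macro", MACRO), ("ole", OLE), ("legacy", LEGACY)]:
        print(label, find_active_content(blob) or "no active content found")
```

An empty result only means that no macro project or embedded object was found in the container; it does not prove that the document is harmless.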
What is a sandbox?
The term “sandbox” is borrowed from the children’s play area of the same name. In IT, sandbox refers to a separate, isolated area within a system. Actions or programs that run in this sandbox are limited to this sandbox and do not affect the overall system. If the sandbox is closed, all of its content will be deleted.
Where can I find such a sandbox?
Sandboxes are already available in some operating systems. On Macs, most programs even run in their own sandbox, including newer Office programs.
A sandbox is also included in Windows 10 Enterprise, Windows 10 Professional, or Windows 10 Education versions 1809 or later. Unfortunately, it is disabled by default. You can find out how to activate it at Microsoft, for example.
If your operating system does not have a sandbox built-in, you can install a separate program for this. Many virus scanners also have a sandbox.
Since no protection is 100%
No technology is infallible, and this also applies to sandboxes. We therefore recommend that you use them prudently and always take all the measures mentioned above in addition.
Are you a Perseus member who distrusts an Office document and doesn’t want to take any risks? Then simply forward the document to us and we will check it for you.
Not a Perseus member yet? Then contact your company’s IT department… and also suggest that a procedure be defined for dealing with Office documents. Especially for all people who come into contact with potentially critical documents such as supposed applications or invoices.