Microsoft Warns of Fresh Email Spam Campaign Exploiting Old Office Vulnerability

It's an old, yet reliable exploit targeted at European users right now.

By Harpreet Singh | Updated: 10 June 2019 16:43 IST

Microsoft Warns of Fresh Email Spam Campaign Exploiting Old Office Vulnerability

Photo Credit: Twitter/ Microsoft

Highlights

Hackers are again exploiting an old Office vulnerability, says Microsoft
The malicious file can infect a user's system when they just open a file
Microsoft is asking users to update their systems, if they haven't

Microsoft issued a warning on Friday regarding a spam campaign that seems to abuse a security vulnerability in its productivity suite - Office. The campaign involves sending malicious documents that can infect users when they simply open the attached RTF document. As of now, the spam campaign is targeting European users. Microsoft's Security Intelligence account made the announcement in a series of tweets on Friday afternoon.

According to Microsoft's security researchers, the ongoing spam campaign includes RTF documents that exploit the Microsoft Office and Wordpad CVE-2017-11882 vulnerability. Users can be infected by simply opening the attached document.

An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. pic.twitter.com/Ac6dYG9vvw
— Microsoft Security Intelligence (@MsftSecIntel) June 7, 2019

The CVE-2017-11882 vulnerability enables RTF and Word documents to execute commands right when they're opened. The vulnerability was patched back in 2017, but Microsoft claims the company still sees the exploit being used in spam campaigns which have increased in the last several weeks. Microsoft is recommending users to apply security updates.

Microsoft said that when a user opens an infected attachment, the file will try to execute a number of scripts written in VBScript, PowerShell, PHP, and others to download the 'payload'. These scripts are generally downloaded from a Pastebin repository.

According to Microsoft, the 'payload' that's download on an infected user's system is an executable backdoor trojan, programmed to connect to a malicious domain. Microsoft is asking all Windows users to install the security update for this vulnerability as soon as possible.

The malicious domain has been taken down, but Microsoft says there's always a possible risk of future campaigns that may use a similar tactic to exploit the vulnerability.

In case you've already applied the November 2017 patch, you're already protected from this vulnerability. This exploit has been used several times, in an effort to target users who may have forgotten to install the software update.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Microsoft, Microsoft Office, Security

Harpreet Singh

Email Harpreet

Harpreet is the community manager at Gadgets 360. He loves all things tech, and can be found hunting for good deals when he is not shopping online. He has written about deals and e-commerce in India for many years, as well as covering social media and breaking technology news. More