Recherche : [Office] - Cyberveille

Excel(ent) Obfuscation: Regex Gone Rogue https://www.deepinstinct.com/blog/excellent-obfuscation-regex-gone-rogue

14/05/2025 19:42:34

Join Ido Kringel and the Deep Instinct Threat Research Team in this deep dive into a recently discovered, Office-based regex evasion technique

Microsoft Office-based attacks have long been a favored tactic amongst cybercriminals— and for good reason. Attackers frequently use Office documents in cyberattacks because they are widely trusted. These files, such as Word or Excel docs, are commonly exchanged in business and personal settings. They are also capable of carrying hidden malicious code, embedded macros, and external links that execute code when opened, especially if users are tricked into enabling features like macros.

Moreover, Office documents support advanced techniques like remote template injection, obfuscated macros, and legacy features like Excel 4.0 macros. These allow attackers to bypass antivirus detection and trigger multi-stage payloads such as ransomware or information-stealing malware.

Since Office files are familiar to users and often appear legitimate (e.g., invoices, resumes, or reports), they’re also highly effective tools in phishing and social engineering attacks.

This mixture of social credit and advanced attack characteristics unique to Office files, as well as compatibility across platforms and integration with scripting languages, makes them ideal for initiating sophisticated attacks with minimal user suspicion.

Last year, Microsoft announced the availability of three new functions that use Regular Expressions (regex) to help parse text more easily:

Regex are sequences of characters that define search patterns, primarily used for string matching and manipulation. They enable efficient text processing by allowing complex searches, replacements, and validations based on specific criteria.

Secrétariat d’État à la politique de sécurité (SEPOS) et Office fédéral de la cybersécurité (OFCS) : le Conseil fédéral fixe des bases légales https://www.admin.ch/gov/fr/accueil/documentation/communiques.msg-id-98807.html

23/11/2023 17:28:00

Informations actuelles de l'administration. Tous les communiqués de l'administration fédérale, des départements et des offices.

Detecting OneNote Abuse https://labs.withsecure.com/publications/detecting-onenote-abuse

06/02/2023 18:58:22

OneNote is a software part of the Office suite, commonly used within most organisations for note-keeping, task management and more. In the last year, OneNote gained more attention from a security perspective, mostly thanks to the research paper published by Emeric Nasi.

Rackspace Cloud Office suffers security breach https://doublepulsar.com/rackspace-cloud-office-suffers-security-breach-958e6c755d7f

05/12/2022 08:52:08

Thousands of small to medium size businesses are suffering as Rackspace have suffered a security incident on their Hosted Exchange service.

Yesterday, 2nd December 2022, Rackspace announced an outage to their Hosted Exchange Server:

Follina — a Microsoft Office code execution vulnerability https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

30/05/2022 11:33:04

Two days ago, Nao_sec identified an odd looking Word document in the wild, uploaded from an IP address in Belarus...

Who Needs to Exploit Vulnerabilities When You Have Macros? https://insights.sei.cmu.edu/blog/who-needs-to-exploit-vulnerabilities-when-you-have-macros/

13/02/2022 01:46:37

Recently, there has been a resurgence of malware that is spread via Microsoft Word macro capabilities....

Helping users stay safe: Blocking internet macros by default in Office https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805

13/02/2022 01:30:37

Changing Default Behavior

We’re introducing a default change for five Office apps that run macros:
VBA macros obtained from the internet will now be blocked by default.

Liens par page

Filtres