Microsoft 365

Investigate Office 365 Security and Compliance Alerts in Octiga

Investigate possible Office 365 security and compliance alerts across all tenants systematically. Identify suspicious logins, external breaches, faulty inbox rules, etc., and drill down into details like risk score, severity, country of the breach, connection type, user ID, and user type, to prioritise in-app remediation in clicks.

Abusing Microsoft Office Using Malicious Web Archive Files

In November of 2021, we described several techniques used by attackers to deliver malware through infected Microsoft Office files. In addition to exploits like CVE-2021-40444, these infected documents frequently abuse VBA (Visual Basic for Applications) to execute their techniques, regardless of the final payload. Attackers also often use extra layers of protection to evade signature-based detections, like constructing PowerShell scripts and WMI namespaces at runtime, as done by Emotet.

Use Egnyte To Reduce Content Sprawl in Microsoft Teams

Microsoft Teams has exploded in popularity in recent years, going from 2 million users in 2017 to roughly 250 million today. That growth is due in no small part to the disruptions caused by the global pandemic, with employees working from home and still needing to collaborate.

Securing your M365 journey: Stopping the additional 30% of email security risks

The way in which we respond to email security risks needs to change. It’s no longer a case of reinforcing the network perimeter. The risks are now far more complex and nuanced, driven by human behaviour. From every conversation we have, Security and IT leaders tell us that people: These are a combination of both inbound and outbound threats but what they have in common is that they are human-activated risks – there’s a person behind each of them.

Locate and Protect GDPR-Related Sensitive Data in SharePoint

The General Data Protection Regulation (GDPR) established rules for handling personal information in the EU. And with strict penalties for noncompliance, it puts the onus on businesses like yours to know where all their GDPR-related data is located and how it’s treated.

How to Achieve Desired State Configuration without Managing PowerShell Code

Back in 2008, Microsoft added a new technology to PowerShell and named it Desired State Configuration or DSC. In essence, DSC is the framework that delivers and gives the user tools to maintain configuration. Desired State Configuration allows you to define your environment’s aspired state with a simple declarative syntax that has been added into the PowerShell script. It is then assigned to each target server in your environment.

The ultimate Microsoft 365 management and security tool

The hybrid work environment is a significant and challenging change we have embraced in the past two years due to the pandemic. And Microsoft 365 continues to be the most commonly chosen cloud-based work suite with 50.2 million users around the world. With cloud-based products, all we need is internet connectivity. The people, files and data we work with travel with us, irrespective of where we work from. Microsoft 365 comes with a wide array of features to simplify collaboration and communication.

New Exchange RCE vulnerability actively exploited

Exchange admins now have another exploit to deal with while still reeling from a number of high-profile attacks this year, including ProxyLogon and ProxyShell. A new high-severity Remote Code Execution (RCE) exploit for on-premise Exchange Servers has been published and is being actively exploited in the wild.

Malicious Office Documents: Multiple Ways to Deliver Payloads

Several malware families are distributed via Microsoft Office documents infected with malicious VBA code, such as Emotet, IcedID, Dridex, and BazarLoader. We have also seen many techniques employed by attackers when it comes to infected documents, such as the usage of PowerShell and WMI to evade signature-based threat detection. In this blog post, we will show three additional techniques attackers use to craft malicious Office documents.