Threat Feed
medium advisory

Suspicious Execution via Microsoft Office Add-Ins

This rule detects Microsoft Office applications launching Office add-ins from unusual paths or under atypical parent processes, a pattern consistent with an attempt to gain initial access through a malicious phishing campaign.

Attackers increasingly use malicious Microsoft Office add-ins to gain initial access and persistence on victim systems. The add-ins are typically delivered through phishing campaigns and carry embedded malicious code. This detection looks for unusual execution patterns in process-creation telemetry: Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE) or the VSTO add-in installer (VSTOInstaller.exe) launching add-in files (wll, xll, ppa, ppam, xla, xlam, vsto) from suspicious locations such as Temp or Downloads directories, or under atypical parent processes (explorer.exe, OpenWith.exe, cmd.exe, powershell.exe). To limit false positives, the detection logic excludes known benign activity, such as Logitech software installations, and keeps the focus on anomalies indicative of malicious intent. This matters because a successfully loaded add-in yields arbitrary code execution inside the Office process, which can be followed by data theft and further compromise of the victim's network.

Attack Chain

  1. A user receives a phishing email containing a malicious Microsoft Office document.
  2. The user opens the document, which prompts them to enable macros or install an add-in.
  3. The malicious add-in (wll, xll, ppa, ppam, xla, xlam, vsto) is downloaded from a remote server or dropped into a suspicious directory, such as %TEMP% or %APPDATA%.
  4. The user opens the add-in, or a document that references it, with an Office application (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE), which loads the add-in into the Office process.
  5. The malicious add-in executes arbitrary code, potentially downloading and executing a second-stage payload.
  6. The add-in may establish persistence by modifying registry keys or creating scheduled tasks.
  7. With a foothold on the system, the attacker performs reconnaissance, lateral movement, and data exfiltration.
  8. The attacker achieves their objective, which could include theft of data or intellectual property, or ransomware deployment.

Impact

A successful attack can lead to complete system compromise, data theft, and potential ransomware deployment. Organizations across all sectors are at risk, particularly those with a high volume of email traffic. The use of malicious Office Add-Ins provides attackers with a persistent foothold within the victim’s environment, allowing for long-term data collection and disruption of business operations. This can lead to significant financial losses, reputational damage, and legal liabilities.

Recommendation

  • Deploy the Sigma rule Office Add-In Loaded From Suspicious Path to detect add-ins loaded from temporary or download directories, keyed on process.name and process.args.
  • Deploy the Sigma rule Office Add-In Loaded By Suspicious Parent to detect add-ins loaded by cmd.exe or powershell.exe, keyed on process.parent.name.
  • Investigate any instances of VSTOInstaller.exe executing with the /Uninstall argument. The add-in rules exclude this condition to reduce noise, so it is covered by a separate info-level rule and needs its own review rather than being assumed benign.
  • Monitor for Office applications launching add-ins under parent processes of explorer.exe or OpenWith.exe using process creation logs and the provided query logic.
  • Implement stricter email filtering to prevent phishing emails containing malicious Office documents from reaching end-users.
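The following is an added example, not the platform's own Sigma rules or queries, showing the three detections described above (add-in from a suspicious path, add-in with a suspicious parent, and VSTOInstaller.exe /Uninstall) evaluated over constructed process-creation events. Field names follow Elastic Common Schema (process.name, process.args, process.parent.name) as an assumption, and the Logitech exclusion is modelled as "add-in under a Logitech directory", which is a guess at the shape of the real benign filter.

```python
import re

# Host processes named in the advisory; compared case-insensitively.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "vstoinstaller.exe"}
# Add-in file types named in the advisory, matched at the end of an argument.
ADDIN_EXT = re.compile(r"\.(wll|xll|ppa|ppam|xla|xlam|vsto)$", re.IGNORECASE)
# A Temp or Downloads path component anywhere in the argument; this covers
# %TEMP% (AppData\Local\Temp) as well as the user's Downloads folder.
SUSPICIOUS_DIR = re.compile(r"[\\/](temp|downloads)[\\/]", re.IGNORECASE)
# Parents the "Loaded By Suspicious Parent" rule keys on.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe"}
# Parents the advisory calls atypical but which are also the normal parent of a
# double-clicked file; reported as context on a hit, not as a hit on their own.
ATYPICAL_PARENTS = {"explorer.exe", "openwith.exe"}
# Assumed shape of the benign exclusion (Logitech installs): the real rule may differ.
BENIGN_PATH = re.compile(r"[\\/]logitech[\\/]", re.IGNORECASE)


def addin_args(event):
    """Return the command-line arguments that name an add-in file."""
    return [a for a in event.get("process.args", []) if ADDIN_EXT.search(a)]


def evaluate(event):
    """Return the names of the detections triggered by a single process-creation event."""
    name = event.get("process.name", "").lower()
    if name not in OFFICE_HOSTS:
        return []
    args = event.get("process.args", [])
    # Info-level rule: VSTOInstaller.exe run with /Uninstall. The advisory excludes
    # this condition from the two add-in rules, so return before evaluating them.
    if name == "vstoinstaller.exe" and any(a.lower() == "/uninstall" for a in args):
        return ["vsto_uninstall"]
    addins = addin_args(event)
    if not addins or any(BENIGN_PATH.search(a) for a in addins):
        return []
    hits = []
    if any(SUSPICIOUS_DIR.search(a) for a in addins):
        hits.append("addin_from_suspicious_path")
    if event.get("process.parent.name", "").lower() in SUSPICIOUS_PARENTS:
        hits.append("addin_with_suspicious_parent")
    return hits


def triage(events):
    """Evaluate a batch and return only the events that fired, with parent context."""
    results = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            parent = ev.get("process.parent.name", "").lower()
            results.append({"id": ev["id"], "hits": hits, "atypical_parent": parent in ATYPICAL_PARENTS})
    return results


# Constructed sample events (not real telemetry). Paths, user names and file
# names are invented to exercise each branch of the logic above.
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    # 1: .xll double-clicked from Downloads -> suspicious path, normal (but atypical) parent
    {"id": 1, "process.name": "EXCEL.EXE", "process.parent.name": "explorer.exe",
     "process.args": [OFFICE16 + r"\EXCEL.EXE", r"C:\Users\alice\Downloads\invoice.xll"]},
    # 2: .wll in %TEMP% launched by PowerShell -> both add-in rules fire
    {"id": 2, "process.name": "WINWORD.EXE", "process.parent.name": "powershell.exe",
     "process.args": [OFFICE16 + r"\WINWORD.EXE", r"C:\Users\bob\AppData\Local\Temp\report.wll"]},
    # 3: VSTOInstaller uninstall -> info-level rule only, even though the .vsto sits in Temp
    {"id": 3, "process.name": "VSTOInstaller.exe", "process.parent.name": "msiexec.exe",
     "process.args": [r"C:\VSTO\VSTOInstaller.exe", "/Uninstall", r"C:\Users\bob\AppData\Local\Temp\Addin.vsto"]},
    # 4: Logitech add-in -> excluded as benign
    {"id": 4, "process.name": "EXCEL.EXE", "process.parent.name": "explorer.exe",
     "process.args": [OFFICE16 + r"\EXCEL.EXE", r"C:\Program Files\Logitech\Options\Excel\LogiOptions.xlam"]},
    # 5: add-in from Documents under explorer.exe -> nothing fires
    {"id": 5, "process.name": "EXCEL.EXE", "process.parent.name": "explorer.exe",
     "process.args": [OFFICE16 + r"\EXCEL.EXE", r"C:\Users\alice\Documents\budget.xlam"]},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r)
```

Event 1 is the case the fourth recommendation is about: explorer.exe is the parent of every double-clicked file, so on its own it is not a signal, which is why the example reports it as context alongside the suspicious-path hit rather than as a separate detection. Tune SUSPICIOUS_DIR and BENIGN_PATH to the environment before relying on either; both are assumptions here.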

Detection coverage (3 rules)

Office Add-In Loaded From Suspicious Path

medium

Detects Microsoft Office applications loading add-ins from suspicious paths such as Temp or Downloads.

Format: Sigma. Tactics: initial_access, persistence. Techniques: T1137.006, T1566.001. Sources: process_creation, windows.

Office Add-In Loaded By Suspicious Parent

high

Detects Microsoft Office applications loading add-ins with a suspicious parent process like cmd.exe or powershell.exe.

Format: Sigma. Tactics: execution, initial_access. Techniques: T1204.002, T1566.001. Sources: process_creation, windows.

VSTOInstaller executing uninstall

info

Detects VSTOInstaller.exe executing with the /Uninstall argument.

Format: Sigma. Tactics: defense_evasion. Techniques: T1070. Sources: process_creation, windows.
