{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-access/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Word","Microsoft Excel","Microsoft PowerPoint","Microsoft Access"],"_cs_severities":["medium"],"_cs_tags":["office-addins","initial-access","phishing"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies execution of common Microsoft Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE, VSTOInstaller.exe) to launch an Office Add-In from a suspicious path or with an unusual parent process. The rule leverages process monitoring to detect when these Office applications load add-ins (wll, xll, ppa, ppam, xla, xlam, vsto) from locations like Temp directories, Downloads, or from unusual parent processes such as cmd.exe or powershell.exe. This activity may indicate an attempt to get initial access via a malicious phishing MS Office Add-In. The rule filters out known benign activities, such as Logitech software installations, VSTO uninstalls, and specific Rundll32.exe executions to minimize false positives, focusing on genuine anomalies indicative of malicious intent. The rule was last updated on 2026/04/07.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a spearphishing email with a malicious Office document or a link to download one.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious Office document (e.g., Word, Excel, PowerPoint).\u003c/li\u003e\n\u003cli\u003eThe Office application executes, triggering the download and execution of a malicious add-in (wll, xll, ppa, ppam, xla, xlam, vsto) from a suspicious location (e.g., %TEMP%, Downloads).\u003c/li\u003e\n\u003cli\u003eAlternatively, the user may be tricked into manually installing the add-in.\u003c/li\u003e\n\u003cli\u003eThe add-in executes within the context of the Office application (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE).\u003c/li\u003e\n\u003cli\u003eThe malicious add-in performs malicious actions, such as downloading additional payloads, establishing command and control, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised Office application and add-in for persistence and further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to initial access within the targeted organization. The attacker can then leverage the compromised system for further malicious activities, including data theft, lateral movement, and the installation of ransomware. The use of Office Add-Ins allows attackers to bypass traditional security controls and blend in with legitimate Office activity. Because the rule detects add-in execution, the damage ranges from initial access to lateral movement and persistence depending on the attacker objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging in Windows via Sysmon or Windows event logging to capture process execution details. This will activate the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to your SIEM to detect suspicious Office add-in execution and tune the rules for your specific environment.\u003c/li\u003e\n\u003cli\u003eBlock execution of Office add-ins from common temporary directories like \u003ccode\u003e%TEMP%\u003c/code\u003e and \u003ccode\u003eDownloads\u003c/code\u003e using application control policies. This mitigates the risk highlighted in the \u0026quot;Attack Chain\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit installed Office add-ins to identify and remove any unauthorized or suspicious add-ins.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for unusual parent-child relationships involving Office applications, as highlighted in the Sigma rules and the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:12:00Z","date_published":"2024-01-03T18:12:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-office-addins/","summary":"This rule identifies suspicious execution patterns where Microsoft Office applications launch add-ins from unusual paths or with atypical parent processes, potentially indicating initial access via a malicious phishing MS Office Add-In.","title":"Suspicious Execution via Microsoft Office Add-Ins","url":"https://feed.craftedsignal.io/briefs/2024-01-office-addins/"}],"language":"en","title":"CraftedSignal Threat Feed - Microsoft Access","version":"https://jsonfeed.org/version/1.1"}