<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Microsoft Access - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/microsoft-access/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 18:12:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/microsoft-access/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Execution via Microsoft Office Add-Ins</title><link>https://feed.craftedsignal.io/briefs/2024-01-office-addins/</link><pubDate>Wed, 03 Jan 2024 18:12:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-office-addins/</guid><description>This rule identifies suspicious execution patterns where Microsoft Office applications launch add-ins from unusual paths or with atypical parent processes, potentially indicating initial access via a malicious phishing MS Office Add-In.</description><content:encoded><![CDATA[<p>This detection rule identifies execution of common Microsoft Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE, VSTOInstaller.exe) to launch an Office Add-In from a suspicious path or with an unusual parent process. The rule leverages process monitoring to detect when these Office applications load add-ins (wll, xll, ppa, ppam, xla, xlam, vsto) from locations like Temp directories, Downloads, or from unusual parent processes such as cmd.exe or powershell.exe. This activity may indicate an attempt to get initial access via a malicious phishing MS Office Add-In. The rule filters out known benign activities, such as Logitech software installations, VSTO uninstalls, and specific Rundll32.exe executions to minimize false positives, focusing on genuine anomalies indicative of malicious intent. The rule was last updated on 2026/04/07.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a spearphishing email with a malicious Office document or a link to download one.</li>
<li>The victim opens the malicious Office document (e.g., Word, Excel, PowerPoint).</li>
<li>The Office application executes, triggering the download and execution of a malicious add-in (wll, xll, ppa, ppam, xla, xlam, vsto) from a suspicious location (e.g., %TEMP%, Downloads).</li>
<li>Alternatively, the user may be tricked into manually installing the add-in.</li>
<li>The add-in executes within the context of the Office application (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE).</li>
<li>The malicious add-in performs malicious actions, such as downloading additional payloads, establishing command and control, or exfiltrating data.</li>
<li>The attacker leverages the compromised Office application and add-in for persistence and further exploitation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to initial access within the targeted organization. The attacker can then leverage the compromised system for further malicious activities, including data theft, lateral movement, and the installation of ransomware. The use of Office Add-Ins allows attackers to bypass traditional security controls and blend in with legitimate Office activity. Because the rule detects add-in execution, the damage ranges from initial access to lateral movement and persistence depending on the attacker objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable process creation logging in Windows via Sysmon or Windows event logging to capture process execution details. This will activate the rules below.</li>
<li>Deploy the Sigma rules provided to your SIEM to detect suspicious Office add-in execution and tune the rules for your specific environment.</li>
<li>Block execution of Office add-ins from common temporary directories like <code>%TEMP%</code> and <code>Downloads</code> using application control policies. This mitigates the risk highlighted in the &quot;Attack Chain&quot; section.</li>
<li>Regularly review and audit installed Office add-ins to identify and remove any unauthorized or suspicious add-ins.</li>
<li>Monitor process execution for unusual parent-child relationships involving Office applications, as highlighted in the Sigma rules and the attack chain.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>office-addins</category><category>initial-access</category><category>phishing</category></item></channel></rss>