Skip to content
Threat Feed

Product

Microsoft Office

8 briefs RSS
low advisory

Microsoft Office 'Office Test' Registry Persistence Abuse

Attackers modify the Microsoft Office 'Office Test' Registry key to achieve persistence by specifying a malicious DLL that executes upon application startup.

Microsoft Office +4 persistence registry windows
2r 2t
medium advisory

XSL Script Execution via COM Interface in Microsoft Office

Adversaries may exploit Microsoft Office applications to execute malicious JScript or VBScript by leveraging the Microsoft.XMLDOM COM interface to process and transform XML documents using XSL scripts, potentially leading to initial access or defense evasion.

Microsoft Office +3 xsl-script com-interface office-macro
2r 5t
medium advisory

Suspicious Execution via Microsoft Office Add-Ins

This rule detects suspicious execution of Microsoft Office applications launching Office Add-Ins from unusual paths or with atypical parent processes, potentially indicating an attempt to gain initial access via a malicious phishing campaign.

Microsoft Office +5 office-addins phishing initial-access
3r 3t
medium advisory

Suspicious MS Office Child Process

Detects suspicious child processes of Microsoft Office applications, indicating potential exploitation or malicious macros for initial access, defense evasion, and execution.

Microsoft Office +4 initial-access defense-evasion execution discovery windows
2r 18t
medium advisory

Persistence via Visual Studio Tools for Office (VSTO) Add-ins

The Visual Studio Tools for Office (VSTO) add-ins can be abused by attackers to establish persistence in Microsoft Office applications by modifying registry keys.

Microsoft Office +1 persistence office vsto
2r 1t
medium advisory

Office Application Autorun Registry Key Modification

Adversaries modify Office application autostart extensibility point (ASEP) registry keys to achieve persistence and execute malicious code when Office applications are launched.

Microsoft Office attack.privilege-escalation attack.persistence attack.t1547.001
2r 1t
medium advisory

MS Office Macro Security Registry Modifications

Attackers may modify Microsoft Office registry settings related to macro security (AccessVBOM, VbaWarnings) to disable security warnings, enabling malicious macros for persistence and further compromise.

Microsoft Office office macro registry defense-evasion windows
2r 2t
medium advisory

Detection of Office Macro File Creation

This brief outlines a threat involving the creation of new Office macro files, potentially indicating malicious activity such as phishing or malware distribution, targeting Windows systems.

Microsoft Office initial-access phishing macro
2r 1t