{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ms-office/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-41102"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office PowerPoint"],"_cs_severities":["medium"],"_cs_tags":["access-control","spoofing","ms-office"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-41102 describes an improper access control vulnerability affecting Microsoft Office PowerPoint. An authorized attacker with local access can exploit this vulnerability to perform spoofing. The flaw is an insufficient check on access rights within the application. Successful exploitation lets the attacker present content or interface elements that the user cannot readily distinguish from legitimate ones, which is the basis for the social engineering described below. Microsoft has released a patch to address this vulnerability, and users are urged to update their software to the latest version. 
This issue was publicly disclosed and assigned a CVSS v3.1 base score of 7.1, which falls in the High band (7.0 to 8.9) of the CVSS v3.1 qualitative scale.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains local access to a system with a vulnerable version of Microsoft PowerPoint installed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PowerPoint file or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eThe crafted file triggers the improper access control flaw (CVE-2026-41102) to manipulate what PowerPoint displays or permits.\u003c/li\u003e\n\u003cli\u003eA legitimate user opens the malicious PowerPoint file.\u003c/li\u003e\n\u003cli\u003eDue to the access control flaw, the attacker\u0026rsquo;s crafted content spoofs legitimate elements of the PowerPoint interface or functionality.\u003c/li\u003e\n\u003cli\u003eThe spoofed elements mislead the user into performing unintended actions, such as entering credentials or running content the attacker has staged.\u003c/li\u003e\n\u003cli\u003eThe attacker collects the credentials or obtains the action the spoofed content was designed to elicit.\u003c/li\u003e\n\u003cli\u003eBecause the attack vector is local and depends on the user opening the file, the impact is confined to that machine and the opening user\u0026rsquo;s context.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41102 allows a local attacker to spoof elements within Microsoft PowerPoint. This spoofing could mislead users into divulging sensitive information or performing actions that compromise their local system. While the vulnerability does not by itself yield remote code execution or denial of service, the potential for social engineering attacks makes it a significant concern. 
The CVSS v3.1 base score of 7.1 reflects high confidentiality and integrity impact, moderated by the local attack vector and the user interaction the attack requires.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-41102 in Microsoft Office PowerPoint, and confirm through your patch management tooling that the updated build is actually deployed on endpoints.\u003c/li\u003e\n\u003cli\u003eKeep Protected View enabled for files that arrive from the internet or as email attachments, and educate users about the risks of opening untrusted PowerPoint files from unknown sources.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint logs for suspicious PowerPoint activity using the Sigma rule that accompanies this brief to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:52:14Z","date_published":"2026-05-12T18:52:14Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-41102-powerpoint-spoofing/","summary":"CVE-2026-41102 is an improper access control vulnerability in Microsoft Office PowerPoint that allows an authorized attacker to perform spoofing locally.","title":"CVE-2026-41102: Microsoft PowerPoint Improper Access Control Vulnerability Leading to Local Spoofing","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-41102-powerpoint-spoofing/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Office AddIns","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike FDR"],"_cs_severities":["high"],"_cs_tags":["persistence","ms-office","add-ins","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis rule identifies persistence established through Microsoft Office add-ins. 
It focuses on the creation of files with the extensions \u003ccode\u003e.wll\u003c/code\u003e, \u003ccode\u003e.xll\u003c/code\u003e, \u003ccode\u003e.ppa\u003c/code\u003e, \u003ccode\u003e.ppam\u003c/code\u003e, \u003ccode\u003e.xla\u003c/code\u003e, and \u003ccode\u003e.xlam\u003c/code\u003e in directories such as \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\u003c/code\u003e, \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\u003c/code\u003e, and \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\u003c/code\u003e. The detection logic also carries CrowdStrike-specific conditions because CrowdStrike FDR reports file paths as NT object paths (beginning with \u003ccode\u003e\\\\Device\\\\HarddiskVolume\u003c/code\u003e rather than a drive letter), so a drive-letter pattern alone would miss those events. Word loads \u003ccode\u003e.wll\u003c/code\u003e files from its Startup folder and Excel loads \u003ccode\u003e.xll\u003c/code\u003e, \u003ccode\u003e.xla\u003c/code\u003e, and \u003ccode\u003e.xlam\u003c/code\u003e files from XLSTART automatically at every launch; the AddIns folder is the default location for Excel and PowerPoint add-ins (\u003ccode\u003e.ppa\u003c/code\u003e, \u003ccode\u003e.ppam\u003c/code\u003e) once they have been enabled in the application. Either way the attacker gets code execution each time the corresponding Office application starts, with no macro-enabled document that the user has to open. This activity matters because attackers can gain a foothold within an organization and maintain unauthorized access across reboots from a location that lives in the user\u0026rsquo;s own profile and is writable without elevation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the profile of a user who runs Office on the targeted Windows system; no elevation is needed to write there.\u003c/li\u003e\n\u003cli\u003eThe attacker writes a malicious Office add-in file (e.g., a \u003ccode\u003e.wll\u003c/code\u003e, \u003ccode\u003e.xll\u003c/code\u003e, \u003ccode\u003e.ppa\u003c/code\u003e, \u003ccode\u003e.ppam\u003c/code\u003e, \u003ccode\u003e.xla\u003c/code\u003e, or \u003ccode\u003e.xlam\u003c/code\u003e file) to one of the Office startup directories, such as \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may use a dropper or installer to place the malicious file in the startup directory.\u003c/li\u003e\n\u003cli\u003eThe user launches the corresponding Microsoft Office application (Word, Excel, PowerPoint), or relaunches it after a reboot.\u003c/li\u003e\n\u003cli\u003eThe Office application loads the malicious add-in file from the startup directory.\u003c/li\u003e\n\u003cli\u003eThe malicious add-in executes its payload, providing the attacker with persistent access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform various malicious activities, such as data exfiltration, lateral movement, or further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent unauthorized access to the compromised system. This allows the attacker to maintain a foothold within the network, potentially leading to data theft, disruption of services, or further propagation of malware. The compromised system could be leveraged as a staging point for lateral movement or for launching attacks against other internal resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (FileCreate) logging with include rules that cover the Office startup directories and add-in extensions above; Sysmon records file creations only when its configuration asks for them, so without such rules the detection logic has nothing to match.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Persistence via Microsoft Office AddIns File Creation\u0026rdquo; to your SIEM and tune it for legitimate sources in your environment, such as software distribution tools that deploy signed vendor add-ins.\u003c/li\u003e\n\u003cli\u003eMonitor image load events (Sysmon Event ID 7) for WINWORD.EXE, EXCEL.EXE, and POWERPNT.EXE loading \u003ccode\u003e.wll\u003c/code\u003e or \u003ccode\u003e.xll\u003c/code\u003e modules from user-writable locations; those two are native DLLs and appear as image loads, whereas \u003ccode\u003e.xla\u003c/code\u003e, \u003ccode\u003e.xlam\u003c/code\u003e, \u003ccode\u003e.ppa\u003c/code\u003e, and \u003ccode\u003e.ppam\u003c/code\u003e are document-format add-ins that do not.\u003c/li\u003e\n\u003cli\u003eThe startup directories sit inside the user\u0026rsquo;s own roaming profile, so restricting write access to them is rarely practical; prefer Office Trust Center policy, deployed through Group Policy, that requires application add-ins to be signed by a trusted publisher, or disables application add-ins entirely where they are not needed.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts related to file creations described by \u003ccode\u003efile.path\u003c/code\u003e and 
\u003ccode\u003efile.extension\u003c/code\u003e in the rule query.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:39:25Z","date_published":"2026-05-12T18:39:25Z","id":"https://feed.craftedsignal.io/briefs/2026-05-persistence-office-addins/","summary":"This rule detects attempts to establish persistence on Windows endpoints by abusing Microsoft Office add-ins through the creation of malicious files in Office startup directories.","title":"Persistence via Microsoft Office Add-Ins File Creation","url":"https://feed.craftedsignal.io/briefs/2026-05-persistence-office-addins/"}],"language":"en","title":"CraftedSignal Threat Feed — Ms-Office","version":"https://jsonfeed.org/version/1.1"}
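The file-creation logic of the "Persistence via Microsoft Office Add-Ins File Creation" item above, reimplemented as an added example. This is not the feed's Sigma rule nor any vendor's code: it is a plain Python matcher run over constructed Sysmon Event ID 11 message bodies (the `EventID:` line is prepended to each message by assumption, since the real event type lives in the event header, not the message text), plus one record in CrowdStrike's NT object path form so that the drive-letter and `\Device\HarddiskVolumeN` variants are both exercised. All sample records and field names are constructed for illustration.

```python
"""Added example, not the feed's Sigma rule nor any vendor's code: the file-creation
logic of the add-in persistence rule reimplemented in Python and run over
constructed Sysmon Event ID 11 messages. Records are constructed; the EventID
line is prepended to each message body by assumption so the rule can key on it."""
import re

# Add-in extensions the rule watches, mapped to the Office application that loads them.
ADDIN_LOADER = {
    ".wll": "Word",
    ".xll": "Excel", ".xla": "Excel", ".xlam": "Excel",
    ".ppa": "PowerPoint", ".ppam": "PowerPoint",
}

# Per-user startup/add-in directories named in the brief. The prefix accepts either a
# drive letter (Sysmon, Elastic, Defender) or a CrowdStrike NT object path, which
# starts with \Device\HarddiskVolumeN instead of C:.
_USER_ROAMING = (r"(?:[a-z]:|\\device\\harddiskvolume\d+)"
                 r"\\users\\[^\\]+\\appdata\\roaming\\microsoft\\")
STARTUP_DIRS = [
    re.compile(_USER_ROAMING + r"word\\startup\\", re.IGNORECASE),
    re.compile(_USER_ROAMING + r"addins\\", re.IGNORECASE),
    re.compile(_USER_ROAMING + r"excel\\xlstart\\", re.IGNORECASE),
]


def parse_sysmon_message(text):
    """Parse the 'Key: value' body of a Sysmon event message into a dict.
    Header lines such as 'File created:' have a space in the key and are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and " " not in key.strip():
            fields[key.strip()] = value.strip()
    return fields


def file_extension(path):
    """Lower-cased extension of the last backslash-separated component ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    _, dot, ext = name.rpartition(".")
    return ("." + ext).lower() if dot else ""


def evaluate(fields):
    """Apply the rule to one parsed event. Returns (matched, loading_application).
    All three conditions must hold: FileCreate event, watched extension, startup dir."""
    if fields.get("EventID") != "11":
        return False, None
    target = fields.get("TargetFilename", "")
    ext = file_extension(target)
    if ext not in ADDIN_LOADER:
        return False, None
    if not any(pattern.match(target) for pattern in STARTUP_DIRS):
        return False, None
    return True, ADDIN_LOADER[ext]


def triage(messages):
    """Run the rule over raw message texts and return one alert dict per match."""
    alerts = []
    for message in messages:
        fields = parse_sysmon_message(message)
        matched, loader = evaluate(fields)
        if matched:
            alerts.append({
                "target": fields["TargetFilename"],
                "writer": fields.get("Image", "<unknown>"),
                "loads_in": loader,
            })
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_MESSAGES = [
    # 1. A dropper writes a Word add-in DLL into the Word Startup folder: alert.
    "EventID: 11\nFile created:\n"
    "Image: C:\\Users\\alice\\Downloads\\invoice_viewer.exe\n"
    "TargetFilename: C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\Startup\\ms_update.wll",
    # 2. Same technique seen through CrowdStrike-style NT object paths: alert.
    "EventID: 11\nFile created:\n"
    "Image: \\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe\n"
    "TargetFilename: \\Device\\HarddiskVolume3\\Users\\bob\\AppData\\Roaming\\Microsoft\\AddIns\\helper.xlam",
    # 3. Excel saving a personal macro workbook into XLSTART: watched directory, unwatched extension.
    "EventID: 11\nFile created:\n"
    "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\n"
    "TargetFilename: C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB",
    # 4. An installer placing a vendor XLL under Program Files: watched extension, unwatched directory.
    "EventID: 11\nFile created:\n"
    "Image: C:\\Windows\\System32\\msiexec.exe\n"
    "TargetFilename: C:\\Program Files\\Vendor\\Tools\\analysis.xll",
    # 5. A ProcessCreate (ID 1) record for the planted file: wrong event type for this rule.
    "EventID: 1\nProcess Create:\n"
    "Image: C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\Startup\\ms_update.wll",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_MESSAGES):
        print(f"ALERT: {alert['writer']} wrote {alert['target']} "
              f"(auto-loaded by {alert['loads_in']})")
```

Records 3 and 4 are the two ways a benign event can be close to the rule without matching: an ordinary workbook in a watched directory, and a watched extension outside the user profile. Those are exactly the cases to keep in mind when tuning, because a rule that keys only on the extension, or only on the directory, alerts on both. The alert's `loads_in` field tells the analyst which Office process to check next in image-load or process telemetry.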