Mar 27, 2025The Hacker NewsVulnerability / Threat IntelligenceHackers have long used Word and Excel documents as delivery vehicles for malware, and in 2025, these tricks are far from outdated. From phishing schemes to zero-click exploits, malicious Office files are still one of the easiest ways into a victim's system.Here are the top three Microsoft Office-based exploits still making the rounds this year and what you need to know to avoid them.1. Phishing in MS Office: Still Hackers' FavoritePhishing attacks using Microsoft Office files have been around for years, and they're still going strong. Why? Because they work, especially in business environments where teams constantly exchange Word and Excel documents.Attackers know that people are used to opening Office files, especially if they come from what looks like a colleague, a client, or a partner. A fake invoice, a shared report, or a job offer: it doesn't take much to convince someone to click. And once the file is open, the attacker has their chance.Phishing with Office files often aims to steal login credentials. These documents might include:Links to fake Microsoft 365 login pagesPhishing portals that mimic company tools or servicesRedirect chains that eventually land on credential-harvesting sitesIn this ANY.RUN malware analysis session, an Excel file contains malicious phishing link:View analysis session with Excel fileExcel file containing malicious link detected inside ANY.RUN sandboxWhen clicked, the victim is taken to a webpage that shows a Cloudflare "Verify you're a human" check. CloudFlare verification passed with ANY.RUN's automated interactivityAfter clicking through, there's another redirect; this time to a fake Microsoft login page.Malicious link to fake Microsoft login page with random charactersAt first glance, it might look real. But inside the ANY.RUN sandbox, it's easy to spot red flags. The Microsoft login URL isn't official; it's filled with random characters and clearly doesn't belong to Microsoft's domain. Give your team the right tool to detect, investigate, and report threats faster in a secure environment. Get a trial of ANY.RUN to access advanced malware analysis This fake login page is where the victim unknowingly hands over their login credentials straight to the attacker.Attackers are also getting more creative. Lately, some phishing documents come with QR codes embedded in them. These are meant to be scanned with a smartphone, sending the victim to a phishing website or triggering a malware download. However, they can be detected and analyzed with tools like ANY.RUN sandbox too.2. CVE-2017-11882: The Equation Editor Exploit That Won't DieFirst discovered in 2017, CVE-2017-11882 is still exploited today, in environments running outdated versions of Microsoft Office.This vulnerability targets the Microsoft Equation Editor - a rarely used component that was part of older Office builds. Exploiting it is dangerously simple: just opening a malicious Word file can trigger the exploit. No macros, no extra clicks needed.In this case, the attacker uses the flaw to download and run a malware payload in the background, often through a remote server connection. In our analysis session, the payload delivered was Agent Tesla, a known info-stealer used to capture keystrokes, credentials, and clipboard data.View analysis session with malicious payloadPhishing email containing malicious Excel attachmentIn the MITRE ATT&CK section of this analysis, we can see how ANY.RUN sandbox detected this specific technique used in the attack:Exploitation of Equation Editor detected by ANY.RUNAlthough Microsoft patched the vulnerability years ago, it's still useful for attackers targeting systems that haven't been updated. And with macros disabled by default in newer Office versions, CVE-2017-11882 has become a fallback for cybercriminals who want guaranteed execution.3. CVE-2022-30190: Follina's Still in the GameThe Follina exploit (CVE-2022-30190) continues to be a favorite among attackers for one simple reason: it works without macros and doesn't require any user interaction beyond opening a Word file.Follina abuses the Microsoft Support Diagnostic Tool (MSDT) and special URLs embedded in Office documents to execute remote code. That means just viewing the file is enough to launch malicious scripts, often PowerShell-based, that contact a command-and-control server.View analysis session with FollinaFollina technique detected inside ANY.RUN sandboxIn our malware analysis sample, the attack went a step further. We observed the "stegocampaign" tag, which indicates the use of steganography - a technique where malware is hidden inside image files. Use of Steganography in the attackThe image is downloaded and processed using PowerShell, extracting the actual payload without raising immediate alarms.Image with malicious payload analyzed inside ANY.RUNTo make matters worse, Follina is often used in multi-stage attack chains, combining other vulnerabilities or payloads to increase the impact.What This Means for Teams Using MS OfficeIf your team relies heavily on Microsoft Office for day-to-day work, the attacks mentioned above should be a wake-up call.Cybercriminals know Office files are trusted and widely used in business. That's why they continue to exploit them. Whether it's a simple Excel sheet hiding a phishing link or a Word document silently running malicious code, these files can pose serious risks to your organization's security.Here's what your team can do:Review how Office documents are handled internally; limit who can open or download files from outside sources.Use tools like ANY.RUN sandbox to inspect suspicious files in a safe, isolated environment before anyone on your team opens them.Update all Office software regularly and disable legacy features like macros or the Equation Editor where possible.Stay informed about new exploit techniques tied to Office formats so your security team can respond quickly.Analyze Mobile Malware with ANY.RUN's New Android OS SupportThe threat doesn't stop at Office files. Mobile devices are now a key target, and attackers are spreading malware through fake apps, phishing links, and malicious APKs.This means a growing attack surface for businesses and the need for broader visibility.With ANY.RUN's new Android OS support, your security team can now:Analyze Android malware in a real mobile environmentInvestigate suspicious APK behavior before it hits production devicesRespond to mobile threats faster and with more claritySupport incident response across both desktop and mobile ecosystemsIt's a big step toward complete coverage and it's available on all plans, including free.Start your first Android threat analysis today and give your security analysts the visibility they need to protect your mobile attack surface.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE