In 2025, Word and Excel remain favorite tools of cybercriminals. From phishing attacks to zero-click exploits, opening an ordinary document can be the first step toward a full system compromise.

1. Microsoft Office Phishing: A Classic That Still Works
Despite years of countermeasures, phishing through Word and Excel documents remains the most effective attack method.
Attackers skillfully disguise malicious files as routine email attachments:
The victim opens the Excel file → clicks on the link → goes through Cloudflare verification → lands on a fake Microsoft login page. There, they enter their username and password, which are instantly sent to the attackers.
ANY.RUN Sandbox allows you to detect such attacks before they affect end users.
2. CVE-2017-11882: A Vulnerability That Survived Patches
This exploit, which works through the Equation Editor, affects older versions of Microsoft Office.
The user simply opens the file – and the malicious code is executed automatically, without macros or additional actions.
In the ANY.RUN example, the payload was Agent Tesla, malware that steals passwords, keystrokes and clipboard contents.
Despite the patch, many systems have not yet been updated, so this vulnerability lives on – like an old lock that everyone forgot to replace.
3. CVE-2022-30190 (“Follina”): A Bomb Without a Click
This exploit uses MSDT (Microsoft Support Diagnostic Tool) and embedded URLs.
Opening the document is enough to launch a PowerShell script that connects to the attacker’s server.
What is particularly dangerous is that:
– no macros are required;
– no click inside the document is needed;
– the attack may use steganography (code hidden in pictures).
What to do:
– Restrict opening documents from external sources;
– Check suspicious files in sandbox environments (ANY.RUN);
– Disable old Office features (macros, Equation Editor);
– Update software constantly;
– Train teams to recognize phishing and anomalous actions.