How to better protect against malware from Office documents


85% of all German companies use Microsoft Office as their office software of choice. Many documents are also created, edited and shared privately with Word & Co. But cybercriminals like to use Office programs too, namely to spread malware. We tell you how you can better protect yourself against this.

How cybercriminals can abuse Office documents

Office documents are popular gateways for cybercriminals. Not only because of the widespread use of Microsoft programs, but also because Office documents can contain active content: macros and embedded objects. This active content is ultimately a small program that Office runs with the same rights as the user who opened the document. And cybercriminals can use it for their own purposes. For example, such a program can download malware from the Internet and start it.

Some companies and institutions take drastic protective measures against such attacks. For example, they automatically delete every e-mail that has an Office document attached at all. Or every e-mail whose attached Office documents contain active content. In contrast, PDF documents are usually accepted as attachments, even though PDFs can carry active content as well.

The protective measures recommended below do not go that far. Therefore, you also play an essential part. Your eye, your attention, or even just your gut feeling that something is wrong with a document or an e-mail attachment can prevent major damage. So stay alert.

Action 1: Distrust all Office documents that are not specifically announced

What is the ideal case when you receive malware in the form of an Office document? You recognize the document as suspicious and don’t open it. You have already stopped the possible attack at the first step. Bravo!
You should therefore treat all incoming Office documents critically. Especially surprising invoices, reminders or order confirmations that arrive by e-mail, and especially ones you did not ask for and whose sender you cannot verify.

Action 2: Do not open documents with administrator rights

What are administrator rights?

Computers must be managed, set up and updated. This requires deep intervention in the system. Whoever takes on this task is considered an administrator and needs full access to the entire system. These unrestricted access rights are therefore also called administrator rights.

What is problematic about administrator rights?

Because administrator rights allow unrestricted access to a computer, their misuse can cause enormous damage. It is enough for a malicious program to run with administrator rights: it inherits them, and can then make any change it wants to your computer, install further software, switch off protective programs and read the data of all other users.

What to do?

  • As a matter of principle, do not work with administrator rights, but in a user account with deliberately restricted access rights. Give the two accounts different passwords, so that an everyday password that has been stolen does not also unlock the administrator account. Here you will find instructions on how to create a user account on a PC running Windows and on a Mac.
  • Do not open Office documents (or any other files) with administrator privileges.
  • If you get a message that you need administrator rights when opening an Office document, cancel the operation immediately. Reading a document never requires administrator rights. Do not open the document under any circumstances.

Action 3: Disable macros

What are macros?

The term macro comes from software programming. There, macros are small subroutines that are often used like building blocks. They usually contain the program code of multi-step processes, which then no longer have to be programmed manually step by step.
Because the principle is so practical, Microsoft has made it usable in Office programs for users without programming knowledge. Here, multi-step processes can simply be recorded, saved as a macro and then repeated as often as required. Behind the scenes, a macro is program code in Visual Basic for Applications (VBA), and a macro can be set to run automatically when the document is opened. For example, if the current date is to be displayed in several places in a document, the corresponding macro updates it automatically when the document is opened or saved.

Why are macros problematic?

Macros are small programs that are stored inside an Office document and can run automatically as soon as the document is opened, provided macros are allowed for that document. In everyday office life, this is helpful if the macro fulfills a desired function, such as the date update mentioned above.

It becomes problematic when a macro has been written by cybercriminals. Because then their program runs. What it does depends on the cybercriminals’ goals. Maybe it just opens countless new documents. Or it downloads malicious programs from the Internet that encrypt your files and demand a ransom. Virtually anything that can be programmed is possible, with the rights of the account that opened the document.

What to do?

Usually you don’t have to do anything, because macros are disabled by default in Office programs: the document opens, but its macros are blocked and a notification bar offers to enable them. This is true for both PCs and Macs, and current versions of Office additionally block macros outright in files that arrived from the Internet. Our advice: play it safe and check that macros are disabled on your end. On a PC you find the setting under File > Options > Trust Center > Trust Center Settings > Macro Settings.
Here you can find Microsoft’s instructions for disabling and enabling macros for PC and for Mac.

Action 4: Do not activate macros manually either

As mentioned, macros are disabled by default in current Office programs. But often they can be enabled manually with a single click on the notification bar. We advise: don’t do it! And if you are asked to do so? Then be sure to consult the person responsible for IT.
Cybercriminals are sometimes very clever at getting you to activate macros. For example, the Emotet Trojan, which was feared for years, sent out extremely authentic-looking e-mails, most of which contained an Office attachment. The text of the e-mail, or an image inside the document itself, explicitly asked to activate the macros in the attached document. Only then could the malicious code hidden in the document become active. Even though the Emotet infrastructure was dismantled in early 2021, this attack tactic is still in use by others. Therefore, we advise the utmost caution.

Action 5: Do not activate OLE manually either

What is OLE?

Microsoft’s OLE stands for Object Linking and Embedding, i.e. the linking or embedding of objects. Such objects can include, for example, graphics, videos and tables. If a table is linked in a Word document, the table stays in its own Excel file and the Word document only refers to it. If, on the other hand, the table is embedded in Word, a copy of it is stored inside the Word document and can be edited there in place. An embedded object can be any file at all, including a script or an executable program, which Office displays as an icon in the document and hands to the associated program when you double-click it. For cybercriminals, this means an opportunity to hide malicious code in a document.

Why are OLE objects problematic?

OLE objects manipulated by cybercriminals mostly have to be clicked to become active. Various tricks are used to get you to do this. For example, the object may look like a field in which you are supposed to enter a security code, or like a blurred preview with a “click to view” note. Or the accompanying e-mail prompts you to double-click the object.

What to do?

Do not enable embedded objects. If you are asked to do just that, be sure to consult us.
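Both the macro section above and this OLE section come down to one question you would like to answer without opening the file in Office at all: does this document carry active content? The following script is an added example, not Perseus code and not part of the original article. It inspects a document in the modern Office Open XML format (.docx, .docm, .xlsm and so on), which is a zip container: a VBA macro project is stored as a vbaProject.bin part, embedded OLE objects sit under an embeddings/ folder, and the .rels parts record every link to something outside the document, such as a remote template. Legacy binary files (.doc, .xls) are recognised by their signature but not parsed, so they are reported as “do not open”. The sample documents built inside the script are constructed for this example and contain placeholders, not real macros.

```python
"""Offline triage of an Office attachment: macros, embedded objects, remote links?
Added example; nothing here opens the file in Office."""
import io
import re
import sys
import zipfile

# Legacy binary formats (.doc/.xls/.ppt) are OLE2 compound files with this signature.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# In Office Open XML, VBA lives in a vbaProject.bin part and embedded OLE objects
# under an embeddings/ folder.
VBA_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
EMBEDDING_PART = re.compile(r"(^|/)embeddings/", re.IGNORECASE)
RELATIONSHIP_TAG = re.compile(r"<Relationship\b[^>]*>", re.IGNORECASE)


def _attr(tag, name):
    """Return the value of XML attribute `name` inside one tag, or None."""
    m = re.search(r'\b%s="([^"]*)"' % name, tag)
    return m.group(1) if m else None


def triage(data):
    """Classify raw file bytes; returns findings plus a verdict string."""
    result = {"format": "unknown", "macros": False, "embedded_objects": [],
              "external_links": [], "verdict": "unknown"}
    if data.startswith(OLE2_MAGIC):
        # Macro/object streams in the legacy format need a compound-file parser
        # (e.g. oletools); this script does not attempt it and errs on the safe side.
        result["format"] = "legacy binary (OLE2)"
        result["verdict"] = "do not open: legacy binary format, contents not inspected"
        return result
    if not data.startswith(b"PK\x03\x04"):
        result["verdict"] = "do not open: not a recognised Office container"
        return result
    result["format"] = "Office Open XML"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            result["macros"] = any(VBA_PART.search(n) for n in names)
            result["embedded_objects"] = [n for n in names if EMBEDDING_PART.search(n)]
            # .rels parts list every relationship; TargetMode="External" means the
            # target is outside the package (hyperlink, remote template, linked object).
            for n in names:
                if not n.lower().endswith(".rels"):
                    continue
                xml = z.read(n).decode("utf-8", "replace")
                for tag in RELATIONSHIP_TAG.findall(xml):
                    if (_attr(tag, "TargetMode") or "").lower() == "external":
                        rel_type = (_attr(tag, "Type") or "").rsplit("/", 1)[-1]
                        result["external_links"].append((rel_type, _attr(tag, "Target")))
    except zipfile.BadZipFile:
        result["verdict"] = "do not open: corrupt or malformed container"
        return result
    reasons = []
    if result["macros"]:
        reasons.append("VBA macro project")
    if result["embedded_objects"]:
        reasons.append("embedded objects")
    # Plain hyperlinks are listed above but are not by themselves a reason to block.
    if any(t != "hyperlink" for t, _ in result["external_links"]):
        reasons.append("links to remote content")
    result["verdict"] = ("do not open: " + ", ".join(reasons) if reasons
                         else "no active content found (not proof of safety)")
    return result


# --- constructed sample documents (placeholders, not real macros or objects) ---
CONTENT_TYPES = ('<?xml version="1.0"?><Types xmlns='
                 '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def _build_ooxml(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


def sample_clean_docx():
    return _build_ooxml({
        "[Content_Types].xml": CONTENT_TYPES,
        "word/document.xml": "<w:document/>",
        "word/_rels/document.xml.rels": '<Relationships><Relationship Id="rId1" '
            'Type="%sstyles" Target="styles.xml"/></Relationships>' % REL_NS,
    })


def sample_malicious_docm():
    # Macro part, embedded object and a remote template (example.invalid is a
    # reserved, non-resolving domain).
    return _build_ooxml({
        "[Content_Types].xml": CONTENT_TYPES,
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"\x00placeholder, not a real VBA project\x00",
        "word/embeddings/oleObject1.bin": b"\x00placeholder\x00",
        "word/_rels/settings.xml.rels": '<Relationships><Relationship Id="rId1" '
            'Type="%sattachedTemplate" Target="http://example.invalid/template.dotm" '
            'TargetMode="External"/></Relationships>' % REL_NS,
    })


if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        with open(path, "rb") as fh:
            print(path, "->", triage(fh.read())["verdict"])
    if len(sys.argv) == 1:
        print("constructed sample ->", triage(sample_malicious_docm())["verdict"])
```

Run it as `python triage.py attachment.docx` on the file you were sent; a “do not open” verdict is a reason to forward the file to IT rather than to double-click it. Note that a clean verdict only means this script found no macros, embedded objects or remote links in the zip structure; it does not detect exploits of bugs in Office itself, which is why the other measures on this page still apply.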

Action 6: Open documents in sandboxes

What is a sandbox?

In IT, a sandbox refers to a separate, isolated area within a system. Actions or programs executed in this sandbox remain limited to it and do not affect the overall system. In a disposable sandbox such as Windows Sandbox, all of its contents are deleted when the sandbox is closed, so whatever a malicious document did in there is gone with it.

Where can I find such a sandbox?

Sandboxes are already available in some operating systems. On Macs, most programs even run in their own sandbox, including newer Office programs. Note that this only limits what Word or Excel as a whole may touch; a macro still has everything the Office program itself is allowed to access, so this is containment, not immunity.
In Windows 10 Enterprise, Windows 10 Professional or Windows 10 Education in versions 1809 or higher, Windows Sandbox is also included, as an optional feature. Unfortunately, it is disabled by default and has to be turned on first. You can find out how to activate it, for example, at Microsoft.
If your operating system does not have a sandbox integrated, you can install a separate program for this purpose. Many virus scanners also have a sandbox.

Because no protection is 100%

No technology is infallible, and this also applies to sandboxes. We therefore recommend using them prudently and always taking all the measures already mentioned above in addition.

Action 7: When in doubt, ask professionals

You are a Perseus member, distrust an Office document and don’t want to take any risks? Then simply forward us the document and we will review it for you.

You are not a Perseus member yet? Then contact your company’s IT department, and also suggest that a procedure be established for handling Office documents. Especially for anyone who regularly comes into contact with potentially critical documents such as supposed job applications or invoices.