In recent years companies and Microsoft have increased hardening against malicious Office documents. Hence, we started a quest for unexplored Office features that could be abused for phishing. After various research directions, we identified “code side-loading in signed documents” as an innovative approach for phishing.
We identified vulnerabilities in various Microsoft signed Office add-in’s and believe that there are many more unidentified. For example, the MS Office installation comes with signed Microsoft Analysis ToolPak Excel add-ins (.XLAM file type) which are vulnerable to multiple code injections (CVE-2021-28449). An attacker can abuse the provided file (LOLFile) and embed malicious code without invalidating the signature for use in phishing scenarios.
This presentation will cover the process of finding, exploiting and weaponising this class of vulnerabilities and the complexities in mitigations.
