Novel Microsoft Office Exploit Sees Success

Monreal IT Mar 22, 2024 2:52:04 PM

In-the-wild sightings of the remote access trojan NetSupport RAT have spiked in recent days. The folks over at The Hacker News recently detailed how Perception Point, an Israeli cybersecurity company, is monitoring the new attack, dubbed “Operation PhantomBlu.”

More Sophisticated

This phishing campaign is more sophisticated in that, among other things, it leverages a legitimate marketing platform, Brevo. The attackers do this to circumvent sender reputation restrictions, which often thwart typical phishing attempts. Here’s a summary of how the attack looks in real life:

“…hundreds of employees in various US-based organizations received email messages seemingly from an accounting service. Using social engineering, threat actors lure recipients into downloading the attached Office Word file (.docx) to view their ‘monthly salary report.’”

The email contains further instructions to enter a password, provided in the email, and to enable editing. It then says to click on a printer icon within the Word document to “view the salary graph.” The printer icon is actually a ZIP file that contains other files necessary for the NetSupport RAT to perform its functions, including data exfiltration.
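A triage check for an attachment like the one described above, as an added example that is not from the original post or from Perception Point: it flags a password-protected .docx, whose contents cannot be listed without the password, and for an unencrypted one lists embedded OLE objects and any ZIP archive carried inside them. The function names, flag labels and sample bytes are constructed for illustration, and the checks are heuristics rather than a full parser.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")       # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                            # ZIP local file header (plain .docx)
ENC_NAME = "EncryptedPackage".encode("utf-16-le")    # stream name in password-protected OOXML
REL_RE = re.compile(rb'Type="[^"]*/relationships/(oleObject|package)"')

def triage_docx(data: bytes) -> dict:
    """Classify a .docx attachment and list embedded objects (heuristic triage)."""
    out = {"container": "unknown", "encrypted": False, "embedded": [], "flags": []}
    if data.startswith(OLE_MAGIC):
        # A password-protected .docx is an OLE2 file wrapping an EncryptedPackage
        # stream; its parts cannot be listed until it is decrypted.
        out["container"] = "ole2"
        out["encrypted"] = ENC_NAME in data
        out["flags"].append("password-protected" if out["encrypted"] else "ole2-named-docx")
    elif data.startswith(ZIP_MAGIC):
        out["container"] = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.startswith("word/embeddings/"):
                    out["embedded"].append(name)
                    if ZIP_MAGIC in zf.read(name):   # archive carried inside the object
                        out["flags"].append(f"zip-inside:{name}")
                elif name.endswith(".rels") and REL_RE.search(zf.read(name)):
                    out["flags"].append(f"ole-relationship:{name}")
    return out

def sample_docx() -> bytes:
    """Constructed sample: a minimal .docx-shaped ZIP with one embedded object."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("placeholder.txt", "constructed stand-in content")
    rels = ('<Relationships><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/oleObject" '
            'Target="embeddings/oleObject1.bin"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\0" * 24 + inner.getvalue())
    return buf.getvalue()

# Constructed stub of a password-protected file: OLE2 magic plus the stream name.
SAMPLE_ENCRYPTED = OLE_MAGIC + b"\0" * 504 + ENC_NAME

if __name__ == "__main__":
    print(triage_docx(sample_docx()))
    print(triage_docx(SAMPLE_ENCRYPTED))
```

A mail gateway or SOC script could route anything flagged `password-protected` or `zip-inside:` to manual review, since the first case cannot be scanned automatically at all.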

Using Legitimate Platforms

The willingness of attackers to leverage high-reputation service providers and platforms, and to combine the abuse of OLE templates with social engineering, demonstrates an increase in the desperation and sophistication of today’s attackers. Born out of necessity, in an almost natural response to the world’s increased cybersecurity, they’re becoming more resourceful, and their techniques more advanced, with each passing day. Now's a good time to look at partnering with an MSSP or MSSP+.

Train Your People

An additional solution is to educate your staff. This pattern will continue for the foreseeable future, so the public and professionals utilizing IT infrastructure must remain vigilant and educated. If you don’t know what you’re looking for, you’ll miss it, and you only have to miss once. For that reason, implementing a good security awareness training program is strongly advised. We recommend Huntress Security Awareness Training.