
Malicious office documents: The latest trend in cybercriminal exploitation

This article was originally written and posted on TechRepublic by R. Dallon Adams on September 9, 2021.

Cyberattacks have increased over the last year as criminals rake in record ransomware payments. According to a recent Atlas VPN report, malicious office documents are the latest trend in cybercriminal behavior, and a timely one, as companies pause office reentry plans and continue to work remotely because of COVID-19. So, how does this cyber-ruse work?

"Even though infecting office documents with malware has been established for a long time, it is still very successful at tricking people," said William Sword, Atlas VPN cybersecurity researcher, in a blog post about the findings. "After creating a malicious macro on office documents, threat actors send the infected file to thousands of people via email and wait for possible victims. Macro is a series of commands bundled together to accomplish a task automatically."
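The mechanism Sword describes, a VBA macro carried inside an office document, leaves a structural trace that a mail gateway or triage script can check for before the file ever reaches a user. The following is an added example, not code from the article or from Atlas VPN or Netskope: modern Office files (.docx, .docm, .xlsm and so on) are zip containers, and an embedded macro project appears as a part named vbaProject.bin and as a content-type declaration in [Content_Types].xml. The helper names (inspect_ooxml, triage, has_macros, build_sample) are hypothetical, and the sample documents are constructed in memory rather than taken from a real campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Added example with hypothetical helper names and constructed samples; not
# code from the article or from Atlas VPN / Netskope.

# Content type Office declares for an embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
# Signature of a legacy OLE2 / Compound File Binary container (.doc, .xls, .ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_ooxml(data: bytes) -> dict:
    """Look inside an OOXML container (docx/docm/xlsm/pptm ...) for VBA indicators.

    Both checks are kept on purpose: a vbaProject.bin part can be present without
    a matching content-type declaration (for example after a careless rename or
    repack), and each indicator on its own is enough to route the file for review.
    """
    result = {"is_ooxml": False, "vba_parts": [], "vba_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        # 1) A VBA project part, wherever it sits (word/, xl/, ppt/ ...).
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        # 2) A <Default> or <Override> element declaring the VBA content type.
        try:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
        except ET.ParseError:
            return result
        result["vba_content_type"] = any(
            el.get("ContentType") == VBA_CONTENT_TYPE for el in root
        )
    return result


def triage(data: bytes) -> str:
    """Coarse verdict suitable for a mail-gateway or sandbox pre-filter."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats keep VBA in OLE streams; enumerating those needs a
        # CFB parser (e.g. oletools' olevba), which this example does not include.
        return "legacy-ole"
    r = inspect_ooxml(data)
    if not r["is_ooxml"]:
        return "not-office"
    return "ooxml-vba" if (r["vba_parts"] or r["vba_content_type"]) else "ooxml-clean"


def has_macros(data: bytes) -> bool:
    return triage(data) == "ooxml-vba"


def build_sample(with_vba: bool, declare_vba: bool = True) -> bytes:
    """Construct a minimal OOXML container in memory (constructed test data)."""
    overrides = (
        '<Override PartName="/word/document.xml" ContentType='
        '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    )
    if with_vba and declare_vba:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = f'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="{CT_NS}">{overrides}</Types>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a real OLE-wrapped VBA project.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("benign.docx", build_sample(False)),
        ("invoice.docm", build_sample(True)),
        ("renamed.docx", build_sample(True, declare_vba=False)),
        ("legacy.doc", OLE_MAGIC + b"\x00" * 512),
    ]
    for label, blob in samples:
        print(f"{label:14s} -> {triage(blob)}")
```

The check is a presence test, not a malware verdict: a document flagged "ooxml-vba" may carry a legitimate macro, and a legacy .doc or .xls needs a compound-file parser before anything can be said about its VBA streams. Its value at the gateway is that it does not depend on antivirus signatures, which the article notes these files often slip past, and it complements blocking macro execution on the endpoint rather than replacing it.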

Remote work and malicious office documents

The Atlas VPN findings are based on Netskope Threat Labs' July Cloud and Threat report and cover "various office documents from all platforms," including Microsoft Office 365, Google Docs, PDFs and others. According to Atlas VPN, malicious office documents represented nearly half of all malware downloads (43%) in the second quarter of this year, up from 34% in both the first quarter of this year and the fourth quarter of 2020. As Sword explained in the post, "harmful office files are popular among cybercriminals as they usually can evade many antivirus software from detection."

In the third quarter of 2020, malicious office documents represented 38% of all downloaded malware, according to Atlas VPN, compared to 14% in the second quarter of 2020 and 20% in the first quarter of that year. Discussing the surge between the second and third quarters of 2020, Sword said this increase "was mainly influenced by remote work as cybercriminals found malware-infected documents to be effective."

WFH cybersecurity challenges

At the onset of COVID-19, companies switched to remote operations virtually overnight. The transition en masse presented new cybersecurity challenges, as remote employees logged on for the workday via their home networks and a mix of personal and company devices.

"When the shift to remote and hybrid work happened, the malware that was on office networks shifted to employees' networks at home," said Stephen Boyer, the chief technology officer at BitSight.

Compared to corporate networks, Boyer said, home networks are 3.5 times more likely to "have at least one family of malware," citing company research, and 7.5 times more likely to have a minimum of "five distinct families of malware."

"It's easier, and even trivial, for attackers to distribute malware when businesses are operating remotely, because employees don't have the same level of cybersecurity protections on their networks or devices," Boyer said. "The ability to detect and respond to [threats] on home networks is next to zero, so the level of sophistication and evasion needed for a successful malware attack is much lower than it was before the pandemic."

In recent months, a number of companies started their office reentry plans after more than a year of remote work, but the rise of the delta variant and surging cases has delayed these timelines. In the interim, companies may need to take proactive steps to shore up their extended networks, especially as attackers tailor their preferred attack methods to remote workers.

According to a July Barracuda Networks report, the average organization will face more than 700 social engineering cyberattacks annually. Among the social engineering attacks analyzed by Barracuda researchers, phishing represented 49%, followed by scamming (39%), business email compromise (BEC, 10%) and extortion (2%).

"By inserting harmful macros into Word or PDF documents, threat actors have profited from victims falling for their phishing attacks," Sword said. "Cybersecurity education and training is the key to protect yourself or even your organization from such threats."

Additionally, Sword emphasized the importance of maintaining devices "from a technological standpoint," ensuring they run protective software and are kept up to date.
