You may have heard the advice from cybersecurity experts to “disable your macros and/or be careful when manually enabling macros when opening Word documents” . In the past, this has prevented malware disguised as a Word document from infiltrating your personal information secured on your computer.
Unfortunately, as we learn how to stop today’s cyberattacks, hackers learn how to build tomorrow’s.
Microsoft PowerPoint holds a feature which executes a command in response to mouse-over action—and it doesn’t take an Office genius to set one up. Hackers are utilizing the “Run Macros” option by creating malicious PowerShell code and embedding it into the PowerPoint.
How it Happens
These harmful PowerPoints have typically been attached to emails with the subject line “Purchase Order #XXXXX” or “Order Confirmation,” mocking an invoice. The user will then see a screen that says “Loading…Please wait” before being redirected to PowerPoint.
By default, however, Office will prompt you before opening the file. The pop-up box indicates that the file may contain malware and asks the user if they would like to enable the content. If they select to enable all content, the PowerShell script will run and seek out the user’s information, specifically banking and financial data.
Out of caution, we recommend all clients enable the “Office Protected View” setting to ensure you will see the pop-up box described above when exposed to potentially malicious software. Microsoft also runs Windows Defender and Office 365 Advanced Threat Protection to detect the threat and remove it if necessary.