Office Documents are Still Not Safe for Cybersecurity


Emotet is back. Word, Excel and other Office 365 files are still a critical cyberthreat vector. How do we stop it?

Although it was almost a week late, Tom finally received the pricing proposal from Tetome Supply.

He was excited to begin reviewing it. However, he knew from the quarterly cybersecurity courses that he should be cautious. So he carefully studied the email address and name of the sender and made sure that the attachment was a Word document and not a .exe file. He was further reassured by the email’s text, in which the sender thanked him for being patient and inquired about his new puppy.

Tom was sipping his morning coffee as he scanned the headlines from the day on his smartphone. A message appeared on the monitor informing Tom that the .doc had been created in iOS and that he must enable editing and content. Finally, he could see the contents of his document, but it also set off a chain reaction.

As far as Tom knew, the document only contained the pricing information. Nothing indicated that Emotet was downloaded from a compromised website by a Powershell command. Or that Trickbot had been used to backup Emotet.

It was too late. When Tom opened his laptop a few days later, a note informed him that all his files were encrypted and that the hackers would not unlock them until Tom paid $150,000 in bitcoin. The note was signed by Ryuk.

No time for a sigh of relief.

For the first half of 2019, malicious PDFs showed an edge over malicious Office 365 files, outpacing them 36,488 to 25,461. Then in 2020, the number of PDFs dipped 8% over the same period in 2019 while the number of malicious Microsoft Office files skyrocketed to 70,184 — a 176% increase.

Wired Magazine once labeled Emotet the most dangerous malware in the entire world. So no surprise that back in January 2021, law enforcement from every major country launched a massive effort to disrupt Emotet’s infrastructure found embedded in servers and computers in more than 90 countries. The effort resulted in the arrest of criminals and confiscation of equipment, cash, and even rows of gold bars accumulated by the gangs.

Indeed, utilization of Microsoft Office files in attacks fell. According to the 2022 SonicWall Cyber Threat Report, PDFs returned as the preferred attack vector with a 52% increase in malicious utilization and malicious Microsoft Office files decreased by 64%. This trend was a marked reversal and yet, there was no time for even a sigh of relief.

A graph showing the rise of never-seen-before malware variants.

Emotet attacks are back.

According to recent reports by Bleeping ComputerThreatpost and the Sans Technology Institute, within 10 months since the high-profile January 2021 takedown, Emotet is back with a vengeance. Threat actors are actively distributing infected Microsoft Office documents, ZIP archives and other files laden with Emotet code.

While it is still too early to see a data trend, anecdotally we see significant changes such as encryption of malware assets and new strategy that includes targeted phishing attacks that include reply-chain emails, shipping notices, tax documents, accounting reports or even holiday party invites.

In less than 10 months, previous eradication efforts were erased and now we’re back to square one.

How to protect from malicious Office 365 files.

Even with serious threats on the fly, there are several simple things you can do to protect yourself and others on your network. You can start by changing your Office 365 settings to disable scripts and macros and keeping your endpoints and operating system up to date with the latest patches for Windows.

You can set a business policy not to transfer documents and other files via email. You can also keep up with Microsoft’s regular distribution of patches and updates. We all get busy, but when we let our updates lapse, we’re literally allowing attacks targeting these vulnerabilities to succeed.

We can also take stronger steps to strengthen our resistance to attack. 2021 was another banner year for SonicWall’s patented Real-Time Deep Memory Inspection™ (RTDMI) technology which detected 442,151 total never-before-seen malware variants in 2021, a 65% increase over 2020’s count and an average of 1,211 per day.

A graph showing new malicious file type detections in 2021.

Capture ATP, 100% Captures, and 0% False Positives.

The best part about RTDMI is that it is integrated with SonicWall’s Capture Advanced Threat Protection (ATP). And in quarterly third-party testing by ICSA Labs, RTDMI identified 100% malicious threats without posting a single false positive for five quarters in a row.

Capture ATP with RTDMI leverages proprietary memory inspection, CPU instruction tracking and machine learning capabilities to recognize and mitigate never-before-seen cyberattacks, including threats that do not exhibit any malicious behavior and hide their weaponry via encryption — attacks that traditional sandboxes will likely miss.

This is particularly important in cases such as Tom’s, as Trickbot and Emotet both use encryption to hide their misdeeds. Emotet can also determine whether it’s running inside a virtual machine (VM) and will remain dormant if it detects a sandbox environment.

This post is also available in: Portuguese (Brazil) French German Spanish Italian

Amber Wolff
Senior Digital Copywriter | SonicWall
Amber Wolff is the Senior Digital Copywriter for SonicWall. Prior to joining the SonicWall team, Amber was a cybersecurity blogger and content creator, covering a wide variety of products and topics surrounding enterprise security. She spent the earlier part of her career in advertising, where she wrote and edited for a number of national clients.