Photo Credit: Twitter/ Microsoft
Microsoft issued a warning on Friday regarding a spam campaign that seems to abuse a security vulnerability in its productivity suite - Office. The campaign involves sending malicious documents that can infect users when they simply open the attached RTF document. As of now, the spam campaign is targeting European users. Microsoft's Security Intelligence account made the announcement in a series of tweets on Friday afternoon.
According to Microsoft's security researchers, the ongoing spam campaign includes RTF documents that exploit the Microsoft Office and Wordpad CVE-2017-11882 vulnerability. Users can be infected by simply opening the attached document.
An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. pic.twitter.com/Ac6dYG9vvw— Microsoft Security Intelligence (@MsftSecIntel) June 7, 2019
The CVE-2017-11882 vulnerability enables RTF and Word documents to execute commands right when they're opened. The vulnerability was patched back in 2017, but Microsoft claims the company still sees the exploit being used in spam campaigns which have increased in the last several weeks. Microsoft is recommending users to apply security updates.
Microsoft said that when a user opens an infected attachment, the file will try to execute a number of scripts written in VBScript, PowerShell, PHP, and others to download the 'payload'. These scripts are generally downloaded from a Pastebin repository.
According to Microsoft, the 'payload' that's download on an infected user's system is an executable backdoor trojan, programmed to connect to a malicious domain. Microsoft is asking all Windows users to install the security update for this vulnerability as soon as possible.
The malicious domain has been taken down, but Microsoft says there's always a possible risk of future campaigns that may use a similar tactic to exploit the vulnerability.
In case you've already applied the November 2017 patch, you're already protected from this vulnerability. This exploit has been used several times, in an effort to target users who may have forgotten to install the software update.