Cybersecurity researcher Nao_sec discovered a malicious Word document, 05-2022-0438.doc, that was uploaded to VirusTotal by a user from Belarus. The document uses Word's remote template feature to retrieve an HTML file and then uses the “ms-msdt” URI scheme to execute PowerShell code. The issue affects Microsoft Office, including Office 2016 and Office 2021. Cybersecurity expert Kevin Beaumont has published a vulnerability analysis.
“The document uses Word’s remote template feature to retrieve an HTML file from a remote server that uses the ms-msdt MSProtocol URI scheme to load code and execute PowerShell scripts,” Beaumont wrote in the report.
“The first problem is that Microsoft Word executes code through the ms-msdt support tool even when macros are disabled. Protected View starts, but if you change the document to RTF format, Protected View is enabled even without opening the document (via the preview tab in Explorer),” the researcher added.
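The chain described above has two static indicators that can be checked without ever opening the file in Word: the document's relationship parts declare an external attached template (the remote template feature), and the HTML that template URL serves contains an ms-msdt: URI. The following triage script is an added example, not code from the page, from Nao_sec or from Beaumont's analysis; the sample document, the template URL and the HTML snippet it checks are constructed for the example, and the placeholder after the scheme stands in for whatever the real page carried.

```python
"""Offline triage for the Word remote-template -> ms-msdt chain.

Two static checks, neither of which renders the document:
  1. Does the .docx declare an *external* attached template, and where does it point?
  2. Does the HTML served for that template URL contain an ms-msdt: URI?

The sample document and HTML below are constructed for this example.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = "/attachedTemplate"
# Matches the scheme the page describes; the tail is everything up to a
# delimiter, so the finding shows the full URI the HTML would hand to the handler.
MSDT_URI = re.compile(r"ms-msdt:[^\s\"'<>]*", re.IGNORECASE)


def find_external_templates(docx_bytes: bytes) -> list[str]:
    """Return every external attachedTemplate target found in the package's .rels parts."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type", "").endswith(ATTACHED_TEMPLATE)):
                    targets.append(rel.get("Target", ""))
    return targets


def find_msdt_uris(html: str) -> list[str]:
    """Return every ms-msdt: URI present in fetched template HTML."""
    return MSDT_URI.findall(html)


def triage(docx_bytes: bytes, html_by_url: dict[str, str]) -> dict:
    """Combine both checks. html_by_url maps a template URL to the HTML it served,
    captured out of band (for example from a proxy log), so this runs fully offline."""
    templates = find_external_templates(docx_bytes)
    msdt = {url: find_msdt_uris(html_by_url.get(url, "")) for url in templates}
    return {
        "external_templates": templates,
        "msdt_uris": msdt,
        "suspicious": any(msdt.values()),
    }


# --- constructed sample inputs -------------------------------------------

def build_sample_docx(template_url: str) -> bytes:
    """Build a minimal .docx whose settings.xml.rels points at an external template.
    Only the parts the checks read are included; it is not a complete Word file."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        f'Target="{template_url}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


SAMPLE_URL = "http://template.example.invalid/page.html"  # constructed
SAMPLE_HTML = ('<html><body><script>'
               'window.location.href = "ms-msdt:CONSTRUCTED_PLACEHOLDER";'
               '</script></body></html>')  # constructed; placeholder, not a real payload


if __name__ == "__main__":
    print(triage(build_sample_docx(SAMPLE_URL), {SAMPLE_URL: SAMPLE_HTML}))
```

The document check is the one worth wiring into mail or upload scanning: an external attachedTemplate relationship is rare in ordinary documents and is visible before any network fetch happens. The HTML check only applies once the served template has been captured, which is why the script takes it as an input rather than fetching it.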
Recall that Microsoft began blocking the execution of VBA macros in five Microsoft Office applications. Starting in April 2022, Microsoft Access, Excel, PowerPoint, Visio, and Word no longer allow macros to be enabled in untrusted documents downloaded from the Internet.
Microsoft also increased the amount of payouts for finding “significant” vulnerabilities in Office 365 as part of the Vulnerability Bounty Program.