Cyber attackers have been utilizing Word and Excel documents as a means to deliver malware for a long time, and this tactic remains effective even in 2025. These malicious files can be used in various types of attacks, including phishing schemes and zero-click exploits, making them a straightforward way for attackers to gain access to a victim’s system.

The following are the top three Microsoft Office-based exploits that are still prevalent this year, along with the necessary information to help you avoid them.

1. Phishing in MS Office: A Persistent Threat

Phishing attacks that utilize Microsoft Office files have been around for years and continue to be a significant threat. The reason for their persistence is simple: they are effective, especially in business environments where teams frequently exchange Word and Excel documents.

Attackers are aware that people are accustomed to opening Office files, particularly if they appear to come from a colleague, client, or partner. A fake invoice, a shared report, or a job offer can be enough to convince someone to click on a malicious link. Once the file is opened, the attacker has the opportunity to carry out their malicious intentions.

Phishing attacks using Office files often aim to steal login credentials and may include:

  • Links to fake Microsoft 365 login pages
  • Phishing portals that mimic company tools or services
  • Redirect chains that ultimately lead to credential-harvesting sites

In this ANY.RUN malware analysis session, an Excel file contains a malicious phishing link:

View analysis session with Excel file

[Figure: Excel file containing malicious link detected inside ANY.RUN sandbox]

When clicked, the victim is redirected to a webpage that displays a Cloudflare “Verify you’re a human” check.

[Figure: Cloudflare verification passed with ANY.RUN’s automated interactivity]

After clicking through, there’s another redirect; this time to a fake Microsoft login page.

[Figure: Malicious link to fake Microsoft login page with random characters]

At first glance, the page may seem legitimate. Inside the ANY.RUN sandbox, however, the red flags are easy to spot: the login URL is not an official Microsoft address; it is filled with random characters and does not belong to a Microsoft-owned domain.

This fake login page is where the victim unknowingly hands over their login credentials to the attacker.
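As an added example (not code from the original article or from ANY.RUN), the check below pulls the external hyperlinks out of an .xlsx workbook and flags login-themed links that do not resolve to a Microsoft-owned domain, which is the red flag described above. The workbook, its two URLs and the trusted-domain list are constructed here for the demo and are assumptions, not values from the analysis session.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Excel stores cell hyperlinks as relationships with TargetMode="External"
# in xl/worksheets/_rels/sheetN.xml.rels. This .rels content is constructed:
# one genuine Microsoft sign-in URL and one look-alike on an unrelated host.
RELS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://login.microsoftonline.com/" TargetMode="External"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://a8f3kq9z.example.net/microsoft/login?x=Zk3" TargetMode="External"/>
</Relationships>"""

# Assumed allowlist of domains a real Microsoft 365 login may legitimately use.
TRUSTED_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")


def build_sample_xlsx() -> bytes:
    """Build a minimal (constructed) .xlsx in memory: an OOXML zip container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", RELS_XML)
    return buf.getvalue()


def extract_external_links(xlsx_bytes: bytes) -> list:
    """Return every external hyperlink target found in the workbook's sheet .rels parts."""
    links = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("xl/worksheets/_rels/") and name.endswith(".rels")):
                continue
            for rel in ET.fromstring(z.read(name)):
                if rel.get("TargetMode") == "External" and rel.get("Type", "").endswith("/hyperlink"):
                    links.append(rel.get("Target"))
    return links


def is_suspicious_login_link(url: str) -> bool:
    """Flag a URL that looks like a Microsoft/login page but is hosted off Microsoft's domains."""
    host = (urlparse(url).hostname or "").lower()
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    login_themed = re.search(r"microsoft|office|login|signin", url, re.I) is not None
    return login_themed and not trusted


def scan_workbook(xlsx_bytes: bytes) -> list:
    """Return only the links that warrant analyst attention."""
    return [u for u in extract_external_links(xlsx_bytes) if is_suspicious_login_link(u)]
```

Run `scan_workbook(build_sample_xlsx())` to see that only the off-domain look-alike is reported; on a real file, pass the workbook's bytes instead.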

Attackers are becoming increasingly creative. Recently, some phishing documents have included embedded QR codes. These are meant to be scanned with a smartphone, sending the victim to a phishing website or triggering a malware download. They can still be detected and analyzed with tools such as the ANY.RUN sandbox.

2. CVE-2017-11882: The Equation Editor Exploit That Refuses to Die

First discovered in 2017, CVE-2017-11882 is still being exploited today, primarily in environments running outdated versions of Microsoft Office.

This vulnerability affects the Microsoft Equation Editor, a rarely used component that shipped with older Office builds. Exploiting it is relatively simple: merely opening a malicious Word file can trigger the exploit. No macros or extra clicks are needed.

In this case, the attacker uses the flaw to download and run a malware payload in the background, often through a remote server connection.

In our analysis session, the payload delivered was Agent Tesla, a known info-stealer used to capture keystrokes, credentials