New Exploit Vector Uses Microsoft Word Link Auto-Update Feature

SANS-ISC researcher Xavier Mertens recently discovered a malicious document designed to exploit a Microsoft Word feature that automatically updates embedded links when a document is opened, without additional user interaction. An embedded link in the document points to an external URL that hosts a malicious RTF file. This file attempts to exploit CVE-2017-0199, a critical vulnerability in several Microsoft products, by downloading a JavaScript payload from a different URL. The payload then issues a PowerShell command to download a portable executable file of a remote access trojan.

The NJCCIC recommends that users and administrators of Microsoft Word versions up to and including Word 2016 review the SANS-ISC analysis and consider disabling the automatic link update feature. Additionally, apply the Principle of Least Privilege to all user accounts to prevent unauthorized installation of software. Educate all end users on the latest email-based threats and inform them that legitimate accounts can be compromised or spoofed and used to send malicious content. Also, encourage employees to contact email senders via an alternate method to confirm the legitimacy of files before opening.