SubDoc Microsoft Word Feature Vulnerable to Exploitation

Researchers at Rhino Security Labs recently discovered that a Microsoft Word feature, dubbed subDoc, could be leveraged by attackers to steal account credentials in the form of NTLM hashes. SubDoc is a feature that enables a master Word document to load sub-documents, and it can be configured to deliver a malicious file from an attacker-controlled server. If the document is opened, attackers can obtain an NTLM hash which, once decoded, will reveal a user’s login credentials. Because the subDoc attack vector is not currently recognized by antivirus software, detecting abuse of this feature is challenging. The NJCCIC strongly recommends that users avoid enabling macros unless they are aware of a specific reason why a document requires macros to run, and avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails.