Word Documents Under Attack

A new threat to Word documents was recently found in which attackers infect a user’s personal computer through a Word document. The attack targets a feature that lets the creator of a document embed videos directly in Word files, which users can then play without getting any security warnings.

Microsoft Office programs have fallen victim to embedded malware in the past, but such malware usually triggers a security warning. In a Word document with an embedded macro, the user is asked to permit execution, which signals that macros can be a potential threat.

Researchers at Cymulate discovered the vulnerability in MS Word’s online video feature, which allows users to embed a reference to an online video, such as one hosted on Vimeo or YouTube, directly into the document. The embedded video can be played when the document is opened. Attackers exploit this feature by manually altering the reference to the video inside the Word document. Instead of linking to the original video, the embedded reference points to malicious code.

Most people see a Word document as a single file with a .docx extension, without seeing the pieces that actually go into creating it. In reality, .docx files are ZIP archives that can be opened and unpacked to reveal the other elements of the document, such as an XML file called .xml, which contains the code for any embedded videos in the form of HTML iframes. An iframe tag creates an embedded Internet Explorer window that displays content from another location when the document is opened.

Attackers replace the iframe HTML with malicious HTML or JavaScript of their own, which can download an executable from the internet. The tampered video element asks the user whether they want to run the downloaded executable, but it doesn’t display a security warning. Once the user agrees, the executable file infects the machine.
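Because the embedded HTML sits inside the ZIP archive, a defender can unpack a document and check that it still holds nothing but a video iframe. The Python below is an added example, not code from Cymulate or this article: it scans every XML part for attribute values containing HTML and reports anything other than an iframe served over HTTPS from an allow-listed host. The host list and the sample archive built by `make_docx` are assumptions constructed for illustration.

```python
import io, zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted files
from html.parser import HTMLParser
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr
# Assumption: video hosts this organisation accepts; adjust to local policy.
ALLOWED_HOSTS = {"www.youtube.com", "player.vimeo.com"}

class _Tags(HTMLParser):
    """Collect (tag, attrs) for every start tag in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def check_fragment(html):
    """Return reasons the fragment is not a plain allow-listed video iframe."""
    p = _Tags()
    p.feed(html)
    reasons = []
    for tag, attrs in p.tags:
        if tag != "iframe":
            reasons.append(f"unexpected <{tag}> element")
            continue
        src = attrs.get("src") or ""
        url = urlparse(src)
        if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
            reasons.append(f"iframe src not allow-listed: {src!r}")
        reasons += [f"event handler attribute {k}" for k in attrs if k.startswith("on")]
    return reasons

def scan_docx(data):
    """Check every XML part of a .docx (bytes) for attribute values holding HTML."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in (n for n in z.namelist() if n.endswith(".xml")):
            for el in ET.fromstring(z.read(name)).iter():
                for attr, val in el.attrib.items():
                    if "<" in val:  # the XML parser has already unescaped &lt;
                        findings += [(name, attr, r) for r in check_fragment(val)]
    return findings

def make_docx(html):
    """Constructed, simplified sample archive (not a complete Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", f"<doc><video embeddedHtml={quoteattr(html)}/></doc>")
    return buf.getvalue()
```

Calling `scan_docx` on the bytes of an attachment returns a list of `(part, attribute, reason)` tuples; an empty list means every embedded fragment was a plain allow-listed iframe.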

According to Avihai Ben-Yossef, CTO and co-founder of Cymulate, since the attackers can put whatever JavaScript they like into the iframe content, they also create potential threats for “further execution scenarios”.

This vulnerability is similar to an attack that was first identified by Naked Security in 2016, where attackers exploited references to Microsoft Office’s DDE (Dynamic Data Exchange) feature. That attack abused an undocumented feature that allowed DDE references to start any application and give it commands to execute. Microsoft has since responded to the issue, saying that it is turning off DDE by default in Word.

As always, be super anal about opening unsolicited email attachments and downloads. Never open or download anything that looks suspicious, especially if the file comes from an anonymous sender or one you aren’t familiar with.