Attackers have long used Word and Excel documents as malware carriers, and in 2025 these tricks are far from outdated. From phishing schemes to zero-click exploits, malicious Office files remain one of the easiest routes to a victim.
Here are the top three Microsoft Office exploits still making the rounds this year, and what you need to know to avoid them.
1. Phishing in MS Office: a hacker favorite
Phishing attacks that use Microsoft Office files have been around for years, and they are still going strong. Why? Because they work, especially in business environments where teams constantly exchange Word and Excel documents.
Attackers know that people are used to opening Office files, especially when they appear to come from a colleague, client, or partner. A fake invoice, a shared report, or a job offer: it does not take much to convince someone to click. And once the file is open, the attacker has their chance.
Office-file phishing usually aims at credential theft. These documents can include:
- Links to fake Microsoft 365 login pages
- Phishing portals that mimic familiar tools or services
- Redirect chains that eventually land on a credential-harvesting site
Consider this malware analysis session.
View the analysis session with the Excel file
[Figure: The Excel file containing a malicious link, opened in ANY.RUN]
When the victim clicks the link, a web page appears with a Cloudflare "verify you are human" check.
[Figure: The Cloudflare check passed by ANY.RUN's automated interactivity]
After the check there is another redirect, this time to a fake Microsoft sign-in page.
[Figure: Malicious link to a fake Microsoft login page, padded with random characters]
At first glance it may look real, but inside the sandbox the red flags are easy to spot. The login URL is not Microsoft's: it is padded with random characters and clearly does not belong to a Microsoft domain.
Give your team the right tool to detect, investigate, and report threats faster in a safe environment.
Get a trial of ANY.RUN to access advanced malware analysis
On this fake login page, any credentials the victim enters are sent straight to the attacker.
Attackers are also getting more creative. Recently, some phishing documents have shipped with embedded QR codes. These are meant to be scanned with a smartphone, sending the victim to a phishing site or triggering a malware download. They can still be detected and analyzed with tools like the ANY.RUN sandbox.
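One place a defender can catch the lure before anyone clicks is the document itself: Office Open XML files record every external hyperlink in their `.rels` parts, so the targets can be pulled out and checked without opening the file in Office. The script below is an added example, not code from the original post or from ANY.RUN. It builds a small constructed .xlsx in memory (the hostnames in it are made up), extracts the hyperlinks, and flags links that use sign-in wording while living outside Microsoft's login domains, carry a random-looking host label, or are served over plain http. The allowlist and thresholds are assumptions to tune for your own environment.

```python
"""Added example: scan an Office Open XML file for external hyperlinks and flag
the ones that look like credential-phishing lures.  A constructed .xlsx is built
in memory so the script runs offline; the hostnames in it are made up."""
import io
import math
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# Hosts where a genuine Microsoft sign-in page lives (allowlist; extend for your tenant's IdP).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
LURE_WORDS = ("login", "signin", "sign-in", "office365", "microsoft", "sharepoint", "onedrive")


def extract_external_links(package: bytes) -> list[str]:
    """Return every external hyperlink target stored in the package's .rels parts.
    Word keeps them in word/_rels/document.xml.rels, Excel in xl/worksheets/_rels/*.rels."""
    links = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == HYPERLINK_TYPE and rel.get("TargetMode") == "External":
                    links.append(rel.get("Target", ""))
    return links


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score high, dictionary words low."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def assess_link(url: str) -> list[str]:
    """Return the reasons (possibly none) a hyperlink looks like a sign-in phishing lure."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    lowered = url.lower()
    is_microsoft = host in MICROSOFT_LOGIN_HOSTS or host.endswith(".microsoft.com")
    if any(word in lowered for word in LURE_WORDS) and not is_microsoft:
        reasons.append(f"sign-in wording but hosted outside Microsoft domains: {host}")
    label = host.split(".")[0]
    if len(label) >= 12 and shannon_entropy(label) > 3.5:   # threshold is an assumption
        reasons.append(f"random-looking host label: {label}")
    if parts.scheme == "http":
        reasons.append("credential page served over plain http")
    return reasons


def scan_package(package: bytes) -> dict[str, list[str]]:
    """Map every external link in the document to its list of red flags."""
    return {link: assess_link(link) for link in extract_external_links(package)}


def build_sample_xlsx(targets: list[str]) -> bytes:
    """Construct a minimal .xlsx whose first sheet carries the given hyperlinks (sample data)."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    for i, target in enumerate(targets, start=1):
        rels.append(f'<Relationship Id="rId{i}" Type="{HYPERLINK_TYPE}" '
                    f'Target={quoteattr(target)} TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", "\n".join(rels))
    return buf.getvalue()


SAMPLE_LINKS = [  # constructed, not real campaign URLs
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://x7k2p9qv4ls83m.example-cdn.net/login/microsoft/verify",
    "https://example.org/quarterly-report.pdf",
]

if __name__ == "__main__":
    for link, flags in scan_package(build_sample_xlsx(SAMPLE_LINKS)).items():
        print(("SUSPICIOUS " if flags else "ok         ") + link)
        for flag in flags:
            print("    -", flag)
```

The check is static and cheap, so it fits in a mail gateway or a pre-open hook; it will not see links that are only rendered as an image or a QR code, which is exactly why those variants still need sandbox detonation.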
2. CVE-2017-11882: the Equation Editor exploit that won't die
First discovered in 2017, CVE-2017-11882 is still exploited today in environments that run outdated versions of Microsoft Office.
This vulnerability targets Microsoft Equation Editor, a rarely used component that shipped with older Office builds. The exploit is dangerous because simply opening a malicious Word file can trigger it. No macros, no extra clicks.
In this case, the attacker uses the flaw to download and launch a malware payload in the background, often through a connection to a remote server.
In our analysis session, the payload was Agent Tesla, a well-known infostealer used to capture keystrokes, credentials, and clipboard data.
View the analysis session with the malicious payload
[Figure: Phishing email carrying a malicious attachment]
In the MITRE ATT&CK section, we can see how the ANY.RUN sandbox identified the specific technique used in the attack:
[Figure: Equation Editor exploitation detected by ANY.RUN]
Although Microsoft patched the vulnerability years ago, it remains useful against systems that have not been updated. And with macros disabled by default in newer Office versions, CVE-2017-11882 has become a fallback for cybercriminals who want guaranteed execution.
3. CVE-2022-30190: Follina is still in the game
The Follina exploit (CVE-2022-30190) remains a favorite among attackers for one simple reason: it works without macros and requires no user interaction beyond opening the Word file.
Follina abuses the Microsoft Support Diagnostic Tool (MSDT) and a special URL embedded in an Office document to achieve remote code execution. Simply viewing the file is enough to launch malicious scripts, often PowerShell-based, that call back to a command-and-control server.
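Both exploits described in sections 2 and 3 leave a distinctive process-tree footprint on the endpoint: Equation Editor (EQNEDT32.EXE) has no legitimate reason to spawn any child process, and Follina shows up as msdt.exe launched by an Office application. The script below is an added example, not code from the original post or from ANY.RUN; it runs three detection rules over a handful of constructed process-creation events (the log format, paths and PIDs are made up for the demonstration, and values that would carry attacker content are replaced with `<redacted>`). The rules mirror what sandbox and EDR signatures key on for these two CVEs, plus a generic "Office app spawned a script host" rule.

```python
"""Added example: detection logic for the two exploit behaviours discussed above,
run over constructed process-creation events (Sysmon event 1 style fields).
The log format, paths and PIDs here are made up for the demonstration."""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


@dataclass
class ProcessEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'key=value|key=value' log line into a ProcessEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(int(fields["pid"]), fields["parent"], fields["image"], fields["cmd"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list = nothing suspicious)."""
    parent, image, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line.lower()
    hits = []
    # CVE-2017-11882: Equation Editor never legitimately launches a child process.
    if parent == "eqnedt32.exe":
        hits.append("equation_editor_spawned_child")
    # CVE-2022-30190 (Follina): msdt.exe started by an Office app, or carrying the
    # ms-msdt: diagnostic URL together with the IT_BrowseForFile parameter the exploit uses.
    follina_args = "ms-msdt:" in cmd and ("it_browseforfile" in cmd or "it_rebrowseforfile" in cmd)
    if image == "msdt.exe" and (parent in OFFICE_APPS or follina_args):
        hits.append("follina_msdt_launch")
    # Generic: an Office application starting a script or LOLBin host.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_app_spawned_script_host")
    return hits


def detect(lines: list[str]) -> list[tuple[int, str]]:
    """Run every rule over every line; return (pid, rule) pairs for the hits."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        alerts.extend((ev.pid, rule) for rule in classify(ev))
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry, not taken from the sandbox sessions above
    r"pid=4120|parent=C:\Windows\explorer.exe|image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|cmd=WINWORD.EXE /n invoice.docx",
    r"pid=4388|parent=C:\Windows\System32\svchost.exe|image=C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|cmd=EQNEDT32.EXE -Embedding",
    r"pid=4402|parent=C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c <redacted>",
    r"pid=5120|parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|image=C:\Windows\System32\msdt.exe|cmd=msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param IT_BrowseForFile=<redacted>",
    r"pid=5133|parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|image=C:\Windows\splwow64.exe|cmd=splwow64.exe 12288",
    r"pid=5210|parent=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -w hidden -enc <redacted>",
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} rule={rule}")
```

Note that EQNEDT32.EXE itself is launched by svchost.exe through DCOM rather than by Word, so a rule keyed on "Word spawned Equation Editor" would miss the attack; the child of Equation Editor is the reliable signal. The splwow64.exe event is included as a benign Word child that the rules correctly ignore.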
View the analysis session with Follina
[Figure: Follina technique detected inside the ANY.RUN sandbox]
In our sample analysis, the attack went further. We observed the "Stegocampaign" tag, which indicates the use of steganography, a technique in which malicious code is hidden inside image files.
[Figure: Steganography used in the attack]
The image is downloaded and processed with PowerShell, which extracts the actual payload without raising immediate alarms.
[Figure: Image carrying the malicious payload, analyzed in ANY.RUN]
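A frequent form of this trick is not true pixel-level steganography but a payload simply appended after the image's end-of-file marker: viewers ignore the extra bytes, so the file still renders, while the loader seeks past the marker to read its next stage. The script below is an added example, not code from the original post or from ANY.RUN. It builds a valid one-pixel PNG in memory (constructed sample), walks the chunk list to the IEND chunk, and reports how many bytes trail the logical end of the image and how text-like they look. It will not detect payloads hidden in pixel data, which needs statistical analysis of the image itself.

```python
"""Added example: spot a payload appended after an image's end-of-file marker, one
common way loaders hide data 'inside' a picture.  The PNG and the appended blob are
constructed here so the script runs offline."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes):
    """Walk the PNG chunk list and return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        off += 8 + length + 4                       # length/type header + chunk data + CRC
        if ctype == b"IEND":
            return off if off <= len(data) else None
    return None


def trailing_data(data: bytes):
    """Bytes after the image's logical end; empty for a clean file, None if not a PNG."""
    end = png_end_offset(data)
    return None if end is None else data[end:]


def printable_ratio(blob: bytes) -> float:
    """Share of printable ASCII; appended Base64 or script text scores near 1.0."""
    if not blob:
        return 0.0
    return sum(32 <= b < 127 for b in blob) / len(blob)


def describe(data: bytes) -> dict:
    """Summary a triage script can log: how much trails the image and what it looks like."""
    tail = trailing_data(data)
    if tail is None:
        return {"png": False}
    return {"png": True, "trailing_bytes": len(tail),
            "printable_ratio": round(printable_ratio(tail), 2)}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk with its CRC-32 over type and data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """A valid 1x1 RGB PNG (constructed)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit depth, colour type RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")               # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_PNG = build_sample_png()
# Constructed stand-in for an appended payload; a real loader would carry its next stage here.
APPENDED = b"CONSTRUCTED-SAMPLE-PAYLOAD:" + b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=" * 4
STUFFED_PNG = CLEAN_PNG + APPENDED

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("stuffed", STUFFED_PNG)):
        print(name, describe(blob))
```

Run over images that an Office-spawned PowerShell process downloaded, a non-zero trailing length is a strong triage signal; a high printable ratio usually means Base64 or script text, while a low one suggests an encrypted or packed stage.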
Worse, Follina is often used in multi-stage attack chains, combined with other vulnerabilities or payloads to increase the impact.
What this means for teams using MS Office
If your team relies heavily on Microsoft Office in everyday work, the threats described above should be a wake-up call.
Cybercriminals know that Office files are trusted and widely used in business. That is why they keep exploiting them. Whether it is a simple Excel spreadsheet hiding a phishing link or a document that silently triggers malicious code, these files can pose serious risks to your organization's security.
Here is what your team can do:
- Review how Office documents are handled in your organization; limit who can open or upload files from external sources.
- Use tools like the ANY.RUN sandbox to examine suspicious files in a safe, isolated environment before anyone on your team opens them.
- Update all Office software regularly and disable legacy features such as macros or the Equation Editor where possible.
- Stay informed about new exploitation methods targeting Office formats so that your security team can respond quickly.
Analyze mobile malware using ANY.RUN's new Android support
The threat does not stop at Office files. Mobile devices are now a key target, and attackers distribute malware through fake apps, phishing links, and malicious downloads.
This means a growing attack surface for businesses and a greater need for broad visibility.
With the new Android OS support, your security team can now:
- Analyze Android malware in a real mobile environment
- Investigate suspicious APK behavior before it reaches production devices
- Respond to mobile threats faster and with greater clarity
- Support incident response across both desktop and mobile ecosystems
This is a big step toward full coverage, and it is available on all plans, including the free one.
Start your first Android threat analysis today and give your security analysts the visibility they need to protect your mobile attack surface.