Researchers have discovered another way through which bad actors may phish! The method employs exploiting a vulnerability in the Microsoft Word Online Video feature. Through this bug, an attacker can replace the iFrame code of the video with a malicious code to conduct a phishing attack.
Bug Discovered In Microsoft Word Online Video Feature
Researchers from the cyber attack simulation firm Cymulate have discovered a bug in the Microsoft Word online video feature. According to their findings, an attacker can exploit the vulnerability to manipulate the embedded video’s iFrame code.
They have also shared a video showing the exploit.
Exploiting This Bug May Trigger Phishing Attacks
As demonstrated by the researchers, it is very easy for an attacker to modify the code of any YouTube video embedded in a Word document. They simply have to edit the “document.xml” file and replace the video link with the malicious payload. The researchers fear that attackers may exploit this technique for phishing attacks. While most internet users today all know to ignore email phishing. However, now, attackers may trick them to open malicious Word files with YouTube videos.
Through this trick, the target users may not suspect anything malicious since opening the document with the embedded video does not generate a warning.
The bug allegedly affects Microsoft Office 2016 and all earlier versions with this feature.
No CVE Assigned…?
According to SCMedia, Cymulate reported the vulnerability to Microsoft three months ago. However, the flaw has not qualified for a CVE yet. Moreover, Microsoft’s Senior Director Jeff Jones also said that the “product is properly interpreting HTML”.
“The product is properly interpreting HTML as designed — working in the same manner as similar products.”
At present, the only method to mitigate this bug, as recommended by the researchers, is to block any Word documents with embedded videos.