Microsoft Office templates hacked to run malicious code by attackers

1 min read


  • A cyberattack campaign called “PhantomBlu” targeted employees in US-based organizations with phishing emails.
  • The attackers used social engineering tactics and advanced evasion techniques to deploy malicious code by exploiting Microsoft Office templates.

In the PhantomBlu campaign, attackers sent phishing emails appearing to be from a legitimate accounting service, instructing recipients to download an attached Office Word document. The email contained detailed instructions to access the document, which required the recipients to enter a password and enable editing to view their “salary graph.” This step exploited a legitimate Windows feature, Object Linking and Embedding (OLE), to execute malicious code discreetly. The campaign utilized OLE template manipulation to deliver the NetSupport Remote Access Trojan (RAT) via email, hiding the payload outside the document to bypass security measures. Upon clicking an embedded printer icon in the document, a zip file containing an LNK file opened, leading to the execution of a PowerShell dropper designed to retrieve and execute the NetSupport RAT. The RAT’s configuration files revealed its command and control servers, highlighting the campaign’s communication backbone. The PhantomBlu campaign represents a unique blend of sophisticated evasion tactics and social engineering.

Previous Story

Learn to safeguard your online identity with our complimentary workshop

Next Story

Keeper Security warns of top cyber threats this tax season

Latest from News

US sanctions Kaspersky Lab for Russia ties

TLDR: The Biden administration announced sanctions against 12 executives and senior leaders of Kaspersky Lab, a Russia-based cybersecurity company. The Commerce Department banned Kaspersky