Press Release

InQuest Discovers Exploit Targeting Decades-Old Microsoft Office Feature to Bypass Detection

Originally posted on

AUSTIN, Texas–(BUSINESS WIRE)–InQuest, a leading provider of large scale threat hunting solutions, announced today that it has uncovered a new tactic that cyber attackers are leveraging to bypass common defensive stacks and infect end-users via Microsoft Office Excel.

Common malware campaigns continue to compromise users across the world successfully. Multiple malware operations, business email scams, phishing, and other nefarious deliveries are currently leveraging an industry-wide blind spot in Microsoft Excel “macrosheets”. However, these techniques are just the current iteration of a continued trend. With millions of lines of code and decades of backwards compatible feature support, there is *always* something with common office productivity software such as Microsoft Office and Adobe PDF.

Data shows that of the most exploited CVEs (Common Vulnerabilities and Exposures) over the last three years, 60% of them are bound to Object Linking and Embedding (OLE), a Microsoft proprietary technology that allows embedding and linking between objects and documents. This file format has since been deprecated for the preferred Open Office standard. However, the legacy format is still supported and some embedded content, like document macros, are still distributed in OLE. Among the most prolifically exploited vulnerabilities over recent years include CVE-2017-11882 and CVE-2017-0199.

The InQuest Deep File Inspection (DFI) stack works to dissect the most tangled attack vectors. Extractions include the normalized embedded logic, semantic content, and coercive text derived through machine vision algorithms like perception hashing and Optical Character Recognition (OCR).

While new threats are exposed continuously, it’s not every day that one is born capable of making it into your average enterprise inbox. A commonality among this and other threats is the requirement of coercion. Through a focus on machine vision, InQuest is able to find new and novel carriers. We have collected dozens of example lures that we encourage folks to glance at to build the subconscious ability to recognize this class of threats.

At the SANS Hackfest Summit earlier this month, InQuest’s CTO Pedram Amini announced the immediate availability to access a gallery of lures used in malicious documents.

View the full gallery here. See the SANS Hackfest Submit talk here.

About InQuest

InQuest is a cybersecurity services and solutions company founded in 2013 by a well-versed team hailing from both the public and private sectors. Our platform is purpose-built by SOC analysts for SOC analysts and network defenders, with cloud and on-premises capabilities in threat prevention, breach detection, threat hunting and data leakage discovery. We’ve automated much of the typically mundane tasks of the SOC analyst, including fully integrating with Joe Sandbox, resulting in analyst level scrutiny of data-in-motion at carrier class speeds as well as data-at-rest, all the while reducing frustration, and in-turn, allowing precious human time to be spent where it matters. For more information, visit


Isabelle Quinn
[email protected]