Hackers have long used Word and Excel documents as delivery vehicles for malware, and in 2025, these tricks are far from outdated. From phishing schemes to zero-click exploits, malicious Office files are still one of the easiest ways into a victim’s system.
Here are the top three Microsoft Office-based exploits still making the rounds this year and what you need to know to avoid them.
Phishing attacks using Microsoft Office files have been around for years, and they’re still going strong. Why? Because they work, especially in business environments where teams constantly exchange Word and Excel documents.
Attackers know that people are used to opening Office files, especially if they come from what looks like a colleague, a client, or a partner. A fake invoice, a shared report, or a job offer: it doesn’t take much to convince someone to click. And once the file is open, the attacker has their chance.
Phishing with Office files often aims to steal login credentials. These documents might include:
In this ANY.RUN malware analysis session, an Excel file contains malicious phishing link:
View analysis session with Excel file
When clicked, the victim is taken to a webpage that shows a Cloudflare “Verify you’re a human” check.
After clicking through, there’s another redirect; this time to a fake Microsoft login page.
At first glance, it might look real. But inside the ANY.RUN sandbox, it’s easy to spot red flags. The Microsoft login URL isn’t official; it’s filled with random characters and clearly doesn’t belong to Microsoft’s domain.
Give your team the right tool to detect, investigate, and report threats faster in a secure environment.
Get a trial of ANY.RUN to access advanced malware analysis
This fake login page is where the victim unknowingly hands over their login credentials straight to the attacker.
Attackers are also getting more creative. Lately, some phishing documents come with QR codes embedded in them. These are meant to be scanned with a smartphone, sending the victim to a phishing website or triggering a malware download. However, they can be detected and analyzed with tools like ANY.RUN sandbox too.
First discovered in 2017, CVE-2017-11882 is still exploited today, in environments running outdated versions of Microsoft Office.
This vulnerability targets the Microsoft Equation Editor – a rarely used component that was part of older Office builds. Exploiting it is dangerously simple: just opening a malicious Word file can trigger the exploit. No macros, no extra clicks needed.
In this case, the attacker uses the flaw to download and run a malware payload in the background, often through a remote server connection.
In our analysis session, the payload delivered was Agent Tesla, a known info-stealer used to capture keystrokes, credentials, and clipboard data.
View analysis session with malicious payload
In the MITRE ATT&CK section of this analysis, we can see how ANY.RUN sandbox detected this specific technique used in the attack:
Although Microsoft patched the vulnerability years ago, it’s still useful for attackers targeting systems that haven’t been updated. And with macros disabled by default in newer Office versions, CVE-2017-11882 has become a fallback for cybercriminals who want guaranteed execution.
The Follina exploit (CVE-2022-30190) continues to be a favorite among attackers for one simple reason: it works without macros and doesn’t require any user interaction beyond opening a Word file.
Follina abuses the Microsoft Support Diagnostic Tool (MSDT) and special URLs embedded in Office documents to execute remote code. That means just viewing the file is enough to launch malicious scripts, often PowerShell-based, that contact a command-and-control server.
View analysis session with Follina
In our malware analysis sample, the attack went a step further. We observed the “stegocampaign” tag, which indicates the use of steganography – a technique where malware is hidden inside image files.
The image is downloaded and processed using PowerShell, extracting the actual payload without raising immediate alarms.
To make matters worse, Follina is often used in multi-stage attack chains, combining other vulnerabilities or payloads to increase the impact.
If your team relies heavily on Microsoft Office for day-to-day work, the attacks mentioned above should be a wake-up call.
Cybercriminals know Office files are trusted and widely used in business. That’s why they continue to exploit them. Whether it’s a simple Excel sheet hiding a phishing link or a Word document silently running malicious code, these files can pose serious risks to your organization’s security.
The threat doesn’t stop at Office files. Mobile devices are now a key target, and attackers are spreading malware through fake apps, phishing links, and malicious APKs.
This means a growing attack surface for businesses and the need for broader visibility.
With ANY.RUN’s new Android OS support, your security team can now:
It’s a big step toward complete coverage and it’s available on all plans, including free.
Start your first Android threat analysis today and give your security analysts the visibility they need to protect your mobile attack surface.
