Abusing Microsoft Word Features for Phishing: “subDoc”


While reading through Microsoft Developer Network Office references, we discovered a Word feature which allows the author to load sub-documents from a master document – aptly named “subDoc.”

The subDoc feature is designed to load a document that is its own file, into the body of another document. This is something that might be used to include information that one document has in another, but that included information could be edited and viewed on its own. Upon further inspection, we determined that we could load remote (internet-hosted) subDoc documents into the host doc, opening the potential for abuse in certain situations.

This feature peaked our curiosity as it resembled a similar Office feature we’ve seen abused in the wild, attachedTemplate. Using the attachedTemplate method, an attacker would be able to send an arbitrary document to a target that would, upon opening, open an authentication prompt in the Windows style. It is this innocent looking functionality that usually catches the target by surprise and provides us the opportunity to harvest credentials remotely.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s