Report: Criminals loved to target PowerPoint in 2017

Recorded Future found that cybercriminals exploited PowerPoint the most in 2017 to steal money and information.

The most widely exploited vulnerability in 2017 was a well-known Microsoft Office bug (CVE-2017-0199), according to new research.

Recorded Future released a report Tuesday detailing the top 10 vulnerabilities used by cybercriminals in 2017. Microsoft products made up seven of the 10. In previous years, Adobe Flash exploits instead topped the list.

Private sector cybersecurity researchers originally became aware of the Microsoft Office-related vulnerability around April 2017. The damage was often caused by hackers sending out infected PowerPoint shows though spearphishing emails.

The hackers usually used this flaw to spread banking trojans and ransomware, experts say. “Attackers are using the PowerPoint Show (PPSX) format — a slide presentation that starts showing automatically — in order to reduce the chances that the victim sees anything amiss with the slides,” Mark Nunnikhoven, vice president of cloud security at Trend Micro, told DarkReading last year.


In many cases where CVE-2017-0199 was abused, a booby-trapped PowerPoint file triggered a script moniker, which allowed for remote code execution (RCE). The RCE happened through a VPN hosting service, obfuscating the attacker’s true location. The malicious component of the file is downloaded while the slideshow blankets the computer screen, making it difficult to spot. (Trend Micro has published a step-by-step technical explanation for how this attack method could be carried out.)

“This weakness affects a slew of Microsoft Office products and allows attackers to download and execute a Visual Basic script containing Powershell commands from a malicious document,” the Recorded Future report reads. “It saw heavy adoption for phishing attacks and we noted a link to 11 distinct pieces of malware during 2017.”

In the past, the vulnerability was also exploited using malicious Rich Text Format (RTF) documents — as seen in the DRIDEX banking Trojan, which targeted online banking users. The malware can steal information by giving the attacker control over the targeted systems, including the ability to install programs or even modify existing data.

The PowerPoint vulnerability specifically affects Microsoft Office 2007,  2010, 2013, 2016 and a few versions of Windows Vista, according to prior research by cybersecurity companies like Trend Micro, FireEye and McAfee. Microsoft has already issued a patch for the flaw, but many systems remain vulnerable.

Latest Podcasts