A significant portion of Microsoft Office users delay essential security updates.

Edward Gately, Senior News Editor

July 21, 2022


Microsoft Office remains the most widely exploited software for malware delivery one quarter after another, according to Atlas VPN research.

The primary reason is that a significant portion of Office users delay essential security updates. That keeps the doors open for fraudsters to inject malicious code through various loopholes, even when those loopholes are already publicly known.

More than 78% of malware targeted Office vulnerabilities during the first quarter of 2022, Atlas VPN research shows. That’s up from 60% during the third quarter of 2021. Fourth-quarter 2021 data isn’t available.

Researchers believe browser exploits are becoming increasingly rare because browsers update automatically. That’s not the case for Office.

Hackers primarily target users who don’t patch their software as soon as an update is available.

Potential Damage from Attacks

Edvardas Garbenis is public relations manager at Atlas VPN. He said potential damage depends on the type of Microsoft vulnerability that hackers exploit.


“Let’s take CVE-2018-0802 as an example, since it was prevalent in Q3 2021 as well as in Q1 2022. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user,” he said. “If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Office or Microsoft WordPad software, Garbenis said.

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file,” he said. “In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”

Popularity of Office Draws Hackers

Another reason bad actors target Office is the popularity of the software, Garbenis said.

“It is cost-effective for cybercriminals to develop malware which they will be able to use to attack a wide range of users,” he said. “As Microsoft Office is used by over 1 billion people, according to Statista, it attracts a lot of attention from hackers.”

Some attacks are like casting a wide net to see which fish you catch, Garbenis said. Others are so-called spear-phishing attacks that hackers craft for a specific “fish.” In this case, it’s a specific company, and perhaps even a person or a group of people within an organization.


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
