OPSWAT Announces FileScan.IO Asset Acquisition. Read More

What to do about Visual Studio Tools for Office (VSTO) - An alternative to VBA used by cybercriminals

VBA (Visual Basic for Applications) macros in Microsoft Office documents have long been abused by threat authors to gain entry to a target system and deploy malware and ransomware. If allowed to run automatically, macros can be leveraged to execute malicious code once an MS document is opened. Even when Microsoft Office disabled macros from running and displayed a notification bar that warned users of the security risks of running these macros, bad actors had various convincing scenarios to trick users into clicking the “Enable Macro” button. To help counter macro-based malware, Microsoft blocks Office macros obtained from the internet in five Office applications by default starting from July 27, 2022. As a result, Access, Excel, PowerPoint, Visio, and Word users cannot enable macro scripts inside untrusted files downloaded from the internet.

This restriction was heralded as a game-changer for the cybersecurity industry. However, does it truly provide safety for MS users? The answer is no. Cybercriminals are adept at finding new and innovative ways to hack and infiltrate your systems.

VSTO attack vector

A new emerging attack vector used by cybercriminals as an alternative to VBA is Visual Studio Tools for Office (VSTO), which can export an Add-In embedded inside an Office document. A VSTO Office file enables attackers to phish users and remotely execute malicious code via the installation of the Add-In.

VSTO Office documents are linked to a Visual Studio Office File application, which is written with .NET. It is able to contain arbitrary code that can be used for malicious purposes, just like VBA. VSTO Office documents can enclose references and metadata to download a VSTO file (a .NET application) from the Internet once users open the file.

Below is our recorded demo showing how a VSTO Word file downloads and executes a harmful application on the victim's machine.

OPSWAT Deep CDR (Content Disarm and Restructure) technology can defuse this type of cyber attack

With a mindset that every file presents a potential threat, Deep CDR detects and neutralizes all suspect executable components embedded in files to ensure all files coming into your organization are not harmful. This is the most effective approach to prevent advanced evasive malware and zero-day attacks.

Watch the demo hereunder to see how the malicious VSTO Word file was deactivated by OPSWAT MetaDefender using Deep CDR.

Learn more about OPSWAT’s Deep CDR technology. To see how we can help provide comprehensive protection to your organization against weaponized documents, talk to an OPSWAT specialist now.


Macros from the internet are blocked by default in Office - Deploy Office

Make phishing great again. VSTO office files are the new macro nightmare?

Sign up for Blog updates!
Get information and insight from the leader in advanced threat prevention.