HomeWinBuzzer NewsOutdated Microsoft Office Flaw Still a Hotbed for Cyber Attacks

Outdated Microsoft Office Flaw Still a Hotbed for Cyber Attacks

Old bug, new trick: Hackers are weaponizing a patched 2017 Microsoft Office flaw (CVE-2017-11882) to spread Agent Tesla spyware.


Experts have identified that cybercriminals have perfected the exploitation of a long-fixed Microsoft Office flaw, tracked as CVE-2017-11882, to proliferate the notorious known as ‘Agent Tesla‘. This security gap, despite being addressed through patches issued in 2017, remains a potent tool for attackers aiming to infiltrate systems using carefully crafted phishing emails.

Infectious Documents in Disguise

The modus operandi involves deceiving email recipients into opening seemingly benign documents, such as those labeled with business-related terms like “orders” and “invoices”. These misleading labels cloak weaponized Excel documents which, upon being downloaded and opened by unsuspecting users, initiate a clandestine communication with a hostile server. This serves as a conduit for retrieving additional obfuscated malware files without any further input from the user.

The EQNEDT32.EXE component within Office—an equation editor tool—is the vulnerable point, as it mishandles objects in memory, allowing for arbitrary code execution. Despite a patch being available for years, some users have either neglected to apply the updates or are utilizing unsupported versions of Office, which has kept the exploitation viable. has previously warned about the flaw:

Advanced Evasion and Exfiltration Techniques

In the subsequent stages of the attack, the VBS script retrieved executes a highly obfuscated code that sidesteps analysis and downloads a JPG containing a concealed, Base64-encoded DLL file. Hereon, a PowerShell script extracts and executes the malicious code from the image, ultimately fetching the Agent payload. Once embedded, this spyware is capable of logging keystrokes, capturing screenshots, and harvesting credentials, granting the attackers unfettered access to sensitive corporate information.

To confront such threats, companies must actively ensure that all their software is up-to-date with the latest security patches and educate employees on the dangers of unsolicited email attachments. Security firms like emphasize the ongoing evolution of malware delivery methods and stress the importance of staying informed on emerging threats to better defend digital infrastructure from such incursions.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News