Hackers have long used Word and Excel documents as delivery vehicles for malware, and in 2025, these tricks are far from outdated. From phishing schemes to zero-click exploits, malicious Office files are still one of the easiest ways into a victim’s system.
Here are the top three Microsoft Office-based exploits still making the rounds this year and what you need to know to avoid them.
1. Phishing in MS Office: Still Hackers’ Favorite
Phishing attacks using Microsoft Office files have been around for years, and they’re still going strong. Why? Because they work, especially in business environments where teams constantly exchange Word and Excel documents.
Attackers know that people are used to opening Office files, especially if they come from what looks like a colleague, a client, or a partner. A fake invoice, a shared report, or a job offer: it doesn’t take much to convince someone to click. And once the file is open, the attacker has their chance.
Phishing with Office files often aims to steal login credentials. These documents might include:
- Links to fake Microsoft 365 login pages
- Phishing portals that mimic company tools or services
- Redirect chains that eventually land on credential-harvesting sites
In this ANY.RUN malware analysis session, an Excel file contains malicious phishing link:
View analysis session with Excel file
 |
| Excel file containing malicious link detected inside ANY.RUN sandbox |
When clicked, the victim is taken to a webpage that shows a Cloudflare “Verify you’re a human” check.
 |
| CloudFlare verification passed with ANY.RUN’s automated interactivity |
After clicking through, there’s another redirect; this time to a fake Microsoft login page.
 |
| Malicious link to fake Microsoft login page with random characters |
At first glance, it might look real. But inside the ANY.RUN sandbox, it’s easy to spot red flags. The Microsoft login URL isn’t official; it’s filled with random characters and clearly doesn’t belong to Microsoft’s domain.
Give your team the right tool to detect, investigate, and report threats faster in a secure environment.
Get a trial of ANY.RUN to access advanced malware analysis
This fake login page is where the victim unknowingly hands over their login credentials straight to the attacker.
Attackers are also getting more creative. Lately, some phishing documents come with QR codes embedded in them. These are meant to be scanned with a smartphone, sending the victim to a phishing website or triggering a malware download. However, they can be detected and analyzed with tools like ANY.RUN sandbox too.
2. CVE-2017-11882: The Equation Editor Exploit That Won’t Die
First discovered in 2017, CVE-2017-11882 is still exploited today, in environments running outdated versions of Microsoft Office.
This vulnerability targets the Microsoft Equation Editor – a rarely used component that was part of older Office builds. Exploiting it is dangerously simple: just opening a malicious Word file can trigger the exploit. No macros, no extra clicks needed.
In this case, the attacker uses the flaw to download and run a malware payload in the background, often through a remote server connection.
In our analysis session, the payload delivered was Agent Tesla, a known info-stealer used to capture keystrokes, credentials, and clipboard data.
View analysis session with malicious payload
 |
| Phishing email containing malicious Excel attachment |
In the MITRE ATT&CK section of this analysis, we can see how ANY.RUN sandbox detected this specific technique used in the attack:
 |
| Exploitation of Equation Editor detected by ANY.RUN |
Although Microsoft patched the vulnerability years ago, it’s still useful for attackers targeting systems that haven’t been updated. And with macros disabled by default in newer Office versions, CVE-2017-11882 has become a fallback for cybercriminals who want guaranteed execution.
3. CVE-2022-30190: Follina’s Still in the Game
The Follina exploit (CVE-2022-30190) continues to be a favorite among attackers for one simple reason: it works without macros and doesn’t require any user interaction beyond opening a Word file.
Follina abuses the Microsoft Support Diagnostic Tool (MSDT) and special URLs embedded in Office documents to execute remote code. That means just viewing the file is enough to launch malicious scripts, often PowerShell-based, that contact a command-and-control server.
View analysis session with Follina
 |
| Follina technique detected inside ANY.RUN sandbox |
In our malware analysis sample, the attack went a step further. We observed the “stegocampaign” tag, which indicates the use of steganography – a technique where malware is hidden inside image files.
 |
| Use of Steganography in the attack |
The image is downloaded and processed using PowerShell, extracting the actual payload without raising immediate alarms.
 |
| Image with malicious payload analyzed inside ANY.RUN |
To make matters worse, Follina is often used in multi-stage attack chains, combining other vulnerabilities or payloads to increase the impact.
What This Means for Teams Using MS Office
If your team relies heavily on Microsoft Office for day-to-day work, the attacks mentioned above should be a wake-up call.
Cybercriminals know Office files are trusted and widely used in business. That’s why they continue to exploit them. Whether it’s a simple Excel sheet hiding a phishing link or a Word document silently running malicious code, these files can pose serious risks to your organization’s security.
Here’s what your team can do:
- Review how Office documents are handled internally; limit who can open or download files from outside sources.
- Use tools like ANY.RUN sandbox to inspect suspicious files in a safe, isolated environment before anyone on your team opens them.
- Update all Office software regularly and disable legacy features like macros or the Equation Editor where possible.
- Stay informed about new exploit techniques tied to Office formats so your security team can respond quickly.
Analyze Mobile Malware with ANY.RUN’s New Android OS Support
The threat doesn’t stop at Office files. Mobile devices are now a key target, and attackers are spreading malware through fake apps, phishing links, and malicious APKs.
This means a growing attack surface for businesses and the need for broader visibility.
With ANY.RUN’s new Android OS support, your security team can now:
- Analyze Android malware in a real mobile environment
- Investigate suspicious APK behavior before it hits production devices
- Respond to mobile threats faster and with more clarity
- Support incident response across both desktop and mobile ecosystems
It’s a big step toward complete coverage and it’s available on all plans, including free.
Start your first Android threat analysis today and give your security analysts the visibility they need to protect your mobile attack surface.
